Add bindings PGP public key and documentation on how to verify signatures

thunderbiscuit 2022-09-26 09:01:05 -04:00
parent 6598df9ed9
commit 3a0fe79dd8
No known key found for this signature in database
GPG Key ID: 88253696EB836462

@ -116,34 +116,41 @@ and use the `publishToMavenLocal` task without excluding the signing task:
```
## Verifying Signatures
Both libraries and all their corresponding artifacts are signed with a PGP key you can find in the root of this repository. To verify the hashes and signatures, go through the following steps:
1. Import the PGP key in your keyring
2. Download the artifact and its corresponding hash and signature files ([bdk-jvm] and [bdk-android])
3. Verify the hashes
4. Verify the signature
Both libraries and all their corresponding artifacts are signed with a PGP key you can find in the
root of this repository. To verify the signatures follow the below steps:
1. Import the PGP key in your keyring.
```shell
# 1. Navigate to the root of the repository and import the ./PGP-BDK-BINDINGS.asc public key
# Navigate to the root of the repository and import the ./PGP-BDK-BINDINGS.asc public key
gpg --import ./PGP-BDK-BINDINGS.asc
# Alternatively, you can import it directly from a public key server
# Alternatively, you can import the key directly from a public key server
gpg --keyserver keyserver.ubuntu.com --receive-key 2768C43E8803C6A3
# Verify that the correct key was imported
gpg --list-keys
# ------------------------------
# pub ed25519 2022-08-31 [SC]
# 88AD93AC4589FD090FF3B8D12768C43E8803C6A3
# uid [ unknown] bitcoindevkit-bindings <bindings@bitcoindevkit.org>
# sub cv25519 2022-08-31 [E]
# You should see the below output
pub ed25519 2022-08-31 [SC]
88AD93AC4589FD090FF3B8D12768C43E8803C6A3
uid [ unknown] bitcoindevkit-bindings <bindings@bitcoindevkit.org>
sub cv25519 2022-08-31 [E]
```
# 2. Add files and their corresponding signature and hash files in the same directory
# e.g. bdk-jvm-0.9.0.jar, bdk-jvm-0.9.0.jar.asc, bdk-jvm-0.9.0.jar.sha256
2. Download the binary artifacts and corresponding signature files.
- from [bdk-jvm]
- `bdk-jvm-<version>.jar`
- `bdk-jvm-<version>.jar.asc`
- from [bdk-android]
- `bdk-android-<version>.aar`
- `bdk-android-<version>.aar.asc`
# 3. Verify that the hashes are the same
shasum --algorithm 256 bdk-android-0.9.0.aar && cat bdk-android-0.9.0.aar.sha256
3. Verify the signatures.
```shell
gpg --verify bdk-jvm-<version>.jar.asc
gpg --verify bdk-android-<version>.aar.asc
# 4. Verify the signature
gpg --verify bdk-android-0.9.0.module.asc
# you should see a "Good signature" result
gpg: Good signature from "bitcoindevkit-bindings <bindings@bitcoindevkit.org>" [unknown]
```
### PGP Metadata
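Review bot: step 1 fetches the key by its 64-bit key ID (`gpg --keyserver keyserver.ubuntu.com --receive-key 2768C43E8803C6A3`) and then has the reader confirm it with `gpg --list-keys`, which prints every key in the keyring and leaves the actual comparison implicit; fetch and check by the full fingerprint instead, e.g. `gpg --keyserver keyserver.ubuntu.com --receive-keys 88AD93AC4589FD090FF3B8D12768C43E8803C6A3` followed by `gpg --fingerprint 88AD93AC4589FD090FF3B8D12768C43E8803C6A3`, and say explicitly that the fingerprint must match the one printed in this README and carried by `./PGP-BDK-BINDINGS.asc`, since a keyserver will return whatever key matches the ID it is given. In step 3 the one-argument form `gpg --verify bdk-jvm-<version>.jar.asc` only works because gpg guesses the data file by stripping `.asc` from the signature name and expects it in the same directory; the two-argument form `gpg --verify bdk-jvm-<version>.jar.asc bdk-jvm-<version>.jar` is unambiguous and fails clearly if the artifact is missing or was renamed on download. The expected output is also incomplete: because the uid is shown as `[unknown]`, the `Good signature` line is followed by `gpg: WARNING: This key is not certified with a trusted signature!` and a `Primary key fingerprint:` line, and a reader may take the warning for a failure; state that the warning is expected for a key that has not been locally certified and that the check that matters is the printed fingerprint matching the one imported in step 1. Lastly, the old hash step (`shasum --algorithm 256 bdk-android-0.9.0.aar && cat bdk-android-0.9.0.aar.sha256`) is dropped silently; that is reasonable since a `.sha256` file hosted beside the artifact adds nothing the signature does not already cover, but the opening sentence still says "all their corresponding artifacts" are signed while step 2 lists only the `.jar` and `.aar`, so either add the other signed files (the old text verified `bdk-android-0.9.0.module.asc`) or narrow the sentence to the two artifacts the steps cover.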