Add bindings PGP public key and documentation on how to verify signatures

This commit is contained in:
thunderbiscuit 2022-09-23 10:48:29 -04:00
parent 3f35a18d41
commit 6598df9ed9
No known key found for this signature in database
GPG Key ID: 88253696EB836462
2 changed files with 53 additions and 0 deletions

14
PGP-BDK-BINDINGS.asc Normal file
View File

@ -0,0 +1,14 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEYw6xkRYJKwYBBAHaRw8BAQdAg+VLXuidDqeP015H/QMlESJyQeIntTUoQkbk
+IFu+jO0M2JpdGNvaW5kZXZraXQtYmluZGluZ3MgPGJpbmRpbmdzQGJpdGNvaW5k
ZXZraXQub3JnPoiTBBMWCgA7FiEEiK2TrEWJ/QkP87jRJ2jEPogDxqMFAmMOsZEC
GwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQJ2jEPogDxqPQTgEA292D
RQaxDTJ4k91D0w50Vrd0NSNUwlsERz9XJ64abWABAP99vGMmq2pfrngTQqjLgLe8
0YhQ+VML2x/B0LSN6MgNuDgEYw6xkRIKKwYBBAGXVQEFAQEHQEkUJv+/Wzx7nNiX
eti3HkeT6ZNAuCExPE4F7jxHNQ1TAwEIB4h4BBgWCgAgFiEEiK2TrEWJ/QkP87jR
J2jEPogDxqMFAmMOsZECGwwACgkQJ2jEPogDxqObPQEA/B0xNew03KM0JP630efG
QT/3Caq/jx86pLwnB7XqWI8BAOKmqrOEiwCBjhaIpzC3/1M+aZuPRUL3V91uPxpM
jFAJ
=vvmK
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -115,9 +115,48 @@ and use the `publishToMavenLocal` task without excluding the signing task:
./gradlew publishToMavenLocal
```
## Verifying Signatures
Both libraries and all their corresponding artifacts are signed with a PGP key you can find in the root of this repository. To verify the hashes and signatures, go through the following steps:
1. Import the PGP key in your keyring
2. Download the artifact and its corresponding hash and signature files ([bdk-jvm] and [bdk-android])
3. Verify the hashes
4. Verify the signature
```shell
# 1. Navigate to the root of the repository and import the ./PGP-BDK-BINDINGS.asc public key
gpg --import ./PGP-BDK-BINDINGS.asc
# Alternatively, you can import it directly from a public key server
gpg --keyserver keyserver.ubuntu.com --receive-key 2768C43E8803C6A3
# Verify that the correct key was imported
gpg --list-keys
# ------------------------------
# pub ed25519 2022-08-31 [SC]
# 88AD93AC4589FD090FF3B8D12768C43E8803C6A3
# uid [ unknown] bitcoindevkit-bindings <bindings@bitcoindevkit.org>
# sub cv25519 2022-08-31 [E]
# 2. Add files and their corresponding signature and hash files in the same directory
# e.g. bdk-jvm-0.9.0.jar, bdk-jvm-0.9.0.jar.asc, bdk-jvm-0.9.0.jar.sha256
# 3. Verify that the hashes are the same
shasum --algorithm 256 bdk-android-0.9.0.aar && cat bdk-android-0.9.0.aar.sha256
# 4. Verify the signature
gpg --verify bdk-android-0.9.0.module.asc
```
### PGP Metadata
Full key ID: `88AD 93AC 4589 FD09 0FF3 B8D1 2768 C43E 8803 C6A3`
Fingerprint: `2768C43E8803C6A3`
Name: `bitcoindevkit-bindings`
Email: `bindings@bitcoindevkit.org`
[Kotlin]: https://kotlinlang.org/
[Android Studio]: https://developer.android.com/studio/
[`bdk`]: https://github.com/bitcoindevkit/bdk
[`bdk-ffi`]: https://github.com/bitcoindevkit/bdk-ffi
["Getting Started (Developer)"]: https://github.com/bitcoindevkit/bdk-ffi#getting-started-developer
[Gradle Nexus Publish Plugin]: https://github.com/gradle-nexus/publish-plugin
[bdk-jvm]: https://search.maven.org/artifact/org.bitcoindevkit/bdk-jvm/0.9.0/jar
[bdk-android]: https://search.maven.org/artifact/org.bitcoindevkit/bdk-android/0.9.0/aar