VerifyingReleases
This page describes briefly how Coq users can verify that a Coq release tarball was signed by Coq a release manager. We will use Coq 8.11.2 and its tarball https://github.com/coq/coq/archive/V8.11.2.tar.gz as an example.
wget https://github.com/coq/coq/archive/V8.11.2.tar.gz
sha512sum V8.11.2.tar.gzThis yields a checksum of f8ab307b8e39ffda5f6984e187c1f8de1cb6dec5c322726dbbe535ee611683cfeeb9cee3e11ad83f5e44e843fc51e7e2d50b4ea69ab42fde38aaf3d0cf2dea3c
git clone https://github.com/coq/coq.git
cd coq
git show-ref -s V8.11.2This yields a commit SHA of 1539a9a0d894ea9e24e3d0e163006d6477646ec6.
git verify-commit 1539a9a0d894ea9e24e3d0e163006d6477646ec6This gives output along the following lines:
gpg: Signature made Thu 14 May 2020 03:29:39 PM CDT using RSA key ID D9BA3C7B
Here, one has to verify that the RSA key ID D9BA3C7B belongs to the release manager, which is beyond the scope of this discussion.
git archive --format=tar.gz --prefix=coq-8.11.2/ -o /tmp/V8.11.2.tar.gz V8.11.2
sha512sum /tmp/V8.11.2.tar.gzThis gives the expected output f8ab307b8e39ffda5f6984e187c1f8de1cb6dec5c322726dbbe535ee611683cfeeb9cee3e11ad83f5e44e843fc51e7e2d50b4ea69ab42fde38aaf3d0cf2dea3c
Since the checksums match, the tarball at https://github.com/coq/coq/archive/V8.11.2.tar.gz has been signed by the release manager (under usual cryptographic assumptions).
To the extent possible under law, the contributors of “Cocorico!, the Coq wiki” have waived all copyright and related or neighboring rights to their contributions.
By contributing to Cocorico!, the Coq wiki, you agree that you hold the copyright and you agree to license your contribution under the CC0 license or you agree that you have permission to distribute your contribution under the CC0 license.