add verify sha instructions in README

This commit is contained in:
Audric Ackermann 2021-05-24 10:11:01 +10:00
parent 12ae8d4051
commit 18490bbb17
No known key found for this signature in database
GPG Key ID: 999F434D76324AD4

View File

@ -20,6 +20,39 @@ Please search for any [existing issues](https://github.com/oxen-io/session-andro
Build instructions can be found in [BUILDING.md](BUILDING.md).
## Verifing signatures
Get Kee's key and import it:
```
wget https://raw.githubusercontent.com/oxen-io/oxen-core/master/utils/gpg_keys/KeeJef.asc
gpg --import KeeJef.asc
```
Get the signed hash for this release, the SESSION_VERSION needs to be updated for the release you want to verify
```
export SESSION_VERSION=1.10.4
wget https://github.com/oxen-io/session-android/releases/download/$SESSION_VERSION/signatures.asc
```
Verify the signature of the hashes of the files
```
gpg --verify signatures.asc 2>&1 |grep "Good signature from"
```
The command above should print "`Good signature from "Kee Jefferys...`"
If it does, the hashes are valid but we still have to make the sure the signed hashes matches the downloaded files.
Make sure the two commands below returns the same hash.
If they do, files are valid.
```
sha256sum session-$SESSION_VERSION-universal.apk
grep universal.apk signatures.asc
```
## License
Copyright 2011 Whisper Systems