From 18490bbb17067888ade3c94841077bd01f293402 Mon Sep 17 00:00:00 2001 From: Audric Ackermann Date: Mon, 24 May 2021 10:11:01 +1000 Subject: [PATCH] add verify sha instructions in README --- README.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/README.md b/README.md index 5e41159c45..e3f06a301d 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,39 @@ Please search for any [existing issues](https://github.com/oxen-io/session-andro Build instructions can be found in [BUILDING.md](BUILDING.md). +## Verifing signatures + +Get Kee's key and import it: + +``` +wget https://raw.githubusercontent.com/oxen-io/oxen-core/master/utils/gpg_keys/KeeJef.asc +gpg --import KeeJef.asc +``` + +Get the signed hash for this release, the SESSION_VERSION needs to be updated for the release you want to verify + +``` +export SESSION_VERSION=1.10.4 +wget https://github.com/oxen-io/session-android/releases/download/$SESSION_VERSION/signatures.asc +``` + +Verify the signature of the hashes of the files + +``` +gpg --verify signatures.asc 2>&1 |grep "Good signature from" +``` + +The command above should print "`Good signature from "Kee Jefferys...`" +If it does, the hashes are valid but we still have to make the sure the signed hashes matches the downloaded files. + +Make sure the two commands below returns the same hash. +If they do, files are valid. + +``` +sha256sum session-$SESSION_VERSION-universal.apk +grep universal.apk signatures.asc +``` + ## License Copyright 2011 Whisper Systems
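Review bot: the verify step `gpg --verify signatures.asc 2>&1 |grep "Good signature from"` passes for a good signature from any key in the reader's keyring and never ties the result to the key imported in the first step, and the last step's `grep universal.apk signatures.asc` reads the raw file, so a hash line sitting outside the clearsigned block would match even though the signature does not cover it. Suggest stating the expected key fingerprint in the README and asking the reader to compare it with the fingerprint gpg reports for the signature, since the key is fetched from the same GitHub organisation as the release and the README gives no independent value to check it against. For the hash comparison, suggest writing out only the signed text first, for example `gpg --output hashes.txt --decrypt signatures.asc`, and running the grep against `hashes.txt` rather than `signatures.asc`. Smaller points in the same hunk: the heading should read "Verifying signatures", "make the sure" should be "make sure", and "the two commands below returns" should be "return".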