This repository takes snapshots of hashes, PGP key fingerprints and more, and sometimes even helps people find keys that are hidden in obscure places. More sites to check out and create a web of trust:
(feel free to add yours with an issue or a PR)
Okay, but how do I verify?
This guide assumes you use Linux and have gpg installed. It will not go over how to verify the actual file (such as an ISO of an OS or an APK); instead it shows you how to verify the validity of the key you got.
gpg --fingerprint will show you the fingerprints of all the keys in your keyring. If you do not wish to import the key, you can simply type
echo 'key-goes-here' | gpg and it will show you the details of the key, including the fingerprint.
sha256sum /path/to/filename prints the SHA-256 hash of a file, and if you have a checksum file you can run
sha256sum -c /path/to/checksum (the checksum file and the actual file have to be in the same folder).
Please also keep in mind that hashes are better used for file integrity checking, rather than validity.
I will not be very consistent with updating hashes, because I don't want to encourage developers to not sign their releases and just release hashes and I just might miss it.
Please do not trust this repository 100%, as the whole point is to create a web of trust and distribute it. My announcements, such as key changes, will be in Notices.
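The fingerprint check from the gpg steps above, written as a script. This is an added example, not code from this repository; the function names are hypothetical, and it assumes 40-hex-digit (OpenPGP v4) fingerprints and a GnuPG version that supports --show-keys.

```shell
#!/bin/sh
# Added example (not from the repository): compare the fingerprint of a
# downloaded key file with a pinned fingerprint without importing the key.
# All function names here are hypothetical.

# Strip whitespace, colons and an optional 0x prefix, then upper-case, so the
# grouped layout printed by gpg --fingerprint compares equal to a compact one.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Accept only a full fingerprint: exactly 40 hex digits (assumption: v4 keys).
# Short key IDs are rejected because they are too short to identify a key.
is_full_fpr() {
    case "$1" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Return 0 only if both values are full fingerprints and are identical.
fpr_matches() {
    fm_got=$(normalize_fpr "$1")
    fm_want=$(normalize_fpr "$2")
    is_full_fpr "$fm_got" && is_full_fpr "$fm_want" && [ "$fm_got" = "$fm_want" ]
}

# Print the primary-key fingerprint of a key file without importing it.
# In --with-colons output the first "fpr" record belongs to the primary key
# and field 10 holds the fingerprint.
key_file_fpr() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: check_key KEYFILE PINNED_FINGERPRINT
check_key() {
    ck_actual=$(key_file_fpr "$1")
    if fpr_matches "$ck_actual" "$2"; then
        echo "OK: $1 has the pinned fingerprint"
    else
        echo "MISMATCH: $1 has fingerprint '$ck_actual'" >&2
        return 1
    fi
}
```

Take the pinned fingerprint from more than one independent source before relying on a match.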