AlwaysVerify
This repository takes snapshots of hashes, PGP key fingerprints and more, and sometimes even helps people find keys that are hidden in obscure places. More sites to check out and create a web of trust:
https://artemislena.eu/services/verify.html
(feel free to add yours with an issue or a PR)
Available files:
Okay, but how do I verify?
This guide assumes you use Linux and have gpg installed. It will not go over how to verify the actual file (such as an ISO of an OS or an APK); instead, it shows you how to verify the validity of the key you got.
PGP Fingerprints:
gpg --fingerprint
will show you the fingerprints of all the keys you have in your keyring. If you do not wish to import the key, you can simply type
echo 'key-goes-here' | gpg
and it will show you the details of the key, including the fingerprint.
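An added example (not part of this repository): a shell check that compares a key's primary fingerprint with a pinned one from a snapshot, without importing the key. It reads the output of gpg --show-keys --with-colons; the function names and the sample listing are constructed for illustration, and v4 (40 hex digit) fingerprints are assumed.

```shell
#!/bin/sh
# Input: machine-readable key listing, produced without importing the key:
#   gpg --show-keys --with-colons key.asc | fpr_pinned "$PINNED"

# Print the fingerprint of each primary key in a --with-colons listing.
# A "pub" record starts a primary key and the next "fpr" record holds its
# fingerprint in field 10; the "fpr" after a "sub" record is a subkey's.
primary_fprs() {
    awk -F: '
        $1 == "pub" { take = 1; next }
        $1 == "sub" { take = 0; next }
        $1 == "fpr" && take { print toupper($10); take = 0 }
    '
}

# Strip the spaces/colons used for display and uppercase the hex digits.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Exit 0 only if stdin lists exactly one primary key whose full fingerprint
# equals the pinned value; exit 2 if the pinned value is not a fingerprint.
fpr_pinned() {
    pinned=$(normalise_fpr "$1")
    # Assumption: v4 keys (40 hex digits). Short or long key IDs are refused.
    case $pinned in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#pinned}" -eq 40 ] || return 2
    found=$(primary_fprs)
    # Two primary keys yield two lines, which never equal one fingerprint.
    [ "$found" = "$pinned" ]
}

# Constructed sample listing (not a real key): one primary key, one subkey.
SAMPLE_LISTING='pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Example Dev <dev@example.org>:
sub:-:255:18:0123456789ABCDEF:1700000000::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Fingerprint as a web page might print it: grouped and lowercase.
if printf '%s\n' "$SAMPLE_LISTING" | fpr_pinned '0123 4567 89ab cdef 0123  4567 89ab cdef 0123 4567'
then echo 'fingerprint matches the snapshot'
else echo 'MISMATCH: do not trust this key'
fi
```

Comparing the full fingerprint of the primary key, rather than a key ID or a subkey fingerprint, is what makes the snapshot comparison meaningful.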
Sha256 fingerprint
https://developer.android.com/studio/command-line/apksigner#usage-verify
Sha256 hashes
sha256sum /path/to/filename
and if you have a checksum file, you can do
sha256sum -c /path/to/checksum
(the checksum file and the actual file have to be in the same folder).
Please also keep in mind that hashes are better used for file integrity checking, rather than validity.
I will not be very consistent with updating hashes, because I don't want to encourage developers to not sign their releases and just release hashes and I just might miss it.
Please, do not trust this repository 100% as the whole point is to create a web of trust and distribute it. My announcements such as key changes will be in notices. The dates under the keys only show the date the key has been updated in this repository. It does not show when the actual key has been changed, when the link has been changed, when the page has been changed, etc. Just the key fingerprint being modified in this repo.