## Manifest- gitian-verify/ - README.md - step_1/ - verify-key

1. ## Manifest
2.  
3. - gitian-verify/
4. - README.md
5. - step_1/
6. - verify-keys.sh
7. - fingerprints.txt
8. - signatures/
9. - ...
10. - step_2/
11. - download-and-verify.sh
12.  
13. ## verify-keys.sh: create and edit a trusted gitian keyring
14.  
15. Summary: a very simple and clear shell script that's easily audited even
16. by relatively inexperienced programmers that bootstraps a
17. gitian-specific keyring for the user and uses that to verify the
18. remainder of the verification code (and, ultimately, the binaries).
19.  
20. 1. Includes a hardcoded list of pubkeys belonging to Gitian signers
21. sourced from the bitcoin/bitcoin repository. (The list is not
22. trusted, but is part of the program to keep the code simple and
23. auditable.)
24.  
25. 2. Checks to see if any of those keys are already in a gitian-specific
26. keyring. If so, tells the user that they trust n gitian signers so
27. far and lists the names of them (and provides an option to remove
28. individuals from that list).
29.  
30. 3. Presents the list of Gitian signers who have not been trusted yet,
31. and asks the user if they want to trust any of those keys. Provides
32. some guideance (perhaps via URLs to multiple different sites) about
33. how to authenticate keys and what can go wrong if the user chooses
34. the wrong keys to trust. If the user choose a key for trust, adds it
35. to the gitian-specific keyring.
36.  
37. 4. Repeat steps two and three until the user is satisfied with their key
38. selection.
39.  
40. 5. Uses gpg/gpgv to verify the full contents of the gitian-verify/
41. directiory, except for the signatures/ subdirectory, using the
42. gitian-specific keyring the user populated and the contents of the
43. signatures/ subdirectory.
44.  
45. ## download-and-verify.sh: install/upgrade verification
46.  
47. Summary: a shell script that can be a bit less clear (because it's been
48. verified) that presents the user with a list of download options,
49. retieves the binary and its gitian sigs, and verifies them.
50.  
51. 1. Checks out the gitian sigs repository (or grabs a pre-packaged
52. tarball, whatever).
53.  
54. 2. Finds and verifies all attestations signed by keys on the
55. gitian-specific keyring.
56.  
57. 3. Using only those authenticated attestations, builds a list of known releases
58. and presents that to the user in order, with highest-version-number first.
59.  
60. 4. The user selects a release to download. The program tells the user
61. what each key on the gitian-specific keyring did. E.g.,
62.  
63. a. Signed a file with the same hash as n other signers on the
64. gitian-specific key ring
65. b. Signed a file with a different hash from any other signers
66. c. Did not sign anything for this release
67.  
68. 5. After the user has reviewed the above information, gives them the
69. option to download a release tarball/zipfile. Prompts them for their
70. platform. Downloads the archive, verifies its hash, and indicates
71. success to the user.
72.  
73. 6. If the downloaded archive includes a more recent version of the
74. gitian-verify/ directory, encourages the user to use that archive's
75. `download-and-verify.sh` for future upgrades.
76.  
77. ## Notes
78.  
79. - All programs can take environment variables or CLI parameters to
80. retrieve remote content at a different URL than whatever is set as the
81. default.