[qemu-web,RFC] _download/source.html: show the GPG fingerprint for releases

Message ID 20210308111649.14898-1-alex.bennee@linaro.org
State New

Commit Message

Alex Bennée March 8, 2021, 11:16 a.m.
At the moment we mention the signature but don't actually say what it
is or how to check it. Let's surface the fingerprint on the information
along with a guide of how to verify the download.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>

Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
---
 _download/source.html | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

-- 
2.20.1

Comments

Paolo Bonzini March 8, 2021, 1:44 p.m. | #1
On 08/03/21 12:16, Alex Bennée wrote:
> +          managers key, fingerprint:

> +          <pre><code>CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584</code></pre>.

> +          Alternatively stay on the bleeding edge with the

> +	  <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>

>   	<h2>Build instructions</h2>

>   

>   	{% for release in site.data.releases offset: 0 limit: 1 %}

>   	<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>

>   <pre>wgethttps://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz

> +# optional verify signature

> +wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig

> +gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig

> +# extract and build


Maybe add some <b> to either the comments or the commands?

(For reference, the result is visible at https://bonzini.gitlab.io/qemu-web/download/#source).

Paolo

Thomas Huth March 8, 2021, 1:57 p.m. | #2
On 08/03/2021 12.16, Alex Bennée wrote:
> At the moment we mention the signature but don't actually say what it
> is or how to check it. Let's surface the fingerprint on the information
> along with a guide of how to verify the download.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> ---
>   _download/source.html | 13 ++++++++++---
>   1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/_download/source.html b/_download/source.html

> index 35fd156..6c2f6f6 100644

> --- a/_download/source.html

> +++ b/_download/source.html

> @@ -8,14 +8,21 @@

>   	<div id="releases">

>   	{% include releases.html %}

>   	</div>

> -	<p>or stay on the bleeding edge with the

> -	   <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>

> -

> +	<p>

> +          Our source code tarballs are signed with the release

> +          managers key, fingerprint:


I'd like to suggest replacing the above sentence with:

Our source code tarballs are signed with the
<a href="http://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xCEACC9E15534EBABB82D3FA03353C9CEF108B584">release managers key</a>. The fingerprint of this key is:


> +          <pre><code>CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584</code></pre>.

> +          Alternatively stay on the bleeding edge with the

> +	  <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>

>   	<h2>Build instructions</h2>

>   

>   	{% for release in site.data.releases offset: 0 limit: 1 %}

>   	<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>

>   <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz

> +# optional verify signature

> +wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig

> +gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig

> +# extract and build

>   tar xvJf qemu-{{release.branch}}.{{release.patch}}.tar.xz

>   cd qemu-{{release.branch}}.{{release.patch}}

>   ./configure

> 
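
Review bot: In the added paragraph, the `<pre><code>` fingerprint block sits inside the `<p>` and is followed by a bare `.`; `<pre>` is a block-level element, so an HTML parser ends the paragraph before it, the full stop renders on its own after the block, and the "Alternatively stay on the bleeding edge" sentence ends up outside any paragraph with a stray `</p>` behind it. Close the `<p>` after "fingerprint:", drop the `.` after `</pre>`, and give the git repository sentence its own `<p>`.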


  Thomas

Peter Maydell March 8, 2021, 2:03 p.m. | #3
On Mon, 8 Mar 2021 at 11:19, Alex Bennée <alex.bennee@linaro.org> wrote:
>
> At the moment we mention the signature but don't actually say what it
> is or how to check it. Let's surface the fingerprint on the information
> along with a guide of how to verify the download.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> ---
>  _download/source.html | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/_download/source.html b/_download/source.html

> index 35fd156..6c2f6f6 100644

> --- a/_download/source.html

> +++ b/_download/source.html

> @@ -8,14 +8,21 @@

>         <div id="releases">

>         {% include releases.html %}

>         </div>

> -       <p>or stay on the bleeding edge with the

> -          <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>

> -

> +       <p>

> +          Our source code tarballs are signed with the release

> +          managers key, fingerprint:


"manager's"

> +          <pre><code>CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584</code></pre>.

> +          Alternatively stay on the bleeding edge with the

> +         <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>

>         <h2>Build instructions</h2>

>

>         {% for release in site.data.releases offset: 0 limit: 1 %}

>         <p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>

>  <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz

> +# optional verify signature


"optionally"

thanks
-- PMM

Patch

diff --git a/_download/source.html b/_download/source.html
index 35fd156..6c2f6f6 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -8,14 +8,21 @@ 
 	<div id="releases">
 	{% include releases.html %}
 	</div>
-	<p>or stay on the bleeding edge with the
-	   <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
-
+	<p>
+          Our source code tarballs are signed with the release
+          managers key, fingerprint:
+          <pre><code>CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584</code></pre>.
+          Alternatively stay on the bleeding edge with the
+	  <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
 	<h2>Build instructions</h2>
 
 	{% for release in site.data.releases offset: 0 limit: 1 %}
 	<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
 <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
+# optional verify signature
+wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
+gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
+# extract and build
 tar xvJf qemu-{{release.branch}}.{{release.patch}}.tar.xz
 cd qemu-{{release.branch}}.{{release.patch}}
 ./configure
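
Review bot: The added `gpg` line in the `<pre>` block passes the tarball name to `--output` instead of giving it as the signed data; for a detached `.sig` the documented form is `gpg --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig qemu-{{release.branch}}.{{release.patch}}.tar.xz`, with no `--output`. The steps also never fetch the release manager's key, so on a fresh keyring the check cannot succeed, and nothing tells the reader to compare the fingerprint gpg reports with the one published in the paragraph above. Consider adding the key import step and that comparison, and rewording the "# optional verify signature" comment so that verification reads as part of the normal download procedure.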