mirror of
https://gitea.com/gitea/docs.git
synced 2026-07-02 17:08:48 +00:00
update binary verification section (#449)
---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/docs/pulls/449
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
@@ -40,7 +40,24 @@ chmod +x gitea
Note that the above command will download Gitea @version@ for 64-bit Linux.
## Verify GPG signature
## Verify signature
### Sigstore
Starting with v1.27 Gitea signs all binaries using [sigstore](https://sigstore.dev/) to prevent against unwanted modification of binaries.
To validate the binary, download the bundle file which ends in `sigstore.json` for the binary you downloaded and use the [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) command line tool.
```sh
cosign verify-blob gitea-@version@-linux-amd64 --bundle gitea-@version@-linux-amd64.sigstore.json --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/go-gitea/gitea/.github/workflows/release-.*"
```
If the command outputs `Verified OK`, binary was not modified.
:::note
The above command will match any release workflow. You may choose to restrict the identity further by requiring a specific branch or workflow to be matched. For example this url will match only nightly builds made on main branch: `https://github.com/go-gitea/gitea/.github/workflows/release-nightly.yml@refs/heads/main`
:::
### GPG
Gitea signs all binaries with a [GPG key](https://keys.openpgp.org/search?q=teabot%40gitea.io) to prevent against unwanted modification of binaries.
To validate the binary, download the signature file which ends in `.asc` for the binary you downloaded and use the GPG command line tool.
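Review bot: the `--certificate-identity-regexp` value on the `cosign verify-blob` line is an unanchored regular expression with unescaped dots, so `.github` and `release-.*` match more loosely than the prose intends; anchor and escape it, e.g. `--certificate-identity-regexp="^https://github\.com/go-gitea/gitea/\.github/workflows/release-.*$"`, and in the note that shows the full nightly identity (`...release-nightly.yml@refs/heads/main`) point readers at the exact-match `--certificate-identity` flag rather than the regexp flag, since that value is a literal identity, not a pattern. Smaller points in the same hunk: `sigstore.json` should read `.sigstore.json` to mirror `.asc` in the GPG section; `If the command outputs `Verified OK`, binary was not modified.` needs "the binary" and should add that any other output (or a non-zero exit) means the file must not be used; `prevent against unwanted modification` reads better as `protect against unwanted modification` (the new Sigstore sentence copies the wording of the existing GPG sentence, so both could be fixed here); `this url` should be `this URL` and `on main branch` should be `on the main branch`.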
@@ -53,6 +70,7 @@ gpg --verify gitea-@version@-linux-amd64.asc gitea-@version@-linux-amd64
Look for the text `Good signature from "Teabot <teabot@gitea.io>"` to assert a good binary,
despite warnings like `This key is not certified with a trusted signature!`.
## Recommended server configuration
:::note
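Review bot: this hunk only adjusts the blank lines before `## Recommended server configuration`, but the GPG context it sits in tells readers to accept the result `despite warnings like `This key is not certified with a trusted signature!`` without saying how to establish that the signing key is the project's; `Good signature from "Teabot <teabot@gitea.io>"` from an unverified key shows only that some key carrying that user ID signed the file. Since the Sigstore section above pins the signer via `--certificate-identity`, the GPG section should do the equivalent: add a sentence telling readers to compare the imported key's fingerprint against the one the project publishes before treating the signature as trusted.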