How to Verify That Pactus Software (#54)
@@ -0,0 +1,57 @@ | ||
--- | ||
title: How to Verify That Pactus Software Is Safe? | ||
weight: 9 | ||
--- | ||
|
||
## Preface | ||
|
||
When downloading Pactus software, it's important to verify that the binaries are authentic and | ||
haven't been tampered with. | ||
By verifying the signatures of the files, you ensure that the software you're installing is secure. | ||
This guide will walk you through the steps to verify Pactus software. | ||
|
||
## Understanding the Verification Process | ||
|
||
When the Pactus binaries are created, a `SHA256SUMS` file is generated, | ||
containing the checksums (unique digital fingerprints) for the binaries. | ||
This file is then digitally signed and stored in `SHA256SUMS.sig`. | ||
Users can later verify the integrity of the downloaded binaries by | ||
checking the checksums and confirming the validity of the signature. | ||
|
||
## Verify the Checksum | ||
|
||
Once you've downloaded the binaries and the `SHA256SUMS` file, | ||
run the following command to ensure the binaries match the checksums: | ||
|
||
```bash | ||
sha256sum -c SHA256SUMS --ignore-missing | ||
``` | ||
|
||
This command will compare the checksums in the `SHA256SUMS` file with the ones generated from your downloaded binaries. | ||
If they match, you’ll see an “OK” message, confirming that the files are intact and unaltered. | ||
|
||
## Verify the SHA256SUMS Signature | ||
|
||
To ensure that the `SHA256SUMS` file itself hasn’t been tampered with, | ||
Pactus signs the file with a digital signature. | ||
You can verify this signature using [Cosign](https://docs.sigstore.dev/cosign/). | ||
|
||
```bash | ||
cosign verify-blob SHA256SUMS --signature=SHA256SUMS.sig --key https://pactus.org/cosign.pub | ||
``` | ||
|
||
This command uses the Pactus public key, hosted at [https://pactus.org/cosign.pub](https://pactus.org/cosign.pub), | ||
to confirm that the Pactus team signed the file. | ||
|
||
If the signature is valid, Cosign will confirm that the `SHA256SUMS` file is legitimate and | ||
was signed by the official Pactus team. | ||
|
||
## Why This Is Important | ||
|
||
By verifying both the checksum and the signature, you ensure: | ||
|
||
- The Pactus binaries you downloaded are complete and unmodified. | ||
- The `SHA256SUMS` file has not been tampered with and was signed by the Pactus team. | ||
|
||
This process protects your system from potentially compromised software and | ||
ensures you're running the correct, secure version of Pactus. |
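Review bot: the two verification sections are in the wrong order for what the guide sets out to establish: "Verify the Checksum" runs `sha256sum -c SHA256SUMS --ignore-missing` against a `SHA256SUMS` file that the later "Verify the SHA256SUMS Signature" section has not yet checked, so a reader who follows the page top to bottom compares their downloads against a file that could itself have been replaced alongside the binaries. Suggest moving the Cosign section ahead of the checksum section, or adding one sentence under "Verify the Checksum" telling the reader to verify the signature before relying on the checksums. Two smaller points: `--key https://pactus.org/cosign.pub` fetches the public key from the same site that serves the binaries, so the signature check is only as strong as that HTTPS connection; it would help to point readers at a second place where the key (or its fingerprint) can be compared. And the `sha256sum -c` command only does anything useful when run in the directory holding the downloaded binaries, and `--ignore-missing` is a GNU coreutils option, so the guide should state where the command is run and which platforms it covers.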