From db8d2789caf7a1df48c1f77f8c8a5797577b400f Mon Sep 17 00:00:00 2001
From: Mantre <mantre@protonmail.com>
Date: Tue, 8 Oct 2024 12:11:16 +0800
Subject: [PATCH] How to Verify That Pactus Software (#54)

---
 content/tutorials/software-verification.md | 57 ++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 content/tutorials/software-verification.md

diff --git a/content/tutorials/software-verification.md b/content/tutorials/software-verification.md
new file mode 100644
index 0000000..122e733
--- /dev/null
+++ b/content/tutorials/software-verification.md
@@ -0,0 +1,57 @@
+---
+title: How to Verify That Pactus Software Is Safe?
+weight: 9
+---
+
+## Preface
+
+When downloading Pactus software, it's important to verify that the binaries are authentic and
+haven't been tampered with.
+By verifying the signatures of the files, you ensure that the software you're installing is secure.
+This guide will walk you through the steps to verify Pactus software.
+
+## Understanding the Verification Process
+
+When the Pactus binaries are created, a `SHA256SUMS` file is generated,
+containing the checksums (unique digital fingerprints) for the binaries.
+This file is then digitally signed and stored in `SHA256SUMS.sig`.
+Users can later verify the integrity of the downloaded binaries by
+checking the checksums and confirming the validity of the signature.
+
+## Verify the Checksum
+
+Once you've downloaded the binaries and the `SHA256SUMS` file,
+run the following command to ensure the binaries match the checksums:
+
+```bash
+sha256sum -c SHA256SUMS --ignore-missing
+```
+
+This command will compare the checksums in the `SHA256SUMS` file with the ones generated from your downloaded binaries.
+If they match, you’ll see an “OK” message, confirming that the files are intact and unaltered.
+
+## Verify the SHA256SUMS Signature
+
+To ensure that the `SHA256SUMS` file itself hasn’t been tampered with,
+Pactus signs the file with a digital signature.
+You can verify this signature using [Cosign](https://docs.sigstore.dev/cosign/).
+
+```bash
+cosign verify-blob SHA256SUMS --signature=SHA256SUMS.sig --key https://pactus.org/cosign.pub
+```
+
+This command uses the Pactus public key, hosted at [https://pactus.org/cosign.pub](https://pactus.org/cosign.pub),
+to confirm that the Pactus team signed the file.
+
+If the signature is valid, Cosign will confirm that the `SHA256SUMS` file is legitimate and
+was signed by the official Pactus team.
+
+## Why This Is Important
+
+By verifying both the checksum and the signature, you ensure:
+
+- The Pactus binaries you downloaded are complete and unmodified.
+- The `SHA256SUMS` file has not been tampered with and was signed by the Pactus team.
+
+This process protects your system from potentially compromised software and
+ensures you're running the correct, secure version of Pactus.