Closed nahuhh closed 2 months ago
If you're referring to the guix.sigs repo, it looks like the PRs simply haven't been merged in yet (they've been there/approved since the release): https://github.com/dashpay/guix.sigs/pulls?q=is%3Apr+is%3Aopen+21.1.0
@PastaPastaPasta @UdjinM6 can we get those merged?
@thephez thanks! merged those. Otherwise, I wrote the following before you responded.
All these .asc files are the signatures.
Use one of these guides to verify them
Additionally, the .exe's and .dmgs are all signed (and notarized if applicable)
see: https://www.virustotal.com/gui/file/8addbaf79f9cfba7b215a0c96f6cbf1013a6da1a9c68fd91cb6e6c707f25cf39 for the exe
even the docker images are signed! (although less documented)
cosign verify --key=dashd.pub dashpay/dashd:21.1.0
(find dashd.pub here https://github.com/dashpay/docker.sigs/blob/master/dashd/dashd.pub)
Thanks
Files posted on release page can be modified at will.
we trust the guix builds and use the committed sigs on that repo to verify binaries
Makes sense, yeah, it is best to validate against those signatures, but I guess you're the only person who uses them directly 😂
Thanks for letting us know
^^
cmon guys.
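An added example (not from the thread or the Dash project) of the hash-matching step behind "use the committed sigs on that repo to verify binaries": it compares a downloaded file's SHA-256 against the SHA256SUMS attestations of several signers. It assumes each attestation's .asc signature was already verified with gpg; the file name, the signer names and the `min_signers` threshold are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One SHA256SUMS line: 64 hex chars, a space, ' ' (text) or '*' (binary), file name.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sums(text):
    """Return {file name: lowercase hex digest} from SHA256SUMS-format text."""
    entries = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large release archives are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_against_attestations(binary, attestations, min_signers=2):
    """attestations: {signer: SHA256SUMS text whose signature was already verified}.
    Returns (ok, signers listing the same hash, signers listing a different hash)."""
    name, actual = Path(binary).name, sha256_file(binary)
    agree, differ = [], []
    for signer, text in sorted(attestations.items()):
        listed = parse_sums(text).get(name)
        if listed == actual:
            agree.append(signer)
        elif listed is not None:
            differ.append(signer)
    # Any signer attesting a different hash for this file name fails the check.
    return (len(agree) >= min_signers and not differ), agree, differ

def demo():
    # Constructed sample: a stand-in "release file" and three hypothetical signers.
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "example-1.0-x86_64-linux-gnu.tar.gz"
        f.write_bytes(b"constructed release payload\n")
        good = f"{sha256_file(f)}  {f.name}\n"
        bad = f"{'0' * 64}  {f.name}\n"
        clean = check_against_attestations(f, {"alice": good, "bob": good})
        tampered = check_against_attestations(f, {"alice": good, "bob": good, "carol": bad})
        return clean, tampered

if __name__ == "__main__":
    print(demo())
```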