Provide instruction to validate the checksum of ORAS CLI binaries #69

Closed
FeynmanZhou opened this issue Nov 22, 2022 · 4 comments · Fixed by #216

Comments

@FeynmanZhou
Member

FeynmanZhou commented Nov 22, 2022

ORAS release uses a GPG key to sign each release binary in the release process. We should provide instructions to help users validate the checksum of ORAS CLI binaries.

@aryab2003

I am willing to work on this project. Could you please provide me the details about this issue?

@FeynmanZhou
Member Author

@aryab2003 Thanks for your interest. However, this issue has been assigned to @deepeshaburse as she is the mentee of the LFX mentorship program.

@FeynmanZhou
Member Author

FeynmanZhou commented Jul 3, 2023

@deepeshaburse
According to the v1.0.0 release notes, the GPG key was used to sign the ORAS release binaries:

This release was signed with BE6F A8DD A48D 4C23 0091 A0A9 276D 8A72 4CE1 C704 (@qweeah's GPG key) which can be found here.

So these are the steps to validate the release binary using GPG. You can try them locally:

gpg --import qweeah.gpg # first save https://github.com/qweeah.gpg to a local `.gpg` file

gpg --gen-key

sign

save

gpg --edit-key qweeah trust

choose "4 = I trust fully"

gpg --verify oras_1.0.0_linux_amd64.tar.gz.asc oras_1.0.0_linux_amd64.tar.gz
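
A scripted form of the final verification step, as an added example that is not part of the original comment or the ORAS project's own instructions: it accepts the signature only when gpg reports a valid signature whose primary-key fingerprint equals the one quoted from the v1.0.0 release notes, since `gpg --verify` alone reports a good signature for any key in the keyring. The function names are hypothetical, and the signer's public key is assumed to be imported already.

```shell
#!/bin/sh
# Added example (not ORAS project code). Function names are hypothetical.
# Fingerprint quoted in the issue from the v1.0.0 release notes, spaces removed.
ORAS_FPR="BE6FA8DDA48D4C230091A0A9276D8A724CE1C704"

# Strip whitespace and upper-case a fingerprint so both sides compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` lines on stdin. Print the primary-key fingerprint of
# the valid signature; fail if there is none or gpg flagged the signature/key.
signer_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
         # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key.
         $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3) }
         END { if (bad || fpr == "") exit 1; print fpr }'
}

# check_status EXPECTED_FPR < status-output
# Succeeds only when the status output names the expected signer.
check_status() {
    want=$(normalize_fpr "$1")
    got=$(signer_fpr) || { echo "no valid, unexpired signature" >&2; return 1; }
    [ "$got" = "$want" ] || { echo "unexpected signer: $got" >&2; return 1; }
}

# verify_release SIGNATURE FILE [EXPECTED_FPR]
# Runs gpg on a detached signature and pins the signer fingerprint.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$ORAS_FPR}"
}

# Usage: verify_release oras_1.0.0_linux_amd64.tar.gz.asc oras_1.0.0_linux_amd64.tar.gz
```

The exit status is zero only for a valid signature from the pinned key, so the function can gate an install script directly.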

@deepeshaburse
Contributor

@FeynmanZhou thanks for the input!
