* [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases
@ 2021-03-08 11:16 Alex Bennée
2021-03-08 13:44 ` Paolo Bonzini
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Alex Bennée @ 2021-03-08 11:16 UTC (permalink / raw)
To: qemu-devel
Cc: pbonzini, thuth, Alex Bennée, Michael Roth, Stefan Hajnoczi
At the moment we mention the signature but don't actually say what it
is or how to check it. Lets surface the fingerprint on the information
along with a guide of how to verify the download.
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
---
_download/source.html | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/_download/source.html b/_download/source.html
index 35fd156..6c2f6f6 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -8,14 +8,21 @@
<div id="releases">
{% include releases.html %}
</div>
- <p>or stay on the bleeding edge with the
- <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
-
+ <p>
+ Our source code tarballs are signed with the release
+ managers key, fingerprint:
+ <pre><code>CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584</code></pre>.
+ Alternatively stay on the bleeding edge with the
+ <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
<h2>Build instructions</h2>
{% for release in site.data.releases offset: 0 limit: 1 %}
<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
<pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
+# optional verify signature
+wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
+gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
+# extract and build
tar xvJf qemu-{{release.branch}}.{{release.patch}}.tar.xz
cd qemu-{{release.branch}}.{{release.patch}}
./configure
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases
2021-03-08 11:16 [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases Alex Bennée
@ 2021-03-08 13:44 ` Paolo Bonzini
2021-03-08 13:57 ` Thomas Huth
2021-03-08 14:03 ` Peter Maydell
2 siblings, 0 replies; 4+ messages in thread
From: Paolo Bonzini @ 2021-03-08 13:44 UTC (permalink / raw)
To: Alex Bennée, Thomas Huth, Michael Roth, qemu-devel
On 08/03/21 12:16, Alex Bennée wrote:
> + managers key, fingerprint:
> + <pre><code>CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584</code></pre>.
> + Alternatively stay on the bleeding edge with the
> + <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
> <h2>Build instructions</h2>
>
> {% for release in site.data.releases offset: 0 limit: 1 %}
> <p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
> <pre>wgethttps://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
> +# optional verify signature
> +wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
> +gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
> +# extract and build
Maybe add some <b> to either the comments or the commands?
(For reference, the result is visible at
https://bonzini.gitlab.io/qemu-web/download/#source).
Paolo
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases
2021-03-08 11:16 [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases Alex Bennée
2021-03-08 13:44 ` Paolo Bonzini
@ 2021-03-08 13:57 ` Thomas Huth
2021-03-08 14:03 ` Peter Maydell
2 siblings, 0 replies; 4+ messages in thread
From: Thomas Huth @ 2021-03-08 13:57 UTC (permalink / raw)
To: Alex Bennée, qemu-devel; +Cc: pbonzini, Michael Roth, Stefan Hajnoczi
On 08/03/2021 12.16, Alex Bennée wrote:
> At the moment we mention the signature but don't actually say what it
> is or how to check it. Lets surface the fingerprint on the information
> along with a guide of how to verify the download.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> _download/source.html | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/_download/source.html b/_download/source.html
> index 35fd156..6c2f6f6 100644
> --- a/_download/source.html
> +++ b/_download/source.html
> @@ -8,14 +8,21 @@
> <div id="releases">
> {% include releases.html %}
> </div>
> - <p>or stay on the bleeding edge with the
> - <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
> -
> + <p>
> + Our source code tarballs are signed with the release
> + managers key, fingerprint:
I'd like to suggest to replace the above sentence with:
Our source code tarballs are signed with the
<a
href="http://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xCEACC9E15534EBABB82D3FA03353C9CEF108B584">release
managers key</a>. The fingerprint of this key is:
> + <pre><code>CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584</code></pre>.
> + Alternatively stay on the bleeding edge with the
> + <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
> <h2>Build instructions</h2>
>
> {% for release in site.data.releases offset: 0 limit: 1 %}
> <p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
> <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
> +# optional verify signature
> +wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
> +gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
> +# extract and build
> tar xvJf qemu-{{release.branch}}.{{release.patch}}.tar.xz
> cd qemu-{{release.branch}}.{{release.patch}}
> ./configure
>
Thomas
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases
2021-03-08 11:16 [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases Alex Bennée
2021-03-08 13:44 ` Paolo Bonzini
2021-03-08 13:57 ` Thomas Huth
@ 2021-03-08 14:03 ` Peter Maydell
2 siblings, 0 replies; 4+ messages in thread
From: Peter Maydell @ 2021-03-08 14:03 UTC (permalink / raw)
To: Alex Bennée
Cc: Paolo Bonzini, Thomas Huth, QEMU Developers, Stefan Hajnoczi,
Michael Roth
On Mon, 8 Mar 2021 at 11:19, Alex Bennée <alex.bennee@linaro.org> wrote:
>
> At the moment we mention the signature but don't actually say what it
> is or how to check it. Lets surface the fingerprint on the information
> along with a guide of how to verify the download.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> ---
> _download/source.html | 13 ++++++++++---
> 1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/_download/source.html b/_download/source.html
> index 35fd156..6c2f6f6 100644
> --- a/_download/source.html
> +++ b/_download/source.html
> @@ -8,14 +8,21 @@
> <div id="releases">
> {% include releases.html %}
> </div>
> - <p>or stay on the bleeding edge with the
> - <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
> -
> + <p>
> + Our source code tarballs are signed with the release
> + managers key, fingerprint:
"manager's"
> + <pre><code>CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108 B584</code></pre>.
> + Alternatively stay on the bleeding edge with the
> + <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
> <h2>Build instructions</h2>
>
> {% for release in site.data.releases offset: 0 limit: 1 %}
> <p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
> <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
> +# optional verify signature
"optionally"
thanks
-- PMM
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-08 14:26 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-08 11:16 [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases Alex Bennée
2021-03-08 13:44 ` Paolo Bonzini
2021-03-08 13:57 ` Thomas Huth
2021-03-08 14:03 ` Peter Maydell
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.