* [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases
@ 2021-03-08 11:16 Alex Bennée
  2021-03-08 13:44 ` Paolo Bonzini
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Alex Bennée @ 2021-03-08 11:16 UTC
  To: qemu-devel
  Cc: pbonzini, thuth, Alex Bennée, Michael Roth, Stefan Hajnoczi

At the moment we mention the signature but don't actually say what it
is or how to check it. Let's surface the fingerprint on the information
along with a guide of how to verify the download.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
---
 _download/source.html | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/_download/source.html b/_download/source.html
index 35fd156..6c2f6f6 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -8,14 +8,21 @@
 	<div id="releases">
 	{% include releases.html %}
 	</div>
-	<p>or stay on the bleeding edge with the
-	   <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
-
+	<p>
+          Our source code tarballs are signed with the release
+          managers key, fingerprint:
+          <pre><code>CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584</code></pre>.
+          Alternatively stay on the bleeding edge with the
+	  <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
 	<h2>Build instructions</h2>
 
 	{% for release in site.data.releases offset: 0 limit: 1 %}
 	<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
 <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
+# optional verify signature
+wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
+gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
+# extract and build
 tar xvJf qemu-{{release.branch}}.{{release.patch}}.tar.xz
 cd qemu-{{release.branch}}.{{release.patch}}
 ./configure
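
Review bot: The added gpg line passes the tarball name to --output and gives --verify only the .sig file; for a detached signature the usual form names the signature first and the signed file second, i.e. "gpg --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig qemu-{{release.branch}}.{{release.patch}}.tar.xz", with no --output. The steps also never fetch the release manager's key or ask the reader to compare the fingerprint gpg reports with the one displayed above the build instructions, so as written the check either fails for lack of a public key or succeeds without being tied to that fingerprint. A line that imports the key, plus a comment telling the reader to compare the "Primary key fingerprint" output against the published value, would close that gap.
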
-- 
2.20.1




* Re: [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases
From: Paolo Bonzini @ 2021-03-08 13:44 UTC
  To: Alex Bennée, Thomas Huth, Michael Roth, qemu-devel

On 08/03/21 12:16, Alex Bennée wrote:
> +          managers key, fingerprint:
> +          <pre><code>CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584</code></pre>.
> +          Alternatively stay on the bleeding edge with the
> +	  <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
>   	<h2>Build instructions</h2>
>   
>   	{% for release in site.data.releases offset: 0 limit: 1 %}
>   	<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
>   <pre>wgethttps://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
> +# optional verify signature
> +wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
> +gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
> +# extract and build

Maybe add some <b> to either the comments or the commands?

(For reference, the result is visible at 
https://bonzini.gitlab.io/qemu-web/download/#source).

Paolo




* Re: [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases
From: Thomas Huth @ 2021-03-08 13:57 UTC
  To: Alex Bennée, qemu-devel; +Cc: pbonzini, Michael Roth, Stefan Hajnoczi

On 08/03/2021 12.16, Alex Bennée wrote:
> At the moment we mention the signature but don't actually say what it
> is or how to check it. Let's surface the fingerprint on the information
> along with a guide of how to verify the download.
> 
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> ---
>   _download/source.html | 13 ++++++++++---
>   1 file changed, 10 insertions(+), 3 deletions(-)
> 
> diff --git a/_download/source.html b/_download/source.html
> index 35fd156..6c2f6f6 100644
> --- a/_download/source.html
> +++ b/_download/source.html
> @@ -8,14 +8,21 @@
>   	<div id="releases">
>   	{% include releases.html %}
>   	</div>
> -	<p>or stay on the bleeding edge with the
> -	   <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
> -
> +	<p>
> +          Our source code tarballs are signed with the release
> +          managers key, fingerprint:

I'd like to suggest to replace the above sentence with:

Our source code tarballs are signed with the
<a href="http://hkps.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xCEACC9E15534EBABB82D3FA03353C9CEF108B584">release managers key</a>.
The fingerprint of this key is:


> +          <pre><code>CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584</code></pre>.
> +          Alternatively stay on the bleeding edge with the
> +	  <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
>   	<h2>Build instructions</h2>
>   
>   	{% for release in site.data.releases offset: 0 limit: 1 %}
>   	<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
>   <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
> +# optional verify signature
> +wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
> +gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
> +# extract and build
>   tar xvJf qemu-{{release.branch}}.{{release.patch}}.tar.xz
>   cd qemu-{{release.branch}}.{{release.patch}}
>   ./configure
> 
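
Review bot: The <pre><code> fingerprint block is placed inside the <p> that opens the new text, and <pre> is not allowed inside a paragraph: the browser closes the <p> at the <pre>, the lone "." after </pre> and the "Alternatively stay on the bleeding edge" sentence fall outside any paragraph, and the final </p> produces an empty one. Close the paragraph before the <pre>, drop the "." after </pre>, and open a new <p> for the git repository sentence.
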

  Thomas




* Re: [qemu-web RFC PATCH] _download/source.html: show the GPG fingerprint for releases
From: Peter Maydell @ 2021-03-08 14:03 UTC
  To: Alex Bennée
  Cc: Paolo Bonzini, Thomas Huth, QEMU Developers, Stefan Hajnoczi,
	Michael Roth

On Mon, 8 Mar 2021 at 11:19, Alex Bennée <alex.bennee@linaro.org> wrote:
>
> At the moment we mention the signature but don't actually say what it
> is or how to check it. Let's surface the fingerprint on the information
> along with a guide of how to verify the download.
>
> Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
> Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
> Cc: Stefan Hajnoczi <stefanha@redhat.com>
> ---
>  _download/source.html | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/_download/source.html b/_download/source.html
> index 35fd156..6c2f6f6 100644
> --- a/_download/source.html
> +++ b/_download/source.html
> @@ -8,14 +8,21 @@
>         <div id="releases">
>         {% include releases.html %}
>         </div>
> -       <p>or stay on the bleeding edge with the
> -          <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
> -
> +       <p>
> +          Our source code tarballs are signed with the release
> +          managers key, fingerprint:

"manager's"

> +          <pre><code>CEAC C9E1 5534 EBAB B82D  3FA0 3353 C9CE F108 B584</code></pre>.
> +          Alternatively stay on the bleeding edge with the
> +         <a href="https://gitlab.com/qemu-project/qemu">git repository!</a></p>
>         <h2>Build instructions</h2>
>
>         {% for release in site.data.releases offset: 0 limit: 1 %}
>         <p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
>  <pre>wget https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
> +# optional verify signature

"optionally"

thanks
-- PMM


