Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion cliff.toml
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,14 @@ In order to verify the release, you'll need to have gpg or gpg2 installed on you
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/negrunch.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/arkanoider.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/catrya.asc | gpg --import
curl https://raw.githubusercontent.com/MostroP2P/mostro/main/keys/andreadiazcorreia.asc | gpg --import
```
Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider, manifest.txt.sig.catrya and manifest.txt are in the current directory) with:
Once you have the required PGP keys, you can verify the release (assuming manifest.txt.sig.negrunch, manifest.txt.sig.arkanoider, manifest.txt.sig.catrya, manifest.txt.sig.andreadiazcorreia and manifest.txt are in the current directory) with:
```bash
gpg --verify manifest.txt.sig.negrunch manifest.txt
gpg --verify manifest.txt.sig.arkanoider manifest.txt
gpg --verify manifest.txt.sig.catrya manifest.txt
gpg --verify manifest.txt.sig.andreadiazcorreia manifest.txt
Comment thread
AndreaDiazCorreia marked this conversation as resolved.

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg: using RSA key 1E41631D137BA2ADE55344F73852B843679AD6F0
Expand All @@ -34,6 +36,10 @@ gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg: using RSA key 9A718444050F091D3D24CF6CE15E232F243D73E6
gpg: Good signature from "Catrya (github) <140891948+Catrya@users.noreply.github.com>" [ultimate]

gpg: Signature made fri 10 oct 2025 11:28:03 -03
gpg: using EDDSA key 57376B6467F41F565ADDC65B1ED8B40E3A46E21D
gpg: Good signature from "Andrea Diaz Correia <andrea.diaz.correia@gmail.com>" [ultimate]

```
That will verify the signature of the manifest file, which ensures integrity and authenticity of the archive you've downloaded locally containing the binaries. Next, depending on your operating system, you should then re-compute the sha256 hash of the archive with `shasum -a 256 <filename>`, compare it with the corresponding one in the manifest file, and ensure they match exactly.

Expand Down
13 changes: 13 additions & 0 deletions keys/andreadiazcorreia.asc
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEaLW8ZRYJKwYBBAHaRw8BAQdATSYa9ze+csJ5hu8b6GaVUNdPVGIJ+VNr5P6W
NXyV0dy0M0FuZHJlYSBEaWF6IENvcnJlaWEgPGFuZHJlYS5kaWF6LmNvcnJlaWFA
Z21haWwuY29tPoiQBBMWCgA4FiEEVzdrZGf0H1Za3cZbHti0DjpG4h0FAmi1vGUC
GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQHti0DjpG4h1WbAD/fCixPp1g
4W/h+dMkQZI0Eqrcvad9d1Urd3krr+cDacEBAI3twqLFnaUER04zuFw9SxNOmgSu
AihVwkxypj2b6s8JuDgEaLW8ZRIKKwYBBAGXVQEFAQEHQElFe2DN76ovNtt5VQdz
yepYTBRkzU1iYBX1Ja1ra/t8AwEIB4h4BBgWCgAgFiEEVzdrZGf0H1Za3cZbHti0
DjpG4h0FAmi1vGUCGwwACgkQHti0DjpG4h1AKwD9ExneRpFqOqVwhN2ha+oC6t3Z
zJQP4lTS4iID7dTzR7MA/Rbl2/bszTXPjfSDPOV7y7lklorzFL7r26IJiSCGzcwJ
=+5ZY
-----END PGP PUBLIC KEY BLOCK-----