Pull request: upd-keys

Merge in DNS/adguard-home-wiki from upd-keys to master Squashed commit of the following: commit 013a8a432a5511e017be9e0e8a23f21fe8b97286 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Aug 15 19:50:03 2022 +0300 Verify-Releases: upd commit b541a3b0d9b5dfdae7b50e5be74b47e25231c258 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Aug 15 19:46:14 2022 +0300 Verify-Releases: upd instructions
2022-08-15 20:20:42 +03:00 · 2022-08-15 20:20:42 +03:00 · d1b1109ae2
parent dd262286c0
commit d1b1109ae2
1 changed files with 57 additions and 29 deletions
--- a/Verify-Releases.md
+++ b/Verify-Releases.md
@ -1,49 +1,77 @@
- # Verifying AdGuard Home Releases
+ #  Verifying AdGuard Home Releases

-Since AdGuard Home v0.103.4 we sign the executable files we build so you can verify they are really created by us and no one else.
-Inside an archive file there's a small file with `.sig` extension which contains the signature data.
-In a hypothetic situation when the binary file inside an archive is replaced by someone, you'll know that it isn't an official release from AdGuard.
+Since AdGuard Home v0.103.4 we sign the executable files we build so that you
+can verify they are really created by us and no one else.  Inside an archive
+file there's a small file with `.sig` extension which contains the signature
+data.  In a hypothetic situation when the binary file inside an archive is
+replaced by someone, you'll know that it isn't an official release from AdGuard.


-## How to verify that the executable file was built by AdGuard?
+##  How to verify that the executable file was built by AdGuard?

-1. Unpack AdGuard Home archive file
-2. Import AdGuard Home public key from keyserver:
+1.  Unpack the AdGuard Home archive file.

-        gpg --keyserver pgp.key-server.io --recv-key 1222CCA0
+1.  Import AdGuard Home public key from keyserver.  For **current releases,**
+    run:

-    The above command will print:
+    ```sh
+    gpg --keyserver 'keys.openpgp.org' --recv-key '28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6'
+    ```

-        gpg: key 9A6F0EB91222CCA0: public key "AdGuard <devteam@adguard.com>" imported
+    **NOTE:** For releases **before v0.107.10 and v0.108.0-b.11,** we used a key
+    with the fingerprint `1222CCA0` stored on `pgp.key-server.io`.  That key is
+    now invalid, and the server does not respond.

-3. Verify (for UNIX):
+    The above command will print something similar to:

-        gpg --verify AdGuardHome/AdGuardHome.sig
+    ```none
+    gpg: key 0FE641E7235E2EC6: public key "AdGuard <devteam@adguard.com>" imported
+    gpg: Total number processed: 1
+    gpg:               imported: 1
+    ```

-    or for Windows:
+1.  Verify.  On unix:

-        gpg --verify AdGuardHome/AdGuardHome.exe.sig
+    ```sh
+    gpg --verify AdGuardHome/AdGuardHome.sig
+    ```
+
+    On Windows (you might need to install PGP):
+
+    ```ps1
+    gpg --verify AdGuardHome/AdGuardHome.exe.sig
+    ```

    You'll see something like this:

-        gpg: assuming signed data in 'AdGuardHome/AdGuardHome'
-        gpg: Signature made Wed 12 Aug 2020 11:06:44 PM +03
-        gpg:                using RSA key 58D6AD46BC509C6181A22C5F9A6F0EB91222CCA0
-        gpg:                issuer "devteam@adguard.com"
-        gpg: Good signature from "AdGuard <devteam@adguard.com>" [unknown]
+    ```none
+    gpg: assuming signed data in 'AdGuardHome/AdGuardHome'
+    gpg: Signature made Mon 15 Aug 2022 19:30:55 MSK
+    gpg:                using RSA key 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6
+    gpg:                issuer "devteam@adguard.com"
+    gpg: Good signature from "AdGuard <devteam@adguard.com>" [ultimate]
+    ```

-    Check:
-    * RSA key - must be "58D6AD46BC509C6181A22C5F9A6F0EB91222CCA0"
-    * name - must be "AdGuard"
-    * email address - must be "devteam@adguard.com"
+    Check the following:

-> Note Windows users: you need to install PGP software.
+     *  RSA key: must be `28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6`;
+     *  issuer name: must be `AdGuard`;
+     *  E-mail address: must be `devteam@adguard.com`;
+
+    There may also be the following warning:
+
+    ```none
+    gpg: WARNING: The key's User ID is not certified with a trusted signature!
+    gpg:          There is no indication that the signature belongs to the owner.
+    Primary key fingerprint: 2864 5AC9 776E C4C0 0BCE  2AFC 0FE6 41E7 235E 2EC6
+    ```


-## Reproducing AdGuard Home releases

-    git clone --branch "v0.103.3" --depth=1 "https://github.com/AdguardTeam/AdGuardHome" /tmp/adguard
-    cd /tmp/adguard
-    docker run --volume $(pwd):/build --rm --env CHANNEL=release --net=host adguard/golang-ubuntu make release
+##  Reproducing AdGuard Home builds

-where "v0.103.3" is the AdGuard Home version you want to build.
+AdGuard Home uses [reproducible builds][repr].  See the “`build-release.sh`”
+section in our [build script][build] documentation.
+
+[build]: https://github.com/AdguardTeam/AdGuardHome/tree/master/scripts
+[repr]:  https://reproducible-builds.org/