From d1b1109ae2f253d7c6ebac98bc616b10bdc30b1c Mon Sep 17 00:00:00 2001 From: Ainar Garipov Date: Mon, 15 Aug 2022 20:20:42 +0300 Subject: [PATCH] Pull request: upd-keys Merge in DNS/adguard-home-wiki from upd-keys to master Squashed commit of the following: commit 013a8a432a5511e017be9e0e8a23f21fe8b97286 Author: Ainar Garipov Date: Mon Aug 15 19:50:03 2022 +0300 Verify-Releases: upd commit b541a3b0d9b5dfdae7b50e5be74b47e25231c258 Author: Ainar Garipov Date: Mon Aug 15 19:46:14 2022 +0300 Verify-Releases: upd instructions --- Verify-Releases.md | 86 ++++++++++++++++++++++++++++++---------------- 1 file changed, 57 insertions(+), 29 deletions(-) diff --git a/Verify-Releases.md b/Verify-Releases.md index 88b9fdc..47b90f4 100644 --- a/Verify-Releases.md +++ b/Verify-Releases.md 
@@ -1,49 +1,77 @@ - # Verifying AdGuard Home Releases + # Verifying AdGuard Home Releases -Since AdGuard Home v0.103.4 we sign the executable files we build so you can verify they are really created by us and no one else. -Inside an archive file there's a small file with `.sig` extension which contains the signature data. -In a hypothetic situation when the binary file inside an archive is replaced by someone, you'll know that it isn't an official release from AdGuard. +Since AdGuard Home v0.103.4 we sign the executable files we build so that you +can verify they are really created by us and no one else. Inside an archive +file there's a small file with `.sig` extension which contains the signature +data. In a hypothetic situation when the binary file inside an archive is +replaced by someone, you'll know that it isn't an official release from AdGuard. -## How to verify that the executable file was built by AdGuard? +## How to verify that the executable file was built by AdGuard? -1. Unpack AdGuard Home archive file -2. Import AdGuard Home public key from keyserver: +1. Unpack the AdGuard Home archive file. - gpg --keyserver pgp.key-server.io --recv-key 1222CCA0 +1. Import AdGuard Home public key from keyserver. For **current releases,** + run: - The above command will print: + ```sh + gpg --keyserver 'keys.openpgp.org' --recv-key '28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6' + ``` - gpg: key 9A6F0EB91222CCA0: public key "AdGuard " imported + **NOTE:** For releases **before v0.107.10 and v0.108.0-b.11,** we used a key + with the fingerprint `1222CCA0` stored on `pgp.key-server.io`. That key is + now invalid, and the server does not respond. -3. Verify (for UNIX): + The above command will print something similar to: - gpg --verify AdGuardHome/AdGuardHome.sig + ```none + gpg: key 0FE641E7235E2EC6: public key "AdGuard " imported + gpg: Total number processed: 1 + gpg: imported: 1 + ``` - or for Windows: +1. Verify. 
On unix: - gpg --verify AdGuardHome/AdGuardHome.exe.sig + ```sh + gpg --verify AdGuardHome/AdGuardHome.sig + ``` + + On Windows (you might need to install PGP): + + ```ps1 + gpg --verify AdGuardHome/AdGuardHome.exe.sig + ``` You'll see something like this: - gpg: assuming signed data in 'AdGuardHome/AdGuardHome' - gpg: Signature made Wed 12 Aug 2020 11:06:44 PM +03 - gpg: using RSA key 58D6AD46BC509C6181A22C5F9A6F0EB91222CCA0 - gpg: issuer "devteam@adguard.com" - gpg: Good signature from "AdGuard " [unknown] + ```none + gpg: assuming signed data in 'AdGuardHome/AdGuardHome' + gpg: Signature made Mon 15 Aug 2022 19:30:55 MSK + gpg: using RSA key 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6 + gpg: issuer "devteam@adguard.com" + gpg: Good signature from "AdGuard " [ultimate] + ``` - Check: - * RSA key - must be "58D6AD46BC509C6181A22C5F9A6F0EB91222CCA0" - * name - must be "AdGuard" - * email address - must be "devteam@adguard.com" + Check the following: -> Note Windows users: you need to install PGP software. + * RSA key: must be `28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6`; + * issuer name: must be `AdGuard`; + * E-mail address: must be `devteam@adguard.com`; + + There may also be the following warning: + + ```none + gpg: WARNING: The key's User ID is not certified with a trusted signature! + gpg: There is no indication that the signature belongs to the owner. + Primary key fingerprint: 2864 5AC9 776E C4C0 0BCE 2AFC 0FE6 41E7 235E 2EC6 + ``` -## Reproducing AdGuard Home releases - git clone --branch "v0.103.3" --depth=1 "https://github.com/AdguardTeam/AdGuardHome" /tmp/adguard - cd /tmp/adguard - docker run --volume $(pwd):/build --rm --env CHANNEL=release --net=host adguard/golang-ubuntu make release +## Reproducing AdGuard Home builds -where "v0.103.3" is the AdGuard Home version you want to build. +AdGuard Home uses [reproducible builds][repr]. See the “`build-release.sh`” +section in our [build script][build] documentation. 
+ +[build]: https://github.com/AdguardTeam/AdGuardHome/tree/master/scripts +[repr]: https://reproducible-builds.org/
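Review bot: In the new verify step, the sample output ends with `Good signature from "AdGuard " [ultimate]`, but a reader who has only just imported the key with `--recv-key` has not assigned it any trust. They will normally see `[unknown]`, as the removed sample did, together with the "not certified with a trusted signature" warning that the text introduces only with "There may also be". Suggest showing `[unknown]` in the sample and adding a sentence after the warning block saying that the warning is expected for a freshly imported key, and that comparing the `Primary key fingerprint` line with `28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6` is the check that matters. Two smaller points in the same hunk: the NOTE calls `1222CCA0` a fingerprint, while the removed lines show it is the last eight hex digits of `58D6AD46BC509C6181A22C5F9A6F0EB91222CCA0`, so "key ID" or the full fingerprint would be accurate. The "Check the following" list also does not ask the reader to confirm the `Good signature` line itself, and its last item ends with a stray `;`.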