Pull request: upd-keys
Merge in DNS/adguard-home-wiki from upd-keys to master Squashed commit of the following: commit 013a8a432a5511e017be9e0e8a23f21fe8b97286 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Aug 15 19:50:03 2022 +0300 Verify-Releases: upd commit b541a3b0d9b5dfdae7b50e5be74b47e25231c258 Author: Ainar Garipov <A.Garipov@AdGuard.COM> Date: Mon Aug 15 19:46:14 2022 +0300 Verify-Releases: upd instructions
parent
dd262286c0
commit
d1b1109ae2
|
@ -1,49 +1,77 @@
|
||||||
# Verifying AdGuard Home Releases
|
# Verifying AdGuard Home Releases
|
||||||
|
|
||||||
Since AdGuard Home v0.103.4 we sign the executable files we build so you can verify they are really created by us and no one else.
|
Since AdGuard Home v0.103.4 we sign the executable files we build so that you
|
||||||
Inside an archive file there's a small file with `.sig` extension which contains the signature data.
|
can verify they are really created by us and no one else. Inside an archive
|
||||||
In a hypothetic situation when the binary file inside an archive is replaced by someone, you'll know that it isn't an official release from AdGuard.
|
file there's a small file with `.sig` extension which contains the signature
|
||||||
|
data. In a hypothetic situation when the binary file inside an archive is
|
||||||
|
replaced by someone, you'll know that it isn't an official release from AdGuard.
|
||||||
|
|
||||||
|
|
||||||
## How to verify that the executable file was built by AdGuard?
|
## How to verify that the executable file was built by AdGuard?
|
||||||
|
|
||||||
1. Unpack AdGuard Home archive file
|
1. Unpack the AdGuard Home archive file.
|
||||||
2. Import AdGuard Home public key from keyserver:
|
|
||||||
|
|
||||||
gpg --keyserver pgp.key-server.io --recv-key 1222CCA0
|
1. Import AdGuard Home public key from keyserver. For **current releases,**
|
||||||
|
run:
|
||||||
|
|
||||||
The above command will print:
|
```sh
|
||||||
|
gpg --keyserver 'keys.openpgp.org' --recv-key '28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6'
|
||||||
|
```
|
||||||
|
|
||||||
gpg: key 9A6F0EB91222CCA0: public key "AdGuard <devteam@adguard.com>" imported
|
**NOTE:** For releases **before v0.107.10 and v0.108.0-b.11,** we used a key
|
||||||
|
with the fingerprint `1222CCA0` stored on `pgp.key-server.io`. That key is
|
||||||
|
now invalid, and the server does not respond.
|
||||||
|
|
||||||
3. Verify (for UNIX):
|
The above command will print something similar to:
|
||||||
|
|
||||||
gpg --verify AdGuardHome/AdGuardHome.sig
|
```none
|
||||||
|
gpg: key 0FE641E7235E2EC6: public key "AdGuard <devteam@adguard.com>" imported
|
||||||
|
gpg: Total number processed: 1
|
||||||
|
gpg: imported: 1
|
||||||
|
```
|
||||||
|
|
||||||
or for Windows:
|
1. Verify. On unix:
|
||||||
|
|
||||||
gpg --verify AdGuardHome/AdGuardHome.exe.sig
|
```sh
|
||||||
|
gpg --verify AdGuardHome/AdGuardHome.sig
|
||||||
|
```
|
||||||
|
|
||||||
|
On Windows (you might need to install PGP):
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
gpg --verify AdGuardHome/AdGuardHome.exe.sig
|
||||||
|
```
|
||||||
|
|
||||||
You'll see something like this:
|
You'll see something like this:
|
||||||
|
|
||||||
gpg: assuming signed data in 'AdGuardHome/AdGuardHome'
|
```none
|
||||||
gpg: Signature made Wed 12 Aug 2020 11:06:44 PM +03
|
gpg: assuming signed data in 'AdGuardHome/AdGuardHome'
|
||||||
gpg: using RSA key 58D6AD46BC509C6181A22C5F9A6F0EB91222CCA0
|
gpg: Signature made Mon 15 Aug 2022 19:30:55 MSK
|
||||||
gpg: issuer "devteam@adguard.com"
|
gpg: using RSA key 28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6
|
||||||
gpg: Good signature from "AdGuard <devteam@adguard.com>" [unknown]
|
gpg: issuer "devteam@adguard.com"
|
||||||
|
gpg: Good signature from "AdGuard <devteam@adguard.com>" [ultimate]
|
||||||
|
```
|
||||||
|
|
||||||
Check:
|
Check the following:
|
||||||
* RSA key - must be "58D6AD46BC509C6181A22C5F9A6F0EB91222CCA0"
|
|
||||||
* name - must be "AdGuard"
|
|
||||||
* email address - must be "devteam@adguard.com"
|
|
||||||
|
|
||||||
> Note Windows users: you need to install PGP software.
|
* RSA key: must be `28645AC9776EC4C00BCE2AFC0FE641E7235E2EC6`;
|
||||||
|
* issuer name: must be `AdGuard`;
|
||||||
|
* E-mail address: must be `devteam@adguard.com`;
|
||||||
|
|
||||||
|
There may also be the following warning:
|
||||||
|
|
||||||
|
```none
|
||||||
|
gpg: WARNING: The key's User ID is not certified with a trusted signature!
|
||||||
|
gpg: There is no indication that the signature belongs to the owner.
|
||||||
|
Primary key fingerprint: 2864 5AC9 776E C4C0 0BCE 2AFC 0FE6 41E7 235E 2EC6
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Reproducing AdGuard Home releases
|
|
||||||
|
|
||||||
git clone --branch "v0.103.3" --depth=1 "https://github.com/AdguardTeam/AdGuardHome" /tmp/adguard
|
## Reproducing AdGuard Home builds
|
||||||
cd /tmp/adguard
|
|
||||||
docker run --volume $(pwd):/build --rm --env CHANNEL=release --net=host adguard/golang-ubuntu make release
|
|
||||||
|
|
||||||
where "v0.103.3" is the AdGuard Home version you want to build.
|
AdGuard Home uses [reproducible builds][repr]. See the “`build-release.sh`”
|
||||||
|
section in our [build script][build] documentation.
|
||||||
|
|
||||||
|
[build]: https://github.com/AdguardTeam/AdGuardHome/tree/master/scripts
|
||||||
|
[repr]: https://reproducible-builds.org/
|
||||||
|
|
Loading…
Reference in New Issue