# Verifying Radroots Releases

All official **Radroots** releases are cryptographically signed by a designated release manager. Alongside every binary distribution (such as `radrootsd`) you will find:

- A detached **OpenPGP signature** (`.asc`)
- A **SHA256 checksum** file (`SHA256SUMS`)

These files let you confirm both **authenticity** (the file really came from Radroots) and **integrity** (the file has not been tampered with).

> **Always download signatures and keys directly from `radroots.dev`, never from mirrors or third-party sources.**

---

## Where to Get Keys and Signatures

- **Public keys**:
- **Release binaries & checksums/signatures**:

---

## Checking Signatures

Assume you’ve downloaded:

- `radrootsd-0.1.0-x86_64-unknown-linux-gnu` (the binary)
- `SHA256SUMS` (checksums for all artifacts)
- `SHA256SUMS.asc` (the detached GPG signature for the checksum file)

### 1) Import the release keys

```bash
curl -O https://radroots.dev/keys/KEYS
gpg --import KEYS
```

### 2) Verify the signed checksum file

```bash
gpg --verify SHA256SUMS.asc SHA256SUMS
```

You should see output indicating a **Good signature** from a Radroots developer key.

### 3) Verify the checksum of the binary

```bash
sha256sum -c SHA256SUMS
```

The result should show `OK` for the file you downloaded, for example:

```
radrootsd-0.1.0-x86_64-unknown-linux-gnu: OK
```

---

## Validating Authenticity of a Key

A valid signature only proves the file was produced by someone with access to the private key. You must also validate that the key **belongs to Radroots**.

- Key fingerprints are published on and in the `KEYS` file.
- Compare the full **40-character fingerprint** shown by GnuPG with the published fingerprint.

Example:

```bash
gpg --fingerprint release@radroots.dev
```

The result should match what is listed on the Radroots website.

**Stronger validation** can be done by building a **web of trust** or meeting a Radroots developer in person to confirm fingerprints.
---

## Checking Integrity with OpenSSL (alternative)

You can also compute a SHA256 hash manually:

```bash
openssl sha256 radrootsd-0.1.0-x86_64-unknown-linux-gnu
```

Compare the printed hash with the corresponding line for that file in `SHA256SUMS`.

---

## Security Notes

- Always use **HTTPS** when fetching keys and signatures.
- Treat the `KEYS` file as your **root of trust**. If the Radroots website is ever compromised, verify keys **out-of-band**.
- Keep an eye on for announcements regarding **key rotations** or **security advisories**.

---

## Reference Example

Below is an illustrative example showing what you might see when a signature is present but the key is not yet on your keyring, and why **fingerprint validation** matters.

1) Attempt to verify a detached signature against the checksum file:

```bash
gpg --verify SHA256SUMS.asc SHA256SUMS
# gpg: Signature made Sat Apr 1 03:21:01 2012 UTC using RSA key ID 7885CD4F
# gpg: Can't check signature: public key not found
```

2) Import the missing public keys from the official Radroots `KEYS` file:

```bash
curl -O https://radroots.dev/keys/KEYS
gpg --import KEYS
# gpg: key 7885CD4F: public key "Radroots Release Signing Key " imported
```

3) Verify again; you may get a **Good signature** but still see a trust warning until you validate the key’s **fingerprint**:

```bash
gpg --verify SHA256SUMS.asc SHA256SUMS
# gpg: Good signature from "Radroots Release Signing Key "
# gpg: WARNING: This key is not certified with a trusted signature!
```

4) Check the **full fingerprint** and compare it to the fingerprints published by Radroots:

```bash
gpg --fingerprint release@radroots.dev
# Fingerprint: 6103 7CBC 77C4 6DE6 D1A9 AA17 1A83 1C7D 5B38 F3EF
```

Only after the fingerprint matches a trusted source (Radroots website, face-to-face verification with a Radroots developer, or a web-of-trust path) should you treat the signature as both **valid** and **trusted**.
5) To verify file integrity with the published SHA256 sums:

```bash
shasum -a 256 -c SHA256SUMS
# radrootsd-0.1.0-x86_64-unknown-linux-gnu: OK
```

Or compute it directly:

```bash
openssl sha256 -r radrootsd-0.1.0-x86_64-unknown-linux-gnu
# 3f2a7b5c8d9e1a2b3c4d5e6f7081920a3b4c5d6e7f819203a4b5c6d7e8f90123 *radrootsd-0.1.0-x86_64-unknown-linux-gnu
```

---
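The steps in "Checking Signatures" and in the reference example above, put together as one fail-closed POSIX shell script. This is an added example, not part of the Radroots documentation or tooling; it assumes GnuPG and coreutils `sha256sum` are installed, and `EXPECTED_FPR` is a placeholder you must replace with the fingerprint published on radroots.dev.

```shell
#!/bin/sh
# Added example (not Radroots' own tooling): scripted release verification.
# Each step fails closed: a missing status line or a mismatch aborts the run.
set -eu

# Placeholder only; paste the 40-hex fingerprint published on radroots.dev.
EXPECTED_FPR="0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"

# Canonicalise a fingerprint: drop spaces, uppercase, so the spaced form
# printed by gpg compares equal to a lowercase hex copy from a web page.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# Succeed only when both values are full 40-hex fingerprints and identical.
# A short key ID such as 7885CD4F is rejected: it is not a fingerprint.
fpr_matches() {
  _a=$(norm_fpr "$1"); _b=$(norm_fpr "$2")
  [ "$_a" = "$_b" ] && printf '%s' "$_a" | grep -Eq '^[0-9A-F]{40}$'
}

# Verify the detached signature and print the primary-key fingerprint from
# gpg's machine-readable VALIDSIG status line (stderr text is not parsed).
# Usage: sig_fpr SHA256SUMS.asc SHA256SUMS
sig_fpr() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
         END { exit !found }'
}

# Check only the artifact actually downloaded. Feeding the whole SHA256SUMS
# to sha256sum -c reports every other artifact as missing; selecting one
# line avoids that, and an absent line still fails (no checksum lines).
# Usage: verify_sum SHA256SUMS <artifact>
verify_sum() {
  awk -v f="$2" '$2 == f || $2 == ("*" f)' "$1" | sha256sum -c --strict -
}

# Full flow: valid signature, fingerprint pinned, then checksum of the binary.
# Usage: verify_release SHA256SUMS.asc SHA256SUMS <artifact>
verify_release() {
  fpr=$(sig_fpr "$1" "$2") || { echo "signature check failed" >&2; return 1; }
  fpr_matches "$fpr" "$EXPECTED_FPR" ||
    { echo "fingerprint $fpr does not match pinned value" >&2; return 1; }
  verify_sum "$2" "$3" || { echo "checksum mismatch for $3" >&2; return 1; }
  echo "OK: $3 signed by $fpr and checksum matches"
}

if [ "$#" -ge 3 ]; then verify_release "$@"; fi
```

Run it as `sh verify.sh SHA256SUMS.asc SHA256SUMS radrootsd-0.1.0-x86_64-unknown-linux-gnu` after importing `KEYS`; any non-zero exit means the release must not be used.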