Feature #5630: Reproducible builds
Document how users can verify a reproducibly built ISO/IUK
| Status: | In Progress | Start date: | 06/02/2017 |
| QA Check: | Ready for QA | Blueprint: | |
| Type of work: | Contributors documentation | Affected tool: | |
- Assignee set to u
- download our .sig and verify it against your own build
- when someone reproducibly builds our .iso they have a file that is exactly the same as ours, which the .sig will verify for them
- there's a way to extract the SHA from the .sig.
- the SHA is already in IDFs and UDFs
#5 Updated by u about 17 hours ago
- Assignee changed from u to intrigeri
- QA Check set to Ready for QA
I added a page about this and would love someone from the foundations team to verify what I wrote and improve on it. Tentatively assigning to intrigeri.
- I don't know how to verify an IUK so this part is missing
- Is there an archive of our OpenPGP signatures so that people can verify older builds in the future?
- Is there an archive of our IDFs/SHAsums so that people can verify older builds in the future?
You can also reassign this to me if you think there is too much information missing.