From 5409ade28c5f0acf99dbadd4d95e6f8efda5d395 Mon Sep 17 00:00:00 2001 From: ArthurHoaro Date: Thu, 14 Apr 2016 14:20:23 +0200 Subject: Update docs from Wiki --- doc/GnuPG-signature.html | 143 +++++++++++++++++++---------------------------- 1 file changed, 59 insertions(+), 84 deletions(-) (limited to 'doc/GnuPG-signature.html') diff --git a/doc/GnuPG-signature.html b/doc/GnuPG-signature.html index a1210b75..c187c996 100644 --- a/doc/GnuPG-signature.html +++ b/doc/GnuPG-signature.html @@ -4,31 +4,49 @@ - Shaarli - GnuPG signature + Shaarli – GnuPG signature - +
@@ -39,18 +57,26 @@ code > span.er { color: #ff0000; font-weight: bold; }
  • Download
  • Server requirements
  • Server configuration
  • +
  • Server security
  • +
  • Shaarli installation
  • Shaarli configuration
  • +
  • Plugin installation & configuration
  • +
  • Docker
  • +
  • Plugin list
  • Usage
  • How To
  • @@ -62,6 +88,7 @@ code > span.er { color: #ff0000; font-weight: bold; }
  • Directory structure
  • 3rd party libraries
  • Plugin System
  • +
  • Release Shaarli
  • Security
  • Static analysis
  • Theming
  • @@ -78,10 +105,13 @@ code > span.er { color: #ff0000; font-weight: bold; }

    GnuPG signature

    Introduction

    PGP and GPG

    -

    Gnu Privacy Guard (GnuPG) is an Open Source implementation of the Pretty Good [](.html)
    Privacy
    (OpenPGP) specification. Its main purposes are digital authentication,
    signature and encryption.

    +

    Gnu Privacy Guard (GnuPG) is an Open Source implementation of the Pretty Good [](.html)
    +Privacy
    (OpenPGP) specification. Its main purposes are digital authentication,
    +signature and encryption.

    It is often used by the FLOSS community to verify:

    Trust

    @@ -95,9 +125,12 @@ code > span.er { color: #ff0000; font-weight: bold; }
  • Web of trust
  • Generate a GPG key

    -

    See Generating a GPG key for Git tagging.

    +

    gpg - provide identity information

    -
    $ gpg --gen-key
    +
    $ gpg --gen-key
     
     gpg (GnuPG) 2.1.6; Copyright (C) 2015 Free Software Foundation, Inc.
     This is free software: you are free to change and redistribute it.
    @@ -116,7 +149,7 @@ code > span.er { color: #ff0000; font-weight: bold; }
     We need to generate a lot of random bytes. It is a good idea to perform
     some other action (type on the keyboard, move the mouse, utilize the
     disks) during the prime generation; this gives the random number
    -generator a better chance to gain enough entropy.
    +generator a better chance to gain enough entropy.

    gpg - entropy interlude

    At this point, you will:

    gpg - key creation confirmation

    -
    gpg: key A9D53A3E marked as ultimately trusted
    +
    gpg: key A9D53A3E marked as ultimately trusted
     public and secret key created and signed.
     
     gpg: checking the trustdb
    @@ -133,69 +166,11 @@ code > span.er { color: #ff0000; font-weight: bold; }
     pub   rsa2048/A9D53A3E 2015-07-31
           Key fingerprint = AF2A 5381 E54B 2FD2 14C4  A9A3 0E35 ACA4 A9D5 3A3E
     uid       [ultimate] Marvin the Paranoid Android <marvin@h2g2.net>[](.html)
    -sub   rsa2048/8C0EACF1 2015-07-31
    +sub rsa2048/8C0EACF1 2015-07-31

    gpg - submit your public key to a PGP server (Optional)

    -
    $ gpg --keyserver pgp.mit.edu --send-keys A9D53A3E
    -gpg: sending key A9D53A3E to hkp server pgp.mit.edu
    +
    $ gpg --keyserver pgp.mit.edu --send-keys A9D53A3E
    +gpg: sending key A9D53A3E to hkp server pgp.mit.edu

    Create and push a GPG-signed tag

    -

    See Git - Maintaining a project - Tagging your [](.html)
    releases
    .

    -

    Prerequisites

    -

    This guide assumes that you have:

    - -

    Bump Shaarli's version

    -
    $ cd /path/to/shaarli
    -
    -# create a new branch
    -$ git fetch upstream
    -$ git checkout upstream/master -b v0.5.0
    -
    -# bump the version number
    -$ vim index.php shaarli_version.php
    -
    -# commit the changes
    -$ git add index.php shaarli_version.php
    -$ git commit -s -m "Bump version to v0.5.0"
    -
    -# push the commit on your GitHub fork
    -$ git push origin v0.5.0
    -

    Create and merge a Pull Request

    -

    This one is pretty straightforward ;-)

    -

    Create and push a signed tag

    -
    # update your local copy
    -$ git checkout master
    -$ git fetch upstream
    -$ git pull upstream master
    -
    -# create a signed tag
    -$ git tag -s -m "Release v0.5.0" v0.5.0
    -
    -# push it to "upstream"
    -$ git push --tags upstream
    -

    Verify a signed tag

    -

    v0.5.0 is the first GPG-signed tag pushed on the Community Shaarli.

    -

    Let's have a look at its signature!

    -
    $ cd /path/to/shaarli
    -$ git fetch upstream
    -
    -# get the SHA1 reference of the tag
    -$ git show-ref tags/v0.5.0
    -f7762cf803f03f5caf4b8078359a63783d0090c1 refs/tags/v0.5.0
    -
    -# verify the tag signature information
    -$ git verify-tag f7762cf803f03f5caf4b8078359a63783d0090c1
    -gpg: Signature made Thu 30 Jul 2015 11:46:34 CEST using RSA key ID 4100DF6F
    -gpg: Good signature from "VirtualTam <virtualtam@flibidi.net>" [ultimate][](.html)
    +

    See Release Shaarli.

    -- cgit v1.2.3