Hashes:

Digital hashes protect against unintentional modification of data in transit: they let you check that the file you received is byte-for-byte the one the website served. On their own they do not protect against an attacker, because anyone able to replace the binary on the website or in transit can replace the published hash as well. For that you need the signatures described below.
To verify the integrity of the file, compute the SHA-256 of the binary you downloaded and compare it with the corresponding wahay-xxxxx.sha256sum file. For example, to check the sha256sum of the wahay-2020-01-22-9319d8d binary:

$ sha256sum wahay-2020-01-22-9319d8d
f75a4b04d05571d5eb7dff267c1efa996b1e24ff9a8d84c4fa1088141dc48cf8 wahay-2020-01-22-9319d8d

Compare the output of the previous command with the content of the wahay-2020-01-22-9319d8d.sha256sum file:

$ cat wahay-2020-01-22-9319d8d.sha256sum
f75a4b04d05571d5eb7dff267c1efa996b1e24ff9a8d84c4fa1088141dc48cf8 bin/wahay-2020-01-22-9319d8d

If the two hash values are the same, the binary has not been modified in transit; otherwise you have a corrupted file and should not run it. Compare the hash values only: the .sha256sum file records the path bin/wahay-2020-01-22-9319d8d, so running sha256sum -c wahay-2020-01-22-9319d8d.sha256sum would only find the binary if you placed it under a bin/ directory.

Signatures:

Digital signatures ensure that what CAD intended to publish is the same as what was published. They protect against attacks where the binary or source code has been modified by an attacker on the website, or modified in transit from the website to your system. They do NOT protect against attacks where the source code has been modified in our repositories, or where the build system has been compromised. Note that the signature is made over the .sha256sum file, not over the binary itself, so verification has two steps: check the signature on the checksum file, then check the binary against the checksum as described above.

1) Download the CAD signing key (a testing key at the moment):

$ wget https://staging.wahay.app/cad-testing-public-key.asc

2) Import the public key:

$ gpg --import cad-testing-public-key.asc
gpg: key A8854162D28F171E: public key "CAD Signing Key - testing (This is just a test key) " imported
gpg: Total number processed: 1
gpg: imported: 1


3) Verify the signature on the checksum file:

$ gpg --verify wahay-2020-01-22-9319d8d.sha256sum.asc wahay-2020-01-22-9319d8d.sha256sum
gpg: Signature made Wed 22 Jan 2020 10:06:02 -05
gpg: using EDDSA key A5DA0791073C1374BB2A98B3A5ABBD2E8E623464
gpg: Good signature from "CAD Signing Key - testing (This is just a test key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0124 2FFA B8CE 1EC0 C8F5 4456 A885 4162 D28F 171E
Subkey fingerprint: A5DA 0791 073C 1374 BB2A 98B3 A5AB BD2E 8E62 3464


If you see the message "gpg: Good signature from "CAD Signing Key - testing (This is just a test key) "", the signature is valid: the checksum file was signed by the key you imported. You will also get the warning "This key is not certified with a trusted signature!". That is because you have not told GnuPG to trust the key. A good signature only proves that the file was signed by whoever holds that key, so also check that the primary key fingerprint printed (0124 2FFA B8CE 1EC0 C8F5 4456 A885 4162 D28F 171E) ends with the key ID shown when you imported the key (A8854162D28F171E), and treat a "BAD signature" result as a reason not to use the files. For now, do not trust this key; when the final CAD signing key is available we will explain how to trust it.
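The following script ties the two procedures above (hash check and signature check) together in the order a practitioner would run them: signature on the checksum file first, then the binary against the checksum. It is an added example and not CAD's own tooling. It assumes the binary, its .sha256sum and .sha256sum.asc sit in the current directory and that the CAD key has already been imported with gpg --import; EXPECTED_FPR is the primary fingerprint of the testing key printed on this page, and the self-test data ("abc" as a stand-in binary) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not CAD's own tooling): check a Wahay download the way the
# two sections above describe, signature first, then hash.
# Assumptions: the binary, its .sha256sum and .sha256sum.asc are in the
# current directory and the CAD key has already been imported with
# `gpg --import`. EXPECTED_FPR is the primary fingerprint printed on this page
# for the *testing* key; replace it when the final CAD signing key is published.

EXPECTED_FPR="01242FFAB8CE1EC0C8F54456A8854162D28F171E"

# SHA-256 of a file, falling back to shasum on systems without coreutils.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Pull the 64-hex-digit digest out of a .sha256sum file, ignoring the path it
# records. The published file lists bin/<binary>, so `sha256sum -c` would look
# for the file under bin/; comparing the digest directly avoids that.
expected_sha256() {
    awk 'length($1) == 64 && $1 ~ /^[0-9a-fA-F]+$/ { print tolower($1); exit }' "$1"
}

# Succeed only when the digest of the binary $1 equals the one recorded in $2.
check_hash() {
    actual=$(sha256_of "$1")
    expected=$(expected_sha256 "$2")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Verify the detached signature $1 over $2. gpg's human-readable "Good
# signature" only says that *some* key in your keyring signed the file, so
# read the machine-readable status and insist that the VALIDSIG line ends with
# the expected primary key fingerprint.
check_signature() {
    status=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .* $EXPECTED_FPR\$"
}

# Full check for one release named wahay-<date>-<commit>, as in the page's example.
verify_release() {
    bin="$1"
    sums="$bin.sha256sum"
    if ! check_signature "$sums.asc" "$sums"; then
        echo "FAIL: bad or untrusted signature on $sums" >&2
        return 1
    fi
    if ! check_hash "$bin" "$sums"; then
        echo "FAIL: SHA-256 of $bin does not match $sums" >&2
        return 1
    fi
    echo "OK: $bin is signed by $EXPECTED_FPR and its hash matches"
}

# Offline self-test on constructed data (no network, no gpg needed): a fake
# "binary" containing "abc", whose SHA-256 is the well-known value below, and a
# checksum file written in the same bin/<name> layout CAD publishes.
self_test() {
    dir=$(mktemp -d) || return 1
    printf 'abc' > "$dir/wahay-test"
    printf '%s bin/wahay-test\n' \
        ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
        > "$dir/wahay-test.sha256sum"
    check_hash "$dir/wahay-test" "$dir/wahay-test.sha256sum" || return 1
    printf 'abd' > "$dir/wahay-test"               # one byte changed
    if check_hash "$dir/wahay-test" "$dir/wahay-test.sha256sum"; then
        return 1                                   # must be detected
    fi
    rm -rf "$dir"
}

if [ $# -gt 0 ]; then
    verify_release "$1"
else
    self_test && echo "self-test passed"
fi
```

Run it as ./verify.sh wahay-2020-01-22-9319d8d to check a real download, or with no arguments to run the offline self-test. The signature check reads gpg's --status-fd output rather than the "Good signature" text because the text is printed for any key in your keyring, while the VALIDSIG line carries the primary key fingerprint you can pin.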