Hashes:
Digital hashes protect against unintentional modification of data in
transit: they let you confirm that the file you received is the same one
the website served. On their own they do NOT protect against an attacker,
because anyone who can replace the binary on the website or in transit
can replace the published hash alongside it.
To verify the integrity of the file, compute the SHA-256 of the binary
you downloaded and compare it with the value in the associated
wahay-xxxxx.sha256sum file. For example, to check the sha256sum of the
wahay-2020-01-22-9319d8d binary:
$ sha256sum wahay-2020-01-22-9319d8d
f75a4b04d05571d5eb7dff267c1efa996b1e24ff9a8d84c4fa1088141dc48cf8 wahay-2020-01-22-9319d8d
The output of the previous command should be compared with the content of the wahay-2020-01-22-9319d8d.sha256sum file.
$ cat wahay-2020-01-22-9319d8d.sha256sum
f75a4b04d05571d5eb7dff267c1efa996b1e24ff9a8d84c4fa1088141dc48cf8 bin/wahay-2020-01-22-9319d8d
If the two digests are identical, the binary has not been modified in transit; otherwise your file has been corrupted and you should download it again. Note that the path recorded in the .sha256sum file is bin/wahay-2020-01-22-9319d8d, so sha256sum -c will report the file as missing unless the binary sits in a bin/ directory relative to where you run it; comparing the two digests by eye, as above, works regardless of where the file is.
Signatures:
Digital signatures ensure that what CAD intended to publish is the
same as what was published. They protect against attacks where the binary
or source code has been modified by an attacker on the website, or
modified in transit from the website to your system. They do NOT protect
against attacks where the source code has been modified in our
repositories, or where the build system has been compromised. Note that
the signature is made over the .sha256sum file, not over the binary
itself, so you still need the hash comparison above to tie the binary you
downloaded to the signed checksum.
1) Download the current signing key for CAD:
$ wget https://wahay.app/cad-testing-public-key.asc
2) Import the public key:
$ gpg --import cad-testing-public-key.asc
gpg: key F3B1159FC97D5490: public key "CAD Signing Key - testing (This is a test key) " imported
gpg: Total number processed: 1
gpg: imported: 1
3) Verify the signature on the checksum file:
$ gpg --verify wahay-2020-01-22-9319d8d.sha256sum.asc wahay-2020-01-22-9319d8d.sha256sum
gpg: Signature made Wed 22 Jan 2020 10:06:02 -05
gpg: using EDDSA key A5DA0791073C1374BB2A98B3A5ABBD2E8E623464
gpg: Good signature from "CAD Signing Key - testing (This is a test key) " [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0124 2FFA B8CE 1EC0 C8F5 4456 A885 4162 D28F 171E
Subkey fingerprint: A5DA 0791 073C 1374 BB2A 98B3 A5AB BD2E 8E62 3464
If you see the line: gpg: Good signature from "CAD Signing Key -
testing (This is a test key) ", the signature is cryptographically valid:
it was made by the key you imported, and the checksum file has not been
altered since it was signed. The warning "This key is not certified with
a trusted signature!" means only that the key is not trusted in your
local GnuPG keyring: gpg can confirm that this key made the signature, but
it cannot tell you that the key really belongs to CAD. Confirm that
yourself by comparing the primary key fingerprint shown (0124 2FFA B8CE
1EC0 C8F5 4456 A885 4162 D28F 171E) with one obtained through a channel
other than the download site; once it matches, you can mark the key as
trusted with gpg --lsign-key or gpg --edit-key so the warning no longer
appears. A "BAD signature" line, or no "Good signature" line at all, means
the checksum file must not be used, whatever the hash comparison says.
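The whole procedure above, the hash check from the Hashes section and the signature check from steps 1-3, combined into one script as an added example. This is not CAD's own tooling. It assumes sha256sum (or shasum) and gpg are installed, that the public key has already been imported as in step 2, and that you know the expected primary key fingerprint from a source other than the download page. The hash check matches checksum entries by basename, so the bin/ prefix in the published .sha256sum file does not matter, and the signature check pins the signer to the expected fingerprint instead of relying on the "Good signature" line alone.

```shell
#!/bin/sh
# Added example, not CAD's own tooling. Assumes: sha256sum (coreutils) or
# shasum, gpg with the CAD key already imported (step 2 above), and an
# expected primary key fingerprint obtained out of band.
#
# Usage: sh verify-wahay.sh <binary> <binary>.sha256sum <primary-fingerprint> [<sigfile>]

# SHA-256 of a file, portable across coreutils and BSD/macOS.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Print the digest recorded for NAME in SUMFILE, matching on the basename so
# that an entry like "bin/wahay-..." still matches a file downloaded to ".".
# Prints nothing if there is no entry.
expected_sha256() {
    sumfile="$1"; name="$2"
    awk -v want="$name" '
        { n = $2; sub(/^\*/, "", n); sub(/^.*\//, "", n)
          if (n == want) print $1 }' "$sumfile"
}

# Compare the downloaded binary against the checksum file.
# Returns 0 on match, 1 on mismatch or if the file has no entry.
check_binary_hash() {
    binary="$1"; sumfile="$2"
    want=$(expected_sha256 "$sumfile" "$(basename "$binary")")
    if [ -z "$want" ]; then
        echo "no entry for $(basename "$binary") in $sumfile" >&2
        return 1
    fi
    got=$(digest_of "$binary")
    if [ "$got" = "$want" ]; then
        echo "OK: $binary matches $sumfile"
        return 0
    fi
    echo "MISMATCH: $binary" >&2
    echo "  expected $want" >&2
    echo "  got      $got" >&2
    return 1
}

# Verify the detached signature over the checksum file, pin the signer to the
# expected primary key fingerprint, then check the binary's hash.
# --status-fd 1 makes gpg print machine-readable lines; the last field of the
# VALIDSIG line is the primary key fingerprint even when a subkey signed.
verify_release() {
    binary="$1"; sumfile="$2"; sigfile="${4:-$sumfile.asc}"
    expected_fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    if ! status=$(gpg --status-fd 1 --verify "$sigfile" "$sumfile"); then
        echo "signature on $sumfile did not verify" >&2
        return 1
    fi
    signer=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF }')
    if [ "$signer" != "$expected_fpr" ]; then
        echo "signed by ${signer:-nobody}, expected $expected_fpr" >&2
        return 1
    fi
    echo "signature OK, primary key $signer"
    check_binary_hash "$binary" "$sumfile"
}

if [ "$#" -ge 3 ]; then
    verify_release "$@"
fi
```

Run it from the directory holding the binary, the .sha256sum file and the .sha256sum.asc signature, passing the fingerprint with or without spaces. The order matters: the signature is checked first so that a tampered checksum file is rejected before it is used to judge the binary, and a signature from any key other than the pinned one fails even though gpg would still print "Good signature" for it.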