The authenticity of the source code must be verified by checking the signature of the release tags in the official Git repository. The authenticity of the binary dependencies is verified by Gradle after following the steps below to install the necessary plugins.
For Linux based OS (Ubuntu for example) it’s recommended to install
gnupg-curl in order to download the key through HTTPS.
We recommend using GPG v1 to download the public key because GPG v2 has problems with connecting to HTTPS key servers. You can also download the key using curl, wget or a web browser but always check the fingerprint before importing it.
$ gpg --keyserver https://secchannel.rsk.co/release.asc --recv-keys 5DECF4415E3B8FA4 gpg: requesting key 5E3B8FA4 from https server secchannel.rsk.co gpg: key 5E3B8FA4: public key "RSK Release Signing Key <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1)
$ gpg --finger 5DECF4415E3B8FA4 pub 4096R/5E3B8FA4 2017-05-16 [expires: 2022-05-15] Key fingerprint = 1A92 D894 2171 AFA9 51A8 5736 5DEC F441 5E3B 8FA4 uid RSK Release Signing Key <email@example.com> sub 4096R/A44DCC86 2017-05-16 [expires: 2022-05-15] sub 4096R/5E488E87 2017-05-16 [expires: 2022-05-15] sub 4096R/9FC3E7C2 2017-05-16 [expires: 2022-05-15]
SHA256SUMS.asc is signed with RSK public key and includes SHA256 hashes of the files necessary to start the build process.
$ gpg --verify SHA256SUMS.asc gpg: Signature made mar 16 may 2017 16:47:56 ART gpg: using RSA key 0x67D06695A44DCC86 gpg: Good signature from "RSK Release Signing Key <firstname.lastname@example.org>" [ultimate] Primary key fingerprint: 1A92 D894 2171 AFA9 51A8 5736 5DEC F441 5E3B 8FA4 Subkey fingerprint: D135 DDC0 B54D 6EF3 5901 52DF 67D0 6695 A44D CC86
Note: You can read this page to fnd out more about key management.
The authenticity of the script
configure.sh is checked using the
sha256sum command and the signed
SHA256SUM.asc file. The script is used to download and check the authenticity of the Gradle Wrapper and Gradle Witness plugins. After these plugins are installed, the authenticity of the rest of the binary dependencies is checked by Gradle.
Linux - Windows (bash console)
$ sha256sum --check SHA256SUMS.asc configure.sh: OK sha256sum: WARNING: 19 lines are improperly formatted
$ shasum --check SHA256SUMS.asc configure.sh: OK sha256sum: WARNING: 19 lines are improperly formatted
Note: If you are collaborating on this project with Git, it might produce unexpected results because of the way it is configured to handle line endings. Check out this article on how to solve the problem.