~aman/static-mozjpeg

c61186f9cf8fb3f6400ead98bacb2641d8e883e8 — Aman Verma 2 months ago d62a632 2020.09.16
Update readme.
1 files changed, 13 insertions(+), 8 deletions(-)

M README.md
M README.md => README.md +13 -8
@@ 8,11 8,12 @@ this. After you build it you can run the container and run

## How to verify the binaries attached in the releases

You can verify the integrity of the attached files with minisign or signify. First,
download my public key file from one of the many places I have uploaded it:
[GitHub][gist], [sr.ht][paste], or [mastodon][toot]. Next, compare the public keys from
at least 2 different places and make sure they are identical. If they aren't, that could
mean one of my accounts has been hacked. Finally, run
You can verify the integrity of the attached files with minisign or signify.
First, download my public key file from one of the many places I have uploaded
it: [GitHub][gist], [sr.ht][paste], [mastodon][toot], or [my website]. Next,
compare the public keys from at least 2 different places and make sure they are
identical. If they aren't, that could mean one of my accounts has been hacked.
Finally, run

    signify -C -p <pubkey> -x SHA256SUMS.sig



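Review bot: The paragraph still says the files can be verified "with minisign or signify", but the only command shown after "Finally, run" is the signify one. Either add the minisign invocation or drop minisign from the first sentence, so a minisign user is not left guessing. The mismatch sentence ("that could mean one of my accounts has been hacked") should also tell the reader what to do next, for example to stop and not trust any of the downloaded keys. The rewrap to a narrower width and the new `[my website]` source are mixed into the same lines, which makes the one content change hard to spot; a separate whitespace-only commit would help.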
@@ 20,19 21,23 @@ where `<pubkey>` is the public key file you downloaded and cross-checked earlier
you downloaded all the attached executables, you should get

    Signature Verified
    cjpeg: OK
    djpeg: OK
    jpegtran: OK
    {filename}: OK

where `{filename}` is the name of the file(s) you are trying to verify.
If you didn't download all the attached executables, signify will complain with the word
"FAIL" after the filename, but it will still try to verify the ones that exist. If you see
"FAIL" after the name of a file that _does_ exist, or if you see "signify: signature
verification failed", that is **bad** and you should delete the files you downloaded
immediately.

Additionally, the binaries were built on builds.sr.ht, so you can see the log
for the build at <https://builds.sr.ht/~aman/job/302552>. The script prints out
the checksums for the binaries at the end so you can check them that way too.

[paste]: https://paste.sr.ht/~aman/392dcc7b5e04f047eb6b80addf4f43787e3ff29c
[toot]: https://mastodon.online/web/statuses/104769781342888143
[gist]: https://gist.github.com/a-vrma/969a05ff013e57ff1abd1625a0de9c5f
[my website]: https://aman.raoverma.com/aman_signify.txt

## Todo
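Review bot: The build log link in the new "Additionally" paragraph is pinned to a single job, `https://builds.sr.ht/~aman/job/302552`, without saying which release it belongs to, so it stops matching the attached binaries as soon as another release is built. Name the release next to the link, or move the per-release job URL into the release notes. Replacing the cjpeg, djpeg and jpegtran lines with `{filename}: OK` also removes the only list of what a complete download contains, while the next paragraph still refers to "all the attached executables". That paragraph keeps the old, wider wrap, unlike the text rewrapped in the first hunk.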