VerifyingReleases - coq/coq GitHub Wiki
This page describes briefly how Coq users can verify that a Coq release tarball was signed by Coq a release manager. We will use Coq 8.11.2 and its tarball https://github.com/coq/coq/archive/V8.11.2.tar.gz as an example.
Obtaining the checksum of the tarball
wget https://github.com/coq/coq/archive/V8.11.2.tar.gz
sha512sum V8.11.2.tar.gz
This yields a checksum of f8ab307b8e39ffda5f6984e187c1f8de1cb6dec5c322726dbbe535ee611683cfeeb9cee3e11ad83f5e44e843fc51e7e2d50b4ea69ab42fde38aaf3d0cf2dea3c
Obtaining the release commit and signature
git clone https://github.com/coq/coq.git
cd coq
git show-ref -s V8.11.2
This yields a commit SHA of 1539a9a0d894ea9e24e3d0e163006d6477646ec6
.
Verifying the signature of the commit
git verify-commit 1539a9a0d894ea9e24e3d0e163006d6477646ec6
This gives output along the following lines:
gpg: Signature made Thu 14 May 2020 03:29:39 PM CDT using RSA key ID D9BA3C7B
Here, one has to verify that the RSA key ID D9BA3C7B
belongs to the release manager, which is beyond the scope of this discussion.
Generating the tarball from the verified tag
git archive --format=tar.gz --prefix=coq-8.11.2/ -o /tmp/V8.11.2.tar.gz V8.11.2
sha512sum /tmp/V8.11.2.tar.gz
This gives the expected output f8ab307b8e39ffda5f6984e187c1f8de1cb6dec5c322726dbbe535ee611683cfeeb9cee3e11ad83f5e44e843fc51e7e2d50b4ea69ab42fde38aaf3d0cf2dea3c
Conclusion
Since the checksums match, the tarball at https://github.com/coq/coq/archive/V8.11.2.tar.gz has been signed by the release manager (under usual cryptographic assumptions).