Skip to content
This repository has been archived by the owner on Jan 15, 2024. It is now read-only.

Verifying Releases

kleijnweb edited this page Sep 14, 2015 · 1 revision

Verifying Composer Downloads

When you install a package using composer it will by default use the zip distribution created by GitHub. Check the release page for the md5 hash for the release and verify it matches:

md5sum $HOME/.composer/cache/files/kleijnweb/swagger-bundle/*.zip | cut -d ' ' -f 1

Verifying Git Tags

Release tags are signed. To validate your download use git tag -v v$SWAGGER_BUNDLE_VERSION after cloning.

Assuming you do not have my GPG key installed, git will complain:

gpg: Can't check signature: public key not found.

Save the following public key to a file:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQENBFX2dgQBCACv+f6QGsD5vq34DCc14gd3vTUbloIcQG8gMfnywry+R63/Iz/B
THbNAViNoVkvpqDh/YSMkpzKpeGJOJH+nO/H2gKtp1JFDj8zLKQQAmf4tzUMMOuy
YMXYciD9ofmicYC9V5rjHH9TeAQZlxD42FeYKzA8tpusH7BHEhLQW3emnc7C0yF/
KUy9i24wcKU0HBWQJKItTtm0V/kYB+lcfx0O3dJYe5aB2o85tM4A8y7SMLxkTOE8
uISe9S9nXuMrtC0qEuHJVXuxVHrSBk++mu8BD2Xu3GcJeMMJedlOOHAJhD7kuQz1
4xa+/CBEQbzyEubMBjXfTfcYIBjCPuW5XbdzABEBAAG0H0pvaG4gS2xlaWpuIDxq
b2huQGtsZWlqbndlYi5ubD6JATgEEwECACIFAlX2dgQCGwMGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheAAAoJEP7GHTGh2H1z0U0IAKe0ejPda4KY004iftN5/rQRMsCa
r0CJbRnexTabLWgQM0i+XXvV4gd0JyVyj6KbCmbTpu8kLWwOB7cyYkNwogd/1/+1
+xopUBsYOtqIc/cDPeeEzOySbAaRXxe+XE2rAPHV68mr9IU0jSxdRFQD8rRNZ/3l
22lDj7LfepCM1E4IPoz2IBuPedoEvu0iVi1Z4l9IqvSvbSsn8WkYw6gOkZOFqc3d
ZWlJVtZQeIdlCmm8JRr/HeJ+Rz5wflOVcy6yhk0V4hjjptAkhk4R6BG0psUrPna7
D4AKk+wVEuNImcNh/kJmNKwtOQ2oWHN4pkt7jckhM/51MacKX7YjA7yQ3Oi5AQ0E
VfZ2BAEIAK6d8DDbXpvnmnnpm8EFkyRsdhg4jLAdioihUlmYprPyVP/5Ugf+qV4M
b/lXgQc/5rK6Rfjnzz2fZp6QrLN7wGqn/qrSB4HD3fdJkUyvGXyYgo7p/4SJiKN2
wJgd4JzwkXhGI1tZWQL/dVSnrMBcj5EnTT8UAjB1wObU+45rGXDMjXldka0XCufF
ZfTvRw4gjvKjYpMbIJrRiQ+GHejqiIdTkWnKc/Eb92tdKK3vDeJrEHZHt2x41csn
ft6cqOEK0sJ3Wa7bbA5vXpwcafmlfrOfmY3PDgDh97h+BRJbM2XUNDTige0rPIQB
WeLgTR0IxkBbpJT3ynr33fYCoxcR+NsAEQEAAYkBHwQYAQIACQUCVfZ2BAIbDAAK
CRD+xh0xodh9c47OB/43pmbHwMnwFvn+xEbZKZ3/BP8nat8Rku4LcTHSagSJ80ME
UdZ2VGmEXrEozFEFlU9KYBjk7H743EBOhpJ9tsftG8FwFgOt1bKUYe2HR5ogjmb7
aHzknE7gngwiyVf5NRL0s97qwHn3a3+g6tTE0J8p39PItbVpM9HKAfbWO5ExEdWF
nnp1FXgtAxPGk+ulatbZrupfC/oS00CLGEWT3ptqMXB/w2STywi95NInAYYYMZMt
A2uROwuN18QUhXTG582ro3mmxwugqHk9reRguRGYAgQQUbPoKw2r5ARXh8xJJmbO
UzIIEnzBw3zfZ5ahvOGR0AihCTTMLHngZ9+7QFgY
=gMXt
-----END PGP PUBLIC KEY BLOCK-----

Use gpg --import to import the key and retry git tag -v.

Clone this wiki locally