{{Header}}'''This chapter is recommended for better security, but is not strictly required.''' (See [[Trust]].)
{{always_verify_signatures_reminder}}
Change directly into source code folder.
{{CodeSelect|code=
cd derivative-maker
}}
Git fetch. [
Optional. [...]
]
{{CodeSelect|code=
git fetch
}}
Verify the chosen tag to build. Replace with tag you want to build.
{{CodeSelect|code=
git verify-tag {{VersionNew}}-stable
}}
The output should look similar to this.
object 1844108109a5f2f8bddcf2257b9f3675be5cfb22
type commit
tag {{VersionNew}}
tagger Patrick Schleizer
1392320095 +0000
.
gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer " [ultimate]
{{gpg_signature_timestamp}}
The warning.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Is explained on the [[Signing_Key|{{project_name_short}} Signing Key]] page and can be safely ignored.
By convention, git tags should point to signed git commits. [
Beginning from git tag 9.6 and above.
] ([https://forums.whonix.org/t/security-git-general-verification-verifying-whonix-submodules/513 forum discussion]) It is advisable to verify the signature of the git commit as well (replace {{VersionNew}}
with the actual git tag being verified).
{{CodeSelect|code=
git verify-commit {{VersionNew}}-stable^{commit}
}}
The output should look similar to this.
commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a
gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48
gpg: Good signature from "Patrick Schleizer
" [ultimate]
Author: Patrick Schleizer
Date: Sun Dec 7 01:22:22 2014 +0000
.
{{Footer}}
[[Category:MultiWiki]]