Verifying RowKeyDB releases.
A program downloaded from the internet carries no proof of where it came from. Someone who fetches a RowKeyDB release has, on the face of it, no way to know that the file is the one we built, rather than something altered along the way or rehosted by a stranger. A cryptographic signature settles the question: it lets you confirm, in a single command, that the file is exactly the one we signed.
A signature is worth only as much as your confidence that the public key is genuinely ours. That confidence rests on one value — the fingerprint below — appearing unchanged in several independent places. No single place proves much by itself; that the same forty characters appear here, on the maintainer’s GitHub account, on the public keyserver, and on his LinkedIn profile is what makes impersonation hard. Check that they agree before you trust a download.
RowKeyDB releases are signed by:
Brian Gitonga Marete (RowKeyDB Release Signing) <[email protected]>
Its fingerprint is:
A56D 0CCF 7F9E 66BD F5E9 7CAF 54BD 1DFD F41B D841
The certifying half of the key is kept offline. The half that signs releases is held on a hardware token and never leaves it, and each signature requires a physical touch. You can obtain the public key from any of the following, and they are the same key:
gpg --locate-keys [email protected] (served from this domain through the Web Key Directory)
gpg --keyserver keys.openpgp.org --recv-keys A56D0CCF7F9E66BDF5E97CAF54BD1DFDF41BD841
https://github.com/marete.gpg

Each release carries a SHA256SUMS manifest and a detached signature, SHA256SUMS.asc. Three commands check a download:
# 1. fetch the signing key (any source above; here, by address)
gpg --locate-keys [email protected]
# 2. confirm the fingerprint matches the one printed on this page
gpg --fingerprint [email protected]
# 3. verify the manifest's signature, then the files against the manifest
gpg --verify SHA256SUMS.asc SHA256SUMS
sha256sum -c SHA256SUMS
If the signature verifies and the checksums match, the files are precisely the ones we released. If either step fails, do not trust the download.
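As an added example (not part of RowKeyDB's own tooling), the script below runs step 3 with the signature pinned to the fingerprint above: gpg --verify exits 0 for a good signature from any key in your keyring, so its exit status alone does not show that the release key signed the manifest. The script therefore reads GnuPG's machine-readable status lines and accepts only a VALIDSIG whose primary-key fingerprint is the one printed on this page; the script name and the use of GNU coreutils sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (not RowKeyDB's own tooling): verify a release and pin the
# signature to the fingerprint printed on this page. `gpg --verify` exits 0 for
# a good signature from ANY key in your keyring, so its exit status alone does
# not prove the release key signed the manifest. GnuPG's machine-readable
# status lines (--status-fd) name the key; we require that it is the pinned one.

# The page's fingerprint with the display spaces removed.
EXPECTED_FPR="A56D0CCF7F9E66BDF5E97CAF54BD1DFDF41BD841"

# check_status: read GnuPG status lines on stdin. Succeed only if a VALIDSIG
# line names the pinned key and no failure status appears.
check_status() {
    status="$(cat)"
    # BADSIG, ERRSIG (unverifiable), NO_PUBKEY, expired or revoked key: fail.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)'; then
        return 1
    fi
    # VALIDSIG <signing-key fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash>
    #          <class> <primary-key fpr>. Releases are signed by a subkey on a
    # hardware token, so the page's fingerprint is the primary key: last field.
    printf '%s\n' "$status" | awk -v want="$EXPECTED_FPR" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF == want || $3 == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# verify_release: the page's step 3, run in the directory holding the download.
# Assumes GNU coreutils sha256sum; --ignore-missing skips manifest entries for
# files you did not download instead of reporting them as failures.
verify_release() {
    gpg --status-fd 1 --verify SHA256SUMS.asc SHA256SUMS 2>/dev/null | check_status || {
        echo "SHA256SUMS is not signed by the RowKeyDB release key" >&2
        return 1
    }
    sha256sum -c --ignore-missing SHA256SUMS
}

# Usage: sh verify-release.sh run   (in the directory with SHA256SUMS and .asc)
if [ "${1:-}" = "run" ]; then
    verify_release
fi
```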