krb5 commit: Better document how to verify PGP signature

Tom Yu tlyu at mit.edu
Tue Oct 14 17:06:28 EDT 2014


https://github.com/krb5/krb5/commit/fa4138c7853487105ab3c54e6d176c45eaf8b065
commit fa4138c7853487105ab3c54e6d176c45eaf8b065
Author: Tom Yu <tlyu at mit.edu>
Date:   Tue Oct 14 14:31:09 2014 -0400

    Better document how to verify PGP signature
    
    Add text clarifying our unusual packaging of the PGP signature inside
    a tar file.
    
    ticket: 7927
    target_version: 1.13
    tags: pullup

 doc/build/index.rst |   24 ++++++++++++++----------
 1 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/doc/build/index.rst b/doc/build/index.rst
index d89bcba..3416817 100644
--- a/doc/build/index.rst
+++ b/doc/build/index.rst
@@ -30,16 +30,20 @@ Obtaining the software
 
 The source code can be obtained from MIT Kerberos Distribution page,
 at http://web.mit.edu/kerberos/dist/index.html.
-The MIT Kerberos distribution comes in an archive file, generally named
-krb5-VERSION.tar, where *VERSION* is a placeholder for the major and minor
-versions of MIT Kerberos.  (For example, MIT Kerberos 1.9
-has major version "1" and minor version "9".)
-
-The krb5-VERSION.tar contains a compressed tar file consisting of the
-sources for all of Kerberos (generally krb5-VERSION.tar.gz) and
-a PGP signature file for this source tree (generally
-krb5-VERSION.tar.gz.asc).  MIT highly recommends that you verify
-the integrity of the source code using this signature.
+The MIT Kerberos distribution comes in an archive file, generally
+named krb5-VERSION-signed.tar, where *VERSION* is a placeholder for
+the major and minor versions of MIT Kerberos.  (For example, MIT
+Kerberos 1.9 has major version "1" and minor version "9".)
+
+The krb5-VERSION-signed.tar contains a compressed tar file consisting
+of the sources for all of Kerberos (generally named
+krb5-VERSION.tar.gz) and a PGP signature file for this source tree
+(generally named krb5-VERSION.tar.gz.asc).  MIT highly recommends that
+you verify the integrity of the source code using this signature,
+e.g., by running::
+
+    tar xf krb5-VERSION-signed.tar
+    gpg --verify krb5-VERSION.tar.gz.asc
 
 Unpack krb5-VERSION.tar.gz in some directory. In this section we will assume
 that you have chosen the top directory of the distribution the directory


More information about the cvs-krb5 mailing list