Project

General

Profile

SourceCodeTagsVerification » History » Version 1

Wolfgang Wiedmeyer, 05/10/2017 07:09 PM
init with needed keys

1 1 Wolfgang Wiedmeyer
h1. Verifying the integrity of the source code
2
3
To ensure that nobody has tampered with the source code copy you received, it is recommended to verify the Git tags of all repositories. On the release branch, only signed tags are checked out in the Git repositories and the source code is "frozen" at a certain release version.
4
5
Tags are signed with different keys and you need to retrieve these GPG keys first. Repos that come from the "Replicant group":https://git.replicant.us/replicant and the "LineageOS mirror":https://git.replicant.us/LineageOS-mirror are signed with the same [[ReplicantReleaseKey|release key]] that was used for creating the corresponding release images.
6
7
Tags in repos that are directly synced from AOSP are signed with the key from the Android Open Source Project:
8
Key ID: E8AD3F819AB10E78
9
Fingerprint: @4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78@
10
11
The tags in the repo for the F-Droid Privileged Extension is signed with the key of its maintainer Hans-Christoph Steiner:
12
Key ID: E9E28DEA00AA5556
13
Fingerprint: @EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556@