SourceCodeTagsVerification » History » Version 2

Wolfgang Wiedmeyer, 05/10/2017 07:19 PM
verification steps

h1. Verifying the integrity of the source code
3
To ensure that nobody has tampered with the source code copy you received, it is recommended to verify the signed Git tags of all repositories. On the release branch, only signed tags are checked out in the Git repositories and the source code is "frozen" at a certain release version, so every repository is expected to sit exactly on a signed tag.
h2. Needed GPG keys
Tags are signed with different keys and you need to retrieve these GPG keys first.
Repos that come from the "Replicant group":https://git.replicant.us/replicant and the "LineageOS mirror":https://git.replicant.us/LineageOS-mirror are signed with the same [[ReplicantReleaseKey|release key]] that was used for creating the corresponding release images.
Tags in repos that are directly synced from AOSP are signed with the key from the Android Open Source Project:
Key ID: E8AD3F819AB10E78
Fingerprint: @4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78@
The tags in the repo for the F-Droid Privileged Extension are signed with the key of its maintainer Hans-Christoph Steiner:
Key ID: E9E28DEA00AA5556
Fingerprint: @EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556@
As with the Replicant release key, the other keys can be retrieved from a keyserver with the command below. After importing a key, compare the output of @gpg --fingerprint KEY_ID@ with the full fingerprint listed above: a key ID alone does not identify a key reliably, since anyone can upload a key with a chosen ID to a keyserver.
<pre>
gpg --recv-key KEY_ID
</pre>
h2. Verification
First, the tag of the manifest repository needs to be checked:
<pre>
cd .repo/manifests
git verify-tag $(git describe)
cd ../..
</pre>
Then all the other tags can be verified:
<pre>
repo forall -ec ' { echo "Verifying $REPO_PROJECT" && git verify-tag $(git describe) 2>/dev/null; } || { echo "Error: verification failed!" && exit 1; } '
</pre>
If the verification fails for a repo, @Error: verification failed!@ is displayed and the loop stops at that repo. Because the loop discards gpg's messages with @2>/dev/null@, run @git verify-tag $(git describe)@ in the repo where the error happens to see the reason. Two causes are not tampering: the key has not been imported yet (gpg reports that the public key is not available), or HEAD is no longer exactly on the tag, in which case @git describe@ prints a name such as @TAG-3-gabcdef@ that is not a tag at all. Note also that @git verify-tag@ succeeds for any good signature, including one from a key you have not marked as trusted, so the check is only as strong as the fingerprint comparison you did when importing the keys.
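The key retrieval and the two verification steps above, combined into one script, as an added example written for this page rather than taken from the Replicant wiki. It assumes gpg, git and repo are on PATH and that it is started from the root of the synced tree; the key IDs and fingerprints are the ones listed above, and the Replicant release key would be added the same way with the fingerprint from the ReplicantReleaseKey page. What it adds over the plain commands: the fingerprint of each fetched key is compared with the expected one before it is relied on, and a repo whose HEAD has moved off its tag is reported separately from a bad signature.

```shell
#!/bin/sh
# Added example (not from the Replicant wiki): pin the imported keys to the
# fingerprints listed on this page, then verify the manifest tag and every
# repo tag. Assumes gpg, git and repo are on PATH and that the script is run
# from the root of the synced source tree.

# Key IDs and fingerprints as listed on the page.
AOSP_KEY_ID="E8AD3F819AB10E78"
AOSP_FPR="4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78"
FDROID_KEY_ID="E9E28DEA00AA5556"
FDROID_FPR="EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556"

# normalize_fpr FPR: strip spaces and upper-case the hex digits so that the
# grouped notation used on the page and gpg's compact notation compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# fpr_matches EXPECTED ACTUAL: exit 0 only if both denote the same fingerprint
# and ACTUAL is non-empty (an empty gpg listing must never count as a match).
fpr_matches() {
    [ -n "$(normalize_fpr "$2")" ] && \
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# key_fingerprint KEY_ID: print the fingerprint of a key in the local keyring
# from gpg's machine-readable listing (the "fpr" record, field 10).
key_fingerprint() {
    gpg --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# import_pinned_key KEY_ID EXPECTED_FPR: fetch the key by ID, then refuse to go
# on unless its full fingerprint is the one the page lists.
import_pinned_key() {
    gpg --recv-key "$1" >/dev/null 2>&1 || { echo "could not fetch key $1" >&2; return 1; }
    actual=$(key_fingerprint "$1")
    fpr_matches "$2" "$actual" || {
        echo "fingerprint mismatch for $1: got '$actual', expected '$2'" >&2
        return 1
    }
}

# verify_head_tag: require HEAD to sit exactly on a tag (plain git describe
# would otherwise print TAG-N-gHASH, which is not a tag) and check its signature.
verify_head_tag() {
    tag=$(git describe --exact-match --tags 2>/dev/null) \
        || { echo "HEAD is not on a tag in $(pwd)" >&2; return 1; }
    git verify-tag "$tag" 2>/dev/null \
        || { echo "bad or unverifiable signature on $tag in $(pwd)" >&2; return 1; }
}

# verify_all_repos: the manifest first, then every project. repo forall runs
# its command in a child shell, so the check is written inline there instead of
# calling verify_head_tag.
verify_all_repos() {
    ( cd .repo/manifests && verify_head_tag ) || return 1
    repo forall -ec '
        tag=$(git describe --exact-match --tags 2>/dev/null) \
            || { echo "Error: $REPO_PROJECT: HEAD is not on a tag" >&2; exit 1; }
        echo "Verifying $REPO_PROJECT ($tag)"
        git verify-tag "$tag" 2>/dev/null \
            || { echo "Error: verification failed in $REPO_PROJECT" >&2; exit 1; }
    '
}

# Run the whole procedure only when started as:  sh verify-tags.sh run
if [ "${1:-}" = "run" ]; then
    import_pinned_key "$AOSP_KEY_ID" "$AOSP_FPR" \
        && import_pinned_key "$FDROID_KEY_ID" "$FDROID_FPR" \
        && verify_all_repos
fi
```

The script exits non-zero at the first repo that fails, like the page's loop, but its messages distinguish "not on a tag" from "signature did not verify", which is the first thing to check when a failure is reported.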