h1. Verifying the integrity of the source code

To ensure that nobody has tampered with the source code copy you received, it is recommended to verify the Git tags of all repositories. On the release branch, only signed tags are checked out in the Git repositories and the source code is "frozen" at a certain release version.

h2. Needed GPG keys

Tags are signed with different keys and you need to retrieve these GPG keys first.

Repos that come from the "Replicant group":https://git.replicant.us/replicant and the "LineageOS mirror":https://git.replicant.us/LineageOS-mirror are signed with the same [[ReplicantReleaseKey|release key]] that was used for creating the corresponding release images.

Tags in repos that are directly synced from AOSP are signed with the key from the Android Open Source Project:
Key ID: @E8AD3F819AB10E78@
Fingerprint: @4340 D135 70EF 945E 8381 0964 E8AD 3F81 9AB1 0E78@

The tags in the repo for the F-Droid Privileged Extension are signed with the key of its maintainer Hans-Christoph Steiner:
Key ID: @E9E28DEA00AA5556@
Fingerprint: @EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556@

As with the Replicant release key, the other keys can be retrieved with:

<pre>
gpg --recv-key KEY_ID
</pre>

h2. Verification

First, the tag in the manifest needs to be checked:

<pre>
cd .repo/manifests
git verify-tag $(git describe)
cd ../..
</pre>

Then all the other tags can be verified:

<pre>
repo forall -ec ' { echo "Verifying $REPO_PROJECT" && git verify-tag $(git describe) 2>/dev/null; } || { echo "Error: verification failed!" && exit 1; } '
</pre>
If the verification fails for a repo, @Error: verification failed!@ is displayed. To investigate further, run @git verify-tag $(git describe)@ (without the @2>/dev/null@) in the repo where the error occurred; its output shows which key the tag was signed with and why the check failed.
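A stricter per-repository check, added here as an example and not part of the original page or the Replicant tooling: it requires HEAD to sit exactly on an annotated tag and, after @git verify-tag@ succeeds, pins the primary fingerprint of the signing key to the fingerprints listed above, because @git verify-tag@ alone accepts any key present in your keyring. The Replicant release key entry is a placeholder to be filled in from the [[ReplicantReleaseKey]] page, and the VALIDSIG field layout (primary-key fingerprint as the last field) is taken from GnuPG's status-line documentation.

```sh
#!/bin/sh
# Added example, not part of the original page: verify the tag checked out in one
# repository and pin the signing key to an allowlist of primary-key fingerprints.
# The AOSP and F-Droid fingerprints are the ones listed on this page; the Replicant
# release key line is a PLACEHOLDER to be replaced with the real fingerprint.
ALLOWED_FPRS="4340D13570EF945E83810964E8AD3F819AB10E78
EE6620C7136B0D2C456C0A4DE9E28DEA00AA5556
REPLICANT_RELEASE_KEY_FINGERPRINT_PLACEHOLDER"

# Pull the primary-key fingerprint out of gpg status lines (what `git verify-tag --raw`
# emits). Only VALIDSIG is trusted: gpg prints it solely for a signature that verified.
# Layout: [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <cls> <primary-fpr>
# Returns 1 when no VALIDSIG line is present.
validsig_fingerprint() {
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1 }
                              END { exit (found ? 0 : 1) }'
}

# Succeeds only if the fingerprint is on the allowlist (exact, whole-line match).
fpr_allowed() {
    printf '%s\n' "$ALLOWED_FPRS" | grep -qx "$1"
}

# Run inside a checked-out repository. Fails if HEAD is not exactly on an annotated
# tag (a "tag-N-gSHA" describe output means extra commits on top of the release tag),
# if the signature does not verify, or if it was made by a key outside the allowlist.
verify_repo_tag() {
    tag=$(git describe --exact-match 2>/dev/null) || { echo "HEAD is not exactly at a tag"; return 1; }
    status=$(git verify-tag --raw "$tag" 2>&1) || { echo "signature check failed for $tag"; return 1; }
    fpr=$(validsig_fingerprint "$status") || { echo "no valid signature reported for $tag"; return 1; }
    fpr_allowed "$fpr" || { echo "$tag is signed by unexpected key $fpr"; return 1; }
    echo "OK: $tag signed by $fpr"
}

# Invoke as `sh verify-tag.sh run` inside a repo, e.g. `repo forall -ec 'sh /path/to/verify-tag.sh run'`.
case "${1:-}" in run) verify_repo_tag ;; esac
```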