diff --git a/releng/models.py b/releng/models.py
index 8593180a..d018753f 100644
--- a/releng/models.py
+++ b/releng/models.py
@@ -49,6 +49,9 @@ def iso_url(self):
 def tarball_url(self):
 return "iso/%s/archlinux-bootstrap-%s-x86_64.tar.gz" % (self.version, self.version)
 
+ def dir_url(self):
+ return "iso/%s" % (self.version)
+
 def magnet_uri(self):
 query = [
 ('dn', "archlinux-%s-x86_64.iso" % self.version),
diff --git a/templates/public/download.html b/templates/public/download.html
index d1dc3942..02b06531 100644
--- a/templates/public/download.html
+++ b/templates/public/download.html
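Review bot: The parentheses in `"iso/%s" % (self.version)` on the new `dir_url` do not form a tuple, so the line reads like a one-element tuple but passes a bare operand; `return "iso/%s" % self.version` would match the `% self.version` form used in `magnet_uri` just below. A one-line docstring would also help, for example `"""Return the release directory path relative to the site root, without a leading or trailing slash."""`, because the template in this commit builds `https://archlinux.org/{{ release.dir_url }}/sha256sums.txt` from it. The enclosing class starts and ends outside the hunk.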
@@ -95,35 +95,49 @@ <h3>HTTP Direct Downloads</h3> <p>In addition to the BitTorrent links above, install images can also be downloaded via HTTP from the mirror sites listed below. Please - ensure the download image matches the checksum from the sha256sums.txt or - b2sums.txt file in the same directory as the image.</p> + ensure the download image matches the checksum from the <code>sha256sums.txt</code> or <code>b2sums.txt</code> file linked below.</p> - <p><code>b2sum -c b2sums.txt</code></p> + <h4 id="checksums">Checksums and signatures</h4> + <p>File integrity checksums and PGP signatures for the latest releases can be found below:</p> - <p>The release signing key can be downloaded with WKD:</p> - - <p><code>sq network wkd fetch {{ release.wkd_email }} -o release-key.pgp</code></p> + <ul> + <li>ISO + <ul> + <li><a href="https://archlinux.org/{{ release.iso_url }}.sig" + title="ISO PGP signature">PGP signature</a></li> + {% if release.pgp_key %}<li><strong>PGP fingerprint:</strong> {% pgp_key_link release.pgp_key %}</li>{% endif %} + {% if release.sha256_sum %}<li><strong>SHA256:</strong> {{ release.sha256_sum }}</li>{% endif %} + {% if release.b2_sum %}<li><strong>BLAKE2b:</strong> {{ release.b2_sum }}</li>{% endif %} + {% if release.sha1_sum %}<li><strong>SHA1:</strong> {{ release.sha1_sum }}</li>{% endif %} + {% if release.md5_sum %}<li><strong>MD5:</strong> {{ release.md5_sum }}</li>{% endif %} + </ul> + </li> + <li>Bootstrap tarball + <ul> + <li><a href="https://archlinux.org/{{ release.tarball_url }}.sig" + title="Bootstrap tarball PGP signature">PGP signature</a></li> + </ul> + {% if release.sha256_sum %}<li><a href="https://archlinux.org/{{ release.dir_url }}/sha256sums.txt">sha256sums.txt</a></li>{% endif %} + {% if release.b2_sum %}<li><a href="https://archlinux.org/{{ release.dir_url }}/b2sums.txt">b2sums.txt</a></li>{% endif %} + {% if release.sha1_sum %}<li><a href="https://archlinux.org/{{ release.dir_url }}/sha1sums.txt">sha1sums.txt</a></li>{% 
endif %} + {% if release.md5_sum %}<li><a href="https://archlinux.org/{{ release.dir_url }}/md5sums.txt">md5sums.txt</a></li>{% endif %} + </li> + </ul> - <p>With this key the signature can be verified like this:</p> + <h5>Download verification</h4> - <p><code>sq verify --signer-file release-key.pgp --detached archlinux-{{ release.version }}-x86_64.iso.sig archlinux-{{ release.version }}-x86_64.iso</code></p> + <p>Verify the BLAKE2b checksums as follows: <pre><code>$ b2sum -c b2sums.txt</code></pre></p> - <h4 id="checksums">Checksums</h4> + <p>To verify the PGP signature using Sequoia, first download the release signing key from WKD:<br/> + <pre><code>$ sq network wkd fetch {{ release.wkd_email }} -o release-key.pgp</code></pre> - <p>File integrity checksums for the latest releases can be found below:</p> + With this signing key, verify the signature: + <pre><code>$ sq verify --signer-file release-key.pgp --detached archlinux-{{ release.version }}-x86_64.iso.sig archlinux-{{ release.version }}-x86_64.iso</code></pre></p> - <ul> - <li><a href="https://archlinux.org/{{ release.iso_url }}.sig" - title="ISO PGP signature">ISO PGP signature</a></li> - <li><a href="https://archlinux.org/{{ release.tarball_url }}.sig" - title="Bootstrap tarball PGP signature">Bootstrap tarball PGP signature</a></li> - {% if release.pgp_key %}<li><strong>PGP fingerprint:</strong> {% pgp_key_link release.pgp_key %}</li>{% endif %} - {% if release.wkd_email %}<li><strong>WKD Lookup: </strong><code>gpg --auto-key-locate clear,wkd -v --locate-external-key {{ release.wkd_email }}</code></li>{% endif %} - {% if release.sha256_sum %}<li><strong>SHA256:</strong> {{ release.sha256_sum }}</li>{% endif %} - {% if release.b2_sum %}<li><strong>BLAKE2b:</strong> {{ release.b2_sum }}</li>{% endif %} - {% if release.sha1_sum %}<li><strong>SHA1:</strong> {{ release.sha1_sum }}</li>{% endif %} - {% if release.md5_sum %}<li><strong>MD5:</strong> {{ release.md5_sum }}</li>{% endif %} - </ul> + 
<p>Alternatively, using GnuPG, download the signing key from WKD: + <pre><code>$ gpg --auto-key-locate clear,wkd -v --locate-external-key {{ release.wkd_email }}</code></pre> + Verify the signature: + <pre><code>$ gpg --keyserver-options auto-key-retrieve --verify archlinux-{{ release.version }}-x86_64.iso.sig archlinux-{{ release.version }}-x86_64.iso</code></pre></p> {% cache 600 download-mirrors %} <div id="download-mirrors">
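Review bot: The GnuPG verify command added at the end of the hunk passes `--keyserver-options auto-key-retrieve`, which lets gpg fetch whichever key the signature names, so the check no longer depends on the key obtained over WKD in the step before it. Since `--locate-external-key` has already imported the release key, the option can be dropped: `$ gpg --verify archlinux-{{ release.version }}-x86_64.iso.sig archlinux-{{ release.version }}-x86_64.iso`. Unlike the `sq verify --signer-file release-key.pgp` variant, gpg reports a good signature for any key in the keyring, so the text should also tell readers to compare the fingerprint gpg prints with the PGP fingerprint listed above. Separately, `<h5>Download verification</h4>` closes with the wrong tag.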