From ab05d70e712dde52287d500e04afca2e8f995035 Mon Sep 17 00:00:00 2001 From: Matt Birkholz Date: Thu, 27 Apr 2017 13:28:45 -0700 Subject: [PATCH] user.texinfo: Add instructions for verifying downloads. --- doc/user-manual/user.texinfo | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/doc/user-manual/user.texinfo b/doc/user-manual/user.texinfo index 43c1c0b62..eef1a0071 100644 --- a/doc/user-manual/user.texinfo +++ b/doc/user-manual/user.texinfo @@ -3888,12 +3888,12 @@ should be apparent to the casual user. If your code does not hack Edwin and you previously said @example - $ mit-scheme --load my-code +mit-scheme --load my-code @end example @noindent you should be able to say @example - $ mit-scheme-pucked --load my-code +mit-scheme-pucked --load my-code @end example @noindent and be no worse off. @@ -4023,12 +4023,13 @@ sudo apt-key add ~/Downloads/mhb-key.gpg Next add the repository to your list of package sources. On Ubuntu 16.10 (Yakkety Yak) you would use this command: @example -sudo add-apt-repository -s "deb http://birchwood-abbey.net/ubuntu/ yakkety main" +sudo add-apt-repository \ + -s "deb http://birchwood-abbey.net/ubuntu/ yakkety main" @end example or by editing files in @file{/etc/apt/}. Finally, use your package manager to update its list of available -packages and then choose the Scheme plugins you would like to install. +packages and choose the Scheme plugins you would like to install. Scheme itself will be automatically selected because all of the plugins depend on it. You might choose the @code{mit-scheme-pucked-x11-screen} plugin because it depends on @@ -4057,17 +4058,24 @@ want to install the @code{x11-screen} plugin, which requires the project home page lists the package files available for a plugin @emph{and} all of its required plugins. -After you have downloaded all required files, you might want to verify -that each is authentic. If you saved the GPG key in -@file{~/Downloads/mhb-key.gpg}, you can add it to your keyring like -this: +If you would like to verify that the downloaded files are authentic +you will need the corresponding @file{.changes} files. Each contains +checksums for the package files and is signed. If you saved the GPG +key in @file{~/Downloads/mhb-key.gpg}, you can add it to your keyring +like this: @example gpg --import ~/Downloads/mhb-key.gpg @end example -Then verify the signature on e.g. the @code{mit-scheme-pucked} package -file like this: +Then verify the signature on the @file{.changes} file like this: @example -gpg --verify ~/Downloads/mit-scheme-pucked_9.2.7-1_amd64.deb ??? +gpg --verify ~/Downloads/mit-scheme-pucked_9.2.7-1_amd64.changes +@end example +Finally compare the checksum in the @file{.changes} file with one +computed from your downloaded file. +@example +grep mit-scheme-pucked_9.2.7-1_amd64.deb \ + mit-scheme-pucked_9.2.7-1_amd64.changes +sha256sum mit-scheme-pucked_9.2.7-1_amd64.deb @end example After you have downloaded and verified all of the required files, you -- 2.25.1