Release notes for v0.3.0

decred · Aug 12, 2016 · e59af1e · e59af1e
1 parent e9d4343
commit e59af1e
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -6,3 +6,49 @@ This repository contains the decred installer.
 For the release notes, manifests, and released binary achives please
 go to [decred-binaries](https://github.com/decred/decred-binaries).
 
+## Verifying Binaries
+
+Each release contains a manifest file with sha256 hashes for the
+binaries in that release.  To verify these, you will need:
+
+* SHA256 - Once you download your file(s), you need to check their
+  SHA256 hashes, so you may need to download a tool to do this,
+  depending on your OS.
+* GnuPG or PGP - This is required to import public keys and verify
+  signatures. Examples below use GnuPG.
+
+The steps to verify the binaries are as follows:
+
+1. Download the file manifest, the signature for the file manifest, and the binary for your OS from here.
+2. Obtain the SHA256 value for the binary for your OS and check that it matches the value in the file manifest, e.g. for 64-bit Linux
+
+   ```
+   $ sha256sum dcrinstall-linux-amd64-v0.3.0
+   a53004599daeab51c0e86af026748b7aa55ff9e5d4844bef3b7d8ccf8a5d72a9  dcrinstall-linux-amd64-v0.3.0
+   ```
+
+3. Import the Decred Release Signing Key in GnuPG.
+   ```
+   $ gpg --keyserver pgp.mit.edu --recv-keys 0x518A031D
+      gpg: requesting key 518A031D from hkp server pgp.mit.edu
+      gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
+      gpg: key 7608AF04: public key "Decred Release <[email protected]>" imported
+      gpg: Total number processed: 1
+      gpg: imported: 1 (RSA: 1)
+   ```
+4. Verify the signature for the file manifest is valid and created by
+the Decred Release Signing Key.
+
+	```
+   $ gpg --verify manifest-dcrinstall-v0.3.0.txt
+      gpg: assuming signed data in `manifest-dcrinstall-v0.3.0.txt'
+      gpg: Signature made Wed 27 Jan 2016 08:56:59 PM UTC using RSA key ID 518A031D
+      gpg: Good signature from "Decred Release <[email protected]>"
+      gpg: WARNING: This key is not certified with a trusted signature!
+      gpg: There is no indication that the signature belongs to the owner.
+          Primary key fingerprint: FD13 B683 5E24 8FAF 4BD1 838D 6DF6 34AA 7608 AF04
+           Subkey fingerprint: F516 ADB7 A069 852C 7C28 A02D 6D89 7EDF 518A 031D
+   ```
+
+The binary for your platform is now verified and you can be confident
+they were generated by the Decred team.
diff --git a/release-notes.md b/release-notes.md
@@ -1,3 +1,13 @@
+#[v0.3.0](https://github.com/decred/decred-release/releases/tag/v0.3.0)
+
+## 2016-08-15
+
+This upgrades dcrinstall to default to the current release of the dcr
+tools.
+
+For instructions on how to verify the dcrinstall binary, please see
+[README.md](./README.md).
+
 #[v0.2.0](https://github.com/decred/decred-release/releases/tag/v0.2.0)
 
 ## 2016-07-22
@@ -6,7 +16,7 @@ This upgrades dcrinstall to default to the current release of the dcr
 tools.
 
 For instructions on how to verify the dcrinstall binary, please see
-[the documentation on cryptographically verifying binaries](https://wiki.decred.org/Verifying_Binaries).
+[README.md](./README.md).
 
 #[v0.1.6](https://github.com/decred/decred-release/releases/tag/v0.1.6)