Verify locally

Detached verification notes for the signed integrity manifest. Run the check in a temporary keyring so the public signing key does not enter your default keychain.

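# Throw-away GnuPG home so the key never touches the default keyring
tmpdir="$(mktemp -d)"
export GNUPGHOME="$tmpdir"

# Cache-busting timestamp so all three files are fetched fresh
ts=$(date +%s)
curl -fsS "https://trentpower.fr/integrity.json?ts=$ts" -o integrity.json
curl -fsS "https://trentpower.fr/integrity.json.sig?ts=$ts" -o integrity.json.sig
curl -fsS "https://trentpower.fr/.well-known/pgp-key.asc?ts=$ts" | gpg --import
# Exits non-zero if the signature does not verify
gpg --verify integrity.json.sig integrity.json

# Stop any GnuPG helper daemons started for the temporary home, then clean up
gpgconf --kill all
unset GNUPGHOME
rm -rf "$tmpdir" integrity.json integrity.json.sig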

These commands import the public key into a throw-away keyring, verify the signed manifest, and remove the working files. No state is retained on the machine afterwards.
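Because the key is downloaded from the same origin as the manifest, a passing `gpg --verify` shows only that the signature matches the key that was served. The following is an added example, not part of the original page: it accepts the result only when the signing key's primary fingerprint equals one obtained out of band. The names `check_status`, `verify_pinned` and `PINNED_FPR` are hypothetical, and the fingerprint values are placeholders or constructed samples.

```shell
#!/bin/sh
# Added example: pin the signer's fingerprint instead of trusting any imported key.
# PINNED_FPR is a placeholder; replace it with the value obtained out of band.
PINNED_FPR="0000000000000000000000000000000000000000"

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Returns 0 only if a VALIDSIG line
# names the expected primary key and no signature was reported as bad,
# unverifiable, expired, or made by an expired or revoked key.
check_status() {
  awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" {
      # Field 12 is the primary key fingerprint; field 3 is the signing (sub)key.
      fpr = (NF >= 12) ? $12 : $3
      if (length(want) >= 40 && toupper(fpr) == want) ok = 1
    }
    END { exit (ok && !bad) ? 0 : 1 }
  '
}

# verify_pinned MANIFEST SIGNATURE EXPECTED_FPR
# Runs gpg in the current GNUPGHOME and applies the fingerprint check.
verify_pinned() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed sample status output (not captured from a real run).
SAMPLE_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Constructed Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2024-01-01 1704067200 0 4 0 22 10 00 $SAMPLE_FPR"

if printf '%s\n' "$SAMPLE_STATUS" | check_status "$SAMPLE_FPR"; then
  echo "sample: signature made by the pinned key"
fi
if ! printf '%s\n' "$SAMPLE_STATUS" | check_status "$PINNED_FPR"; then
  echo "sample: rejected, signer does not match the placeholder pin"
fi
```

In the procedure above, `verify_pinned integrity.json integrity.json.sig "$PINNED_FPR"` would take the place of the bare `gpg --verify` call, while the temporary `GNUPGHOME` is still set.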
