{{Header}}'''This chapter is recommended for better security, but is not strictly required.''' (See [[Trust]].) {{always_verify_signatures_reminder}} Change directly into source code folder. {{CodeSelect|code= cd derivative-maker }} Git fetch. Optional. [...] {{CodeSelect|code= git fetch }} Verify the chosen tag to build. Replace with tag you want to build. {{CodeSelect|code= git verify-tag {{VersionNew}}-stable }} The output should look similar to this.
object 1844108109a5f2f8bddcf2257b9f3675be5cfb22 type commit tag {{VersionNew}} tagger Patrick Schleizer 1392320095 +0000 . gpg: Signature made Thu 13 Feb 2014 07:34:55 PM UTC using RSA key ID 77BB3C48 gpg: Good signature from "Patrick Schleizer " [ultimate]
{{gpg_signature_timestamp}} The warning.
gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
Is explained on the [[Signing_Key|{{project_name_short}} Signing Key]] page and can be safely ignored. By convention, git tags should point to signed git commits. Beginning from git tag 9.6 and above. ([https://forums.whonix.org/t/security-git-general-verification-verifying-whonix-submodules/513 forum discussion]) It is advisable to verify the signature of the git commit as well (replace {{VersionNew}} with the actual git tag being verified). {{CodeSelect|code= git verify-commit {{VersionNew}}-stable^{commit} }} The output should look similar to this.
commit 5aa1c307c943be60e7d2bfa5727fa5ada3a79c4a gpg: Signature made Sun 07 Dec 2014 01:22:22 AM UTC using RSA key ID 77BB3C48 gpg: Good signature from "Patrick Schleizer " [ultimate] Author: Patrick Schleizer Date: Sun Dec 7 01:22:22 2014 +0000 .
{{Footer}} [[Category:MultiWiki]]