yigitcolakoglu
/
fr1nge.xyz
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
1 Branch
8.0 MiB
Tree: 4b98414d62
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4b98414d62'
${ noResults }
fr1nge.xyz/themes/after-dark/docs/content/feature/release-hashes.md

44 lines
2.2 KiB
Raw Normal View History

Hugo Added
4 years ago
 
  1. +++
  2. title = "Release Hashes"
  3. description = "Verify you are using genuine After Dark software."
  4. categories = ["security"]
  5. tags = ["validate", "privacy", "security", "cryptography", "npm", "git"]
  6. features = ["code highlighter", "related content"]
  7. [[copyright]]
  8.   owner = "Josh Habdas"
  9.   date = "2019"
  10.   license = "agpl-3.0-or-later"
  11. +++
  12. 

  13. After Dark utilizes the {{< external href="https://www.npmjs.com" text="NPM" />}} CLI to produce a unique cryptographic hash each release, enabling any copy to be uniquely identified regardless of its source.
  14. 

  15. Release hashes use the <abbr title="Secure Hashing Algorithm">SHA-512</abbr> algorithm and look like this:
  16. 

  17. {{< hackcss-alert type="success" >}}
  18. <samp>VWcn7AxXUkZRGsRIM/6A5RjqW7DOPH+XbnLGRp7hpr0TCH/9l31ug2h2JaIlEvsDzOPRcZDBdyZvJ4mSm/Rqjg==</samp>
  19. {{< /hackcss-alert >}}
  20. 

  21. 

  22. Each release a new hash is generated in the following locations:
  23. 

  24. - Embedded using PGP in the {{< external href="https://git.habd.as/comfusion/after-dark/releases" text="release source" />}} `git tag` message.
  25. - Codified into the {{< external href="https://registry.npmjs.org/after-dark/latest" text="latest" />}} or {{< external href="https://registry.npmjs.org/after-dark/6.7.9" text="version-specific" />}} NPM package metadata.
  26. - Embedded inside the After Dark [Online Help](../online-help) documentation.
  27. 

  28. Upon receiving your copy of After Dark you may use the release hash to verify you are using an unadulterated version of the software.
  29. 

  30. Run the [Release Validator](/validate) to quickly check your release offline:
  31. 

  32. {{< hackcss-card header="Interactive Release Validator" >}}
  33. <iframe title="Validate Release" scrolling="no" width="100%" height="360" src="/validate"></iframe>
  34. {{< /hackcss-card >}}
  35. 

  36. For a more thorough inspection do the following:
  37. 

  38. 1. Install the {{< external href="https://docs.npmjs.com/cli/npm" text="npm cli" />}} on your machine.
  39. 2. Navigate to `themes/after-dark` from within your site.
  40. 3. Run `npm i && npm run integrity` to generate your SHA-512 hash.
  41. 4. Compare your hash to the hash generated during a signed release.
  42. 5. If equal, verify the GPG signature used to sign that release.
  43. 

  44. If inspection fails run the [Upgrade Script](../upgrade-script/) and try again.