2.2 KiB
+++ title = "Release Hashes" description = "Verify you are using genuine After Dark software." categories = ["security"] tags = ["validate", "privacy", "security", "cryptography", "npm", "git"] features = ["code highlighter", "related content"] copyright owner = "Josh Habdas" date = "2019" license = "agpl-3.0-or-later" +++
After Dark utilizes the {{< external href="https://www.npmjs.com" text="NPM" />}} CLI to produce a unique cryptographic hash each release, enabling any copy to be uniquely identified regardless of its source.
Release hashes use the SHA-512 algorithm and look like this:
{{< hackcss-alert type="success" >}} VWcn7AxXUkZRGsRIM/6A5RjqW7DOPH+XbnLGRp7hpr0TCH/9l31ug2h2JaIlEvsDzOPRcZDBdyZvJ4mSm/Rqjg== {{< /hackcss-alert >}}
Each release a new hash is generated in the following locations:
- Embedded using PGP in the {{< external href="https://git.habd.as/comfusion/after-dark/releases" text="release source" />}}
git tagmessage. - Codified into the {{< external href="https://registry.npmjs.org/after-dark/latest" text="latest" />}} or {{< external href="https://registry.npmjs.org/after-dark/6.7.9" text="version-specific" />}} NPM package metadata.
- Embedded inside the After Dark Online Help documentation.
Upon receiving your copy of After Dark you may use the release hash to verify you are using an unadulterated version of the software.
Run the Release Validator to quickly check your release offline:
{{< hackcss-card header="Interactive Release Validator" >}}
{{< /hackcss-card >}}For a more thorough inspection do the following:
- Install the {{< external href="https://docs.npmjs.com/cli/npm" text="npm cli" />}} on your machine.
- Navigate to
themes/after-darkfrom within your site. - Run
npm i && npm run integrityto generate your SHA-512 hash. - Compare your hash to the hash generated during a signed release.
- If equal, verify the GPG signature used to sign that release.
If inspection fails run the Upgrade Script and try again.