Commit 19b07b5

[README] add verifying binaries
1 parent 2cdd06c commit 19b07b5

1 file changed

+48
-0
lines changed
README.md

Lines changed: 48 additions & 0 deletions
@@ -98,6 +98,54 @@ Issues are being tracked here on GitHub.
9898

9999
The source code for NW.js and the daily development spans across multiple repositories in this organization. This repository is for the purpose of issue tracking, landing page and part of the source code.
100100

101+
### Verifying Binaries
102+
103+
Starting from 0.32.0 the stable and nightly download directories contain a SHASUMS256.txt
104+
file that lists the SHA checksums for each file available for download, as well as the
105+
checksums for the files inside the download package.
106+
107+
The SHASUMS256.txt can be downloaded using `curl`.
108+
109+
```console
110+
$ curl -O https://dl.nwjs.io/vx.y.z/SHASUMS256.txt
111+
```
112+
113+
To check that a downloaded file matches the checksum, run
114+
it through `sha256sum` with a command such as:
115+
116+
```console
117+
$ grep nwjs-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -
118+
```
119+
120+
The stable releases (but not Nightlies) also have the GPG detached
121+
signature of SHASUMS256.txt available as SHASUMS256.txt.asc. You can use `gpg`
122+
to verify that SHASUMS256.txt has not been tampered with.
123+
124+
To verify SHASUMS256.txt has not been altered, you will first need to import
125+
the GPG key of NW.js maintainer to create releases.
126+
Use this command to import the key:
127+
128+
```console
129+
$ gpg --keyserver pool.sks-keyservers.net --recv-keys 78680FA9E21BB40A
130+
```
131+
```
132+
(Key fingerprint is 1E8B EE8D 5B0C 4CBC D6D1 9E26 7868 0FA9 E21B B40A)
133+
```
134+
See the bottom of this README for a full script to import active release keys.
135+
136+
Next, download the SHASUMS256.txt.asc for the release:
137+
138+
```console
139+
$ curl -O https://dl.nwjs.io/vx.y.z/SHASUMS256.txt.asc
140+
```
141+
142+
After downloading the appropriate SHASUMS256.txt and SHASUMS256.txt.asc files,
143+
you can then use `gpg --verify SHASUMS256.txt.asc SHASUMS256.txt` to verify
144+
that the file has been signed by an authorized member of the NW.js team.
145+
146+
Once verified, use the SHASUMS256.txt file to get the checksum for
147+
the binary verification command above.
148+
101149
## License
102150

103151
`NW.js`'s code in this repo uses the MIT license, see our `LICENSE` file. To redistribute the binary, see [How to package and distribute your apps](https://github.com/nwjs/nw.js/wiki/How-to-package-and-distribute-your-apps)
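
Review bot: The import command `gpg --keyserver pool.sks-keyservers.net --recv-keys 78680FA9E21BB40A` fetches the key by its 64-bit long ID, and the full fingerprint only appears afterwards in a separate untagged block. Pass the full fingerprint (1E8B EE8D 5B0C 4CBC D6D1 9E26 7868 0FA9 E21B B40A, without spaces) to `--recv-keys` and tell readers to compare it against the output of `gpg --fingerprint` after the import, so the key they trust is the one this README names. The sentence "See the bottom of this README for a full script to import active release keys." points to a script that this hunk does not add; if none exists at the bottom of the README, add it or drop the sentence. The section also gives the `sha256sum -c` check before the signature check, although the checksums are only meaningful once SHASUMS256.txt itself has been verified, so consider moving the `gpg --verify` steps first. Minor: "the GPG key of NW.js maintainer to create releases" reads as an incomplete phrase.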