Verify Sovereign Stack

Great! You have cloned the Sovereign Stack git repo to your management machine! You're well on your way to deploying your own Bitcoin-native website!

But before you do anything else, you really SHOULD VERIFY that the code you downloaded has been signed by the Sovereign Stack maintainer key. Right now, the current Sovereign Stack maintainer is Derek Smith. His public key can be downloaded below. One caveat: downloading the key from the same place you got the repo proves nothing on its own, because anyone who could tamper with the repo could swap the key too. Confirm the full 40-digit fingerprint (3CC6319316B613A46EEFDF778F1CD799CCA516CC) through a second channel before you trust it.

After it's downloaded, run gpg --import derek_smith.gpg to import it into your gpg public key store. You should see something like this:

ubuntu@www:~$ gpg --import derek_smith.gpg 
gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key 8F1CD799CCA516CC: public key "Derek Smith <derek@farscapian.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Trust the key

The import output only shows the 64-bit key ID (8F1CD799CCA516CC). Before trusting anything, run gpg --fingerprint 8F1CD799CCA516CC and check that all 40 hex digits match 3CC6319316B613A46EEFDF778F1CD799CCA516CC. Once you have done that, set the key's ownertrust. That way when you download new updates and check the signatures, gpg will report the signature as coming from a key you trust, rather than printing a "Good signature" line tagged [unknown] or [uncertain] that looks like an error.

To trust the maintainer's key, run gpg --edit-key 3CC6319316B613A46EEFDF778F1CD799CCA516CC. You should see the following:

ubuntu@www:~$ gpg --edit-key 3CC6319316B613A46EEFDF778F1CD799CCA516CC
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


pub  nistp256/8F1CD799CCA516CC
     created: 1970-01-01  expires: never       usage: SC  
     trust: unknown       validity: unknown
sub  nistp256/D67CE85E0293024B
     created: 1970-01-01  expires: never       usage: E   
[ unknown] (1). Derek Smith <derek@farscapian.com>

Next, type trust at the gpg> prompt and choose 5 ("I trust ultimately"). gpg asks you to confirm, so answer y. Then quit by typing q at the gpg> prompt. Done! Note that option 4 ("fully") only says the key may vouch for other keys; it is option 5 that makes this key itself valid without you signing it, which is why the trustdb summary later shows one ultimately trusted key (1u). Only do this for a key whose fingerprint you have confirmed out-of-band.

Verify Sovereign Stack

Now that you have imported the maintainer's certificate and trusted it, you can begin to verify code commits. Do this by running git log --show-signature from the Sovereign Stack git repo (usually at ~/sovereign-stack); it prints the signature status of every commit in the history. If you only want a yes/no answer for the code you are about to run, git verify-commit HEAD (or git verify-tag v0.0.18 for a release tag) checks a single object and exits non-zero on failure, which is what you want in a script. The output of git log --show-signature will show something like this:

ubuntu@www:~/sovereign-stack$ git log --show-signature
commit 29b079a2c684f0c9589c197c3c9b40d4e73d119b (HEAD -> master, tag: v0.0.18, origin/master, origin/HEAD)
gpg: Signature made Sun 02 Jan 2022 03:34:53 PM UTC
gpg:                using ECDSA key 3CC6319316B613A46EEFDF778F1CD799CCA516CC
gpg: Good signature from "Derek Smith <derek@farscapian.com>" [uncertain]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
Author: Derek Smith <derek@farscapian.com>
Date:   Sun Jan 2 10:34:53 2022 -0500

    Creating commit on Sun Jan  2 10:34:53 AM EST 2022.
    
    Signed-off-by: Derek Smith <derek@farscapian.com>

If the output says Good signature from "Derek Smith <derek@farscapian.com>" and the full 40-digit fingerprint is 3CC6319316B613A46EEFDF778F1CD799CCA516CC, that commit was signed by the Sovereign Stack maintainer! Do not stop at the last eight digits (CCA516CC): short key IDs are cheap to collide, so a look-alike key could match them. Once the trustdb has been updated the signature line should be tagged [ultimate]; if it still says [unknown] or [uncertain], run gpg --check-trustdb and look again.

Ok great! You have reasonable assurance that the bash code you're about to run has been signed by the key you trust. Keep in mind what that does and does not prove: the commit came from the holder of that key and has not been altered since, but a signature says nothing about whether the code itself is safe.
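The steps above (import, confirm the fingerprint, set ownertrust, check the signature) can be collapsed into one scriptable check. The following is an added example, not part of Sovereign Stack and not the maintainer's code. It parses the machine-readable status lines that git verify-commit --raw prints (gpg's GOODSIG, VALIDSIG and TRUST_* records) instead of grepping the human-readable output, and refuses a commit unless the signature is good, the primary key fingerprint is exactly the expected one, and that key is trusted. The status samples are constructed to match gpg's documented format, not captured from the real repo; the DEADBEEF fingerprint and "Someone Else" identity are made up.

```bash
#!/bin/sh
# Added example: scriptable signature check for a Sovereign Stack commit.
# `git verify-commit --raw` writes gpg's status-fd lines to stderr; we parse
# those, because "Good signature" in the human-readable output does not say
# WHICH key signed or whether you trust it.

# Maintainer fingerprint from the page. Confirm it out-of-band before you
# paste it here; this script cannot know whether it is the right value.
EXPECTED_FPR="3CC6319316B613A46EEFDF778F1CD799CCA516CC"

# check_status EXPECTED_FPR
# Reads gpg status lines on stdin, prints one verdict word and returns 0 only
# for "ok". Verdicts: ok, no-good-signature, wrong-key, untrusted.
check_status() {
    expected="$1"
    goodsig=0
    validfpr=""
    trusted=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)
                goodsig=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsv> <pkalgo>
                # <hashalgo> <class> [<primary-fpr>]: field 1 is the key that
                # made the signature; field 10, when present, is the primary
                # key, which is what to compare when a signing subkey is used.
                fields=${line#"[GNUPG:] VALIDSIG "}
                set -- $fields
                validfpr="$1"
                if [ "$#" -ge 10 ]; then
                    validfpr="${10}"
                fi ;;
            "[GNUPG:] TRUST_ULTIMATE"*|"[GNUPG:] TRUST_FULLY"*)
                trusted=1 ;;
        esac
    done
    if [ "$goodsig" -ne 1 ]; then
        echo "no-good-signature"; return 1
    fi
    if [ "$validfpr" != "$expected" ]; then
        echo "wrong-key"; return 1
    fi
    if [ "$trusted" -ne 1 ]; then
        echo "untrusted"; return 1
    fi
    echo "ok"
    return 0
}

# verify_commit [COMMIT]: live check inside a real repository (needs git + gpg).
verify_commit() {
    git verify-commit --raw "${1:-HEAD}" 2>&1 | check_status "$EXPECTED_FPR"
}

# Constructed status output (modelled on gpg's DETAILS format, not captured
# from the real repository) for the outcomes a practitioner must distinguish.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8F1CD799CCA516CC Derek Smith <derek@farscapian.com>
[GNUPG:] VALIDSIG 3CC6319316B613A46EEFDF778F1CD799CCA516CC 2022-01-02 1641137693 0 4 0 19 8 00 3CC6319316B613A46EEFDF778F1CD799CCA516CC
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Hypothetical other key (fingerprint made up) that signed the commit:
# a bare "Good signature" line would not catch this.
SAMPLE_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DEADBEEFDEADBEEF Someone Else <someone@example.com>
[GNUPG:] VALIDSIG DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF 2022-01-02 1641137693 0 4 0 19 8 00 DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Right key, but the ownertrust step was skipped.
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8F1CD799CCA516CC Derek Smith <derek@farscapian.com>
[GNUPG:] VALIDSIG 3CC6319316B613A46EEFDF778F1CD799CCA516CC 2022-01-02 1641137693 0 4 0 19 8 00 3CC6319316B613A46EEFDF778F1CD799CCA516CC
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Key never imported: gpg reports ERRSIG/NO_PUBKEY instead of GOODSIG.
SAMPLE_NO_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8F1CD799CCA516CC 19 8 00 1641137693 9 3CC6319316B613A46EEFDF778F1CD799CCA516CC
[GNUPG:] NO_PUBKEY 8F1CD799CCA516CC'

printf 'good       -> %s\n' "$(printf '%s\n' "$SAMPLE_GOOD" | check_status "$EXPECTED_FPR")"
printf 'wrong key  -> %s\n' "$(printf '%s\n' "$SAMPLE_WRONG_KEY" | check_status "$EXPECTED_FPR")"
printf 'untrusted  -> %s\n' "$(printf '%s\n' "$SAMPLE_UNTRUSTED" | check_status "$EXPECTED_FPR")"
printf 'no key     -> %s\n' "$(printf '%s\n' "$SAMPLE_NO_KEY" | check_status "$EXPECTED_FPR")"

# Set VERIFY_COMMIT=HEAD (or another commit-ish) and run from ~/sovereign-stack
# to check the real repository; the script exits non-zero on any failure.
if [ -n "${VERIFY_COMMIT:-}" ]; then
    verify_commit "$VERIFY_COMMIT"
fi
```

Run it as VERIFY_COMMIT=HEAD sh verify.sh from inside the clone. The fingerprint comparison is on all 40 hex digits of the primary key, so a key whose short ID happens to end in CCA516CC is rejected, and "untrusted" tells you the ownertrust step above was skipped rather than that the signature is bad.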


Want to support Sovereign Stack development? Consider donating to our monthly crowdfund.