Great! You cloned the Sovereign Stack git repo to your management machine! You're well on your way to deploying your own Bitcoin-native websites!
But before you do anything else, you really SHOULD VERIFY that the code you downloaded has been signed by the Sovereign Stack maintainer key, farscapian.
-----BEGIN PGP PUBLIC KEY BLOCK-----

mFIEAAAAABMIKoZIzj0DAQcCAwQ3hQeRT8HLyQEtKJ5C3dKilfWhSpqkPFtfuE0I
i+MNLavAM7tL9gShij7tEcyZe0Iy2hc38TizSlQJciIdgtHUtCJEZXJlayBTbWl0
aCA8ZGVyZWtAZmFyc2NhcGlhbi5jb20+iIAEExMIABwFAgAAAAACCwkCGwMEFQgJ
CgQWAgMBAheAAh4BABYJELRD5TChThyQCxpUUkVaT1ItR1BHXMcA/2k4QtiV0eNQ
299XW4Wvoac1Be6+WTPRIaC/PYnd0pR7AP4hi5ou6uyKtqkfhLtRQHN/9ny3MBEG
whGxb/bCIzOdILhWBAAAAAASCCqGSM49AwEHAgMEI0VBpCTeIpfdH2UcWiSPYGAJ
Z1Rsp0uKf6HzZnpGRAdCTNgCh+pVBibP0Cz0pNdM7IfHSfS+OP4/Lb1B5N9BSAMB
CAeIbQQYEwgACQUCAAAAAAIbDAAWCRC0Q+UwoU4ckAsaVFJFWk9SLUdQRxM4AQCw
m24svH13uNAebQurOloy/1qZgNdXANBQQ05oi1tEyAD/eGFFVdgs5L6Hpg/GJLvo
X8bd1+1sa2d9TldbgfNfRA0=
=vZGY
-----END PGP PUBLIC KEY BLOCK-----
Save it to a file (for example farscapian.gpg), then import it into your gpg public key store. You should see something like this:
ubuntu@ss-mgmt:~$ gpg --import farscapian.gpg
gpg: /home/ubuntu/.gnupg/trustdb.gpg: trustdb created
gpg: key B443E530A14E1C90: public key "Derek Smith <email@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Trust the key
It's useful to update your GPG settings so the key is fully trusted. That way when you download new updates and check the signatures, your system will indicate that the git repos have been signed by a trusted authority and won't issue confusing error messages.
To trust the maintainer's key, run gpg --edit-key B443E530A14E1C90. You should see the following:
ubuntu@ss-mgmt:~$ gpg --edit-key B443E530A14E1C90
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  nistp256/B443E530A14E1C90
     created: 1970-01-01  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  nistp256/798DF725CFB0629A
     created: 1970-01-01  expires: never       usage: E
[ unknown] (1). Derek Smith <firstname.lastname@example.org>
Type trust at the gpg> prompt. Then press 5 to fully trust the certificate. After you press enter, type yes. Then quit by typing q at the gpg> prompt. Done!
Verify Sovereign Stack
Now that you have imported the maintainer's certificate and trusted it, you can begin to verify code commits. Do this by running git log --show-signature from the Sovereign Stack git repo (usually at ~/sovereign-stack). The output will show something like this:
ubuntu@ss-mgmt:~/sovereign-stack$ git log --show-signature
commit 98866559bd8dd72700a352210752436a8e2e1c0a (HEAD -> master, ss-upstream/master)
gpg: Signature made Tue 07 Mar 2023 12:04:56 AM UTC
gpg:                using ECDSA key 77A10B652328FCBECEF26DA8B443E530A14E1C90
gpg: Good signature from "Derek Smith <email@example.com>" [uncertain]
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
Author: Derek Smith <firstname.lastname@example.org>
Date:   Mon Mar 6 19:04:56 2023 -0500

    Move projects pull to install.sh
If the output says Good signature from "Derek Smith <email@example.com>", the repo was successfully signed by the Sovereign Stack maintainer.
Ok great! You have reasonable assurance that the bash code you're about to run has been created by a known authority.
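One caveat worth automating: "Good signature" on its own only tells you that some key in your keyring produced a valid signature. Before running the code, also confirm that the signing key is the maintainer's key and not another key that happens to be imported. The script below is an added example, not part of the Sovereign Stack project; it pins the fingerprint gpg printed in the git log output above (77A10B652328FCBECEF26DA8B443E530A14E1C90) and checks both conditions. The sample outputs it runs against are constructed for the example, with a placeholder all-zero fingerprint standing in for an unrelated key.

```shell
#!/bin/sh
# Added example (not Sovereign Stack's own code): require both a Good
# signature AND the pinned maintainer fingerprint before trusting a commit.
# Fingerprint taken from the "using ECDSA key ..." line of the page's git log output.
EXPECTED_FPR="77A10B652328FCBECEF26DA8B443E530A14E1C90"

# verify_signature_output reads "git log --show-signature" output on stdin.
# Returns 0 only if gpg reported a Good signature made with the pinned key,
# 1 if there is no good signature at all, 2 if a different key signed it.
verify_signature_output() {
    sig_output=$(cat)
    printf '%s\n' "$sig_output" | grep -q '^gpg: Good signature from ' || return 1
    printf '%s\n' "$sig_output" | grep -q "key ${EXPECTED_FPR}\$" || return 2
    return 0
}

# check_status_line takes one line produced by
#   git log -1 --format='%G? %GF' HEAD
# where %G? is the signature status (G = good and trusted, U = good but from an
# untrusted key, B = bad, N = unsigned) and %GF is the signing key fingerprint.
# Returns 0 only for status G with the pinned fingerprint, so a key that was
# imported but never trusted (status U) is still rejected.
check_status_line() {
    status=${1%% *}
    fpr=${1#* }
    [ "$status" = "G" ] && [ "$fpr" = "$EXPECTED_FPR" ]
}

# Constructed sample modelled on the page's output: good signature, pinned key.
SAMPLE_GOOD='commit 98866559bd8dd72700a352210752436a8e2e1c0a (HEAD -> master)
gpg: Signature made Tue 07 Mar 2023 12:04:56 AM UTC
gpg:                using ECDSA key 77A10B652328FCBECEF26DA8B443E530A14E1C90
gpg: Good signature from "Derek Smith <email@example.com>" [ultimate]
Author: Derek Smith <email@example.com>'

# Constructed sample: valid signature, but from an unrelated key (placeholder fingerprint).
SAMPLE_WRONG_KEY='gpg: Signature made Tue 07 Mar 2023 12:04:56 AM UTC
gpg:                using ECDSA key 0000000000000000000000000000000000000000
gpg: Good signature from "Someone Else <someone@example.invalid>" [unknown]'

# Constructed sample: unsigned commit, no gpg lines at all.
SAMPLE_UNSIGNED='commit 0123456789abcdef0123456789abcdef01234567
Author: Derek Smith <email@example.com>'

# Stand-alone demo over the constructed samples.
printf '%s\n' "$SAMPLE_GOOD" | verify_signature_output && echo "sample 1: signed by pinned maintainer key"
printf '%s\n' "$SAMPLE_WRONG_KEY" | verify_signature_output || echo "sample 2: rejected (exit $?)"
printf '%s\n' "$SAMPLE_UNSIGNED" | verify_signature_output || echo "sample 3: rejected (exit $?)"

# Against the real checkout (assumes git and gpg are installed and the key is imported):
#   cd ~/sovereign-stack
#   git log -1 --show-signature | verify_signature_output && echo "HEAD signed by pinned key"
#   check_status_line "$(git log -1 --format='%G? %GF' HEAD)" && echo "HEAD: status G, pinned key"
```

The second function is the more robust check for scripts: git's %G? placeholder already distinguishes a good signature from a trusted key (G) from one made by a key you merely imported (U), which is exactly the difference the trust step above is meant to remove, and %GF gives you the fingerprint without parsing gpg's human-readable lines.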