1 # Verifying OTP release integrity
3 All stable OTP releases are cryptographically signed, to allow
4 you to verify the integrity if you choose to.
6 Releases are signed with [Signify](https://man.openbsd.org/signify.1),
7 with [the public key in the main repository](https://akkoma.dev/AkkomaGang/akkoma/src/branch/stable/SIGNING_KEY.pub)
9 Release URLs will always be of the form
12 https://akkoma-updates.s3-website.fr-par.scw.cloud/{branch}/akkoma-{flavour}.zip
15 Where branch is usually `stable` and `flavour` is
16 the one [that you detect on install](../otp_en/#detecting-flavour).
18 So, for an AMD64 stable install, your update URL will be
21 https://akkoma-updates.s3-website.fr-par.scw.cloud/stable/akkoma-amd64.zip
24 To verify the integrity of this file, we have two helper files
28 https://akkoma-updates.s3-website.fr-par.scw.cloud/{branch}/akkoma-{flavour}.zip.sha256
30 # Signify signature of the hashes
31 https://akkoma-updates.s3-website.fr-par.scw.cloud/{branch}/akkoma-{flavour}.zip.sha256.sig
34 Thus, to upgrade manually, with integrity checking, consider the following script:
44 curl --silent https://akkoma.dev/AkkomaGang/akkoma/raw/branch/$BRANCH/SIGNING_KEY.pub -o AKKOMA_SIGNING_KEY.pub
46 # Download zip file and sig files
47 wget -q https://akkoma-updates.s3-website.fr-par.scw.cloud/$BRANCH/akkoma-$FLAVOUR{.zip,.zip.sha256,.zip.sha256.sig}
49 # Verify zip file's sha256 integrity
50 sha256sum --check akkoma-$FLAVOUR.zip.sha256
52 # Verify hash file's integrity
53 # Signify might be under the `signify` command, depending on your distribution
54 signify-openbsd -V -p AKKOMA_SIGNING_KEY.pub -m akkoma-$FLAVOUR.zip.sha256
56 # We're good, use that URL
57 echo "Update URL contents verified"
59 echo "./bin/pleroma_ctl update --zip-url https://akkoma-updates.s3-website.fr-par.scw.cloud/$BRANCH/akkoma-$FLAVOUR"
60 echo "to update your instance"
63 rm akkoma-$FLAVOUR.zip
64 rm akkoma-$FLAVOUR.zip.sha256
65 rm akkoma-$FLAVOUR.zip.sha256.sig