Commit 7d96e29

Merge pull request #57 from sassoftware/pr-gpg-sign
feat: Add instructions for GPG key verification
2 parents d645017 + 1ac1573 commit 7d96e29

1 file changed

+44
-2
lines changed

README.md

Lines changed: 44 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -57,8 +57,9 @@ Use "viya4-orders-cli [command] --help" for more information about a command.
5757
#### Option 1 - Download a pre-built binary file.
5858

5959
Binaries for Windows, macOS, and Linux are available as downloads from
60-
https://github.com/sassoftware/viya4-orders-cli/releases. Expand `Assets` under
61-
the release of interest.
60+
https://github.com/sassoftware/viya4-orders-cli/releases/latest.
61+
62+
If you choose this option, refer to [Verifying Release Signatures](#verifying-release-signatures) to verify the authenticity and integrity of the downloaded binary.
6263

6364
#### Option 2 - Build the project yourself.
6465

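Review bot: lines 60+/61+ drop the "Expand `Assets` under the release of interest" guidance together with the pointer to the full releases list, so a reader who needs a specific (non-latest) version, which the new "Verifying Release Signatures" cross-reference also applies to, no longer learns where to find it. Consider keeping a short sentence such as "Older versions are listed at https://github.com/sassoftware/viya4-orders-cli/releases; expand `Assets` under the release of interest."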
@@ -259,6 +260,47 @@ using SAS Viya Orders CLI:
259260
}
260261
```
261262

263+
## Verifying Release Signatures
264+
265+
SAS Viya Orders CLI releases are cryptographically signed with [GPG](https://www.gnupg.org/). To verify the authenticity of a downloaded binary:
266+
267+
### 1. Import the SAS release signing public key
268+
269+
``` bash
270+
# Download and import the public key
271+
curl -O https://github.com/sassoftware/viya4-orders-cli/releases/download/latest/sas-release-signing-key.asc
272+
273+
gpg --import sas-release-signing-key.asc
274+
```
275+
276+
### 2. Verify the key fingerprint
277+
278+
Ensure the imported key matches this fingerprint:
279+
```
280+
A604 6426 9268 85FD 8E00 5C42 D7EC 86DE FBC5 F8E2
281+
```
282+
283+
You can check with:
284+
```bash
285+
gpg --fingerprint [email protected]
286+
```
287+
288+
### 3. Verify the signature
289+
290+
Download both the binary and its corresponding `.asc` signature file from https://github.com/sassoftware/viya4-orders-cli/releases/latest, then verify:
291+
292+
```bash
293+
# Example for Linux binary
294+
gpg --verify viya4-orders-cli_linux_amd64.asc viya4-orders-cli_linux_amd64
295+
```
296+
297+
A successful verification will show:
298+
```
299+
gpg: Good signature from "SAS Institute, Inc. (Release Signing) <[email protected]>"
300+
```
301+
302+
**Note:** You may see a warning about the key not being "certified with a trusted signature." This is normal and does not affect the verification. The warning simply means you haven't explicitly marked the key as trusted in your keyring.
303+
262304
## Contributing
263305

264306
We welcome your contributions! Please read [CONTRIBUTING.md](CONTRIBUTING.md)
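Review bot: the `curl -O` URL at line 271+ uses the per-tag asset path `/releases/download/latest/...`; `latest` is not a tag, so unless a release is literally tagged `latest` this fetch will return a 404 or an HTML error page that `gpg --import` then rejects. GitHub's stable path for an asset of the newest release is `/releases/latest/download/sas-release-signing-key.asc`. Two further points on the same hunk: the key (line 271+) and the fingerprint the user is told to compare it against (line 280+) are both served from the same repository as the binaries, so a compromise of that channel defeats step 2; consider pointing to a second source for the fingerprint (a SAS-controlled web page, a keyserver or WKD lookup) and saying explicitly that a mismatch means the key must not be used. Finally, line 269+ opens its fence as ```` ``` bash ```` while lines 284+ and 292+ use ```` ```bash ````; align them.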
