When a project publishes OpenPGP signatures for its artifacts, they should be checked. Doing the check as part of the build process, rather than as a one-off manual step, makes the verification publicly verifiable. An example:
# Build-time OpenPGP verification of a Tails release image.
#
# Trust is anchored in the fixed-output hash of the signing key below: the
# key is fetched by hash, imported into a throwaway keyring, and the ISO is
# exposed as `verified-tails-iso` only if gpg accepts the detached signature.
{ fetchurl, gnupg, runCommand, }:
let
  version = "5.4";
in
rec {
  # Public key the release signature is checked against. Its sha256 pins
  # which key is trusted; the URL is only where it is downloaded from.
  tails-signing-key = fetchurl {
    url = "https://tails.boum.org/tails-signing.key";
    sha256 = "1sa6kc1icwf8y1smfqfy3zxh9z687zrm59whn2xj4s98wqg39wbh";
  };

  # Detached signature over the ISO, published alongside the image.
  tails-iso-signature = fetchurl {
    url = "https://tails.boum.org/torrents/files/tails-amd64-${version}.iso.sig";
    sha256 = "1f0l6mwy6nw8817a5p5a798arqklbv3fkv3d3p45pzinr57ny6dc";
  };

  # The release image as downloaded; its signature has not been checked yet.
  unverified-tails-iso = fetchurl {
    url = "https://ftp.nluug.nl/os/Linux/distr/tails/tails/stable/tails-amd64-${version}/tails-amd64-${version}.iso";
    sha256 = "142nw4gp24pn1ndx6rk78bbam78pbmwgnzfs0zmb9vv1s4lp15wa";
  };

  # A symlink to unverified-tails-iso that is created only when gpg reports
  # a good signature; a failed check fails the derivation instead.
  verified-tails-iso = runCommand "verified-tails-iso" { } ''
    set -euo pipefail

    # Fresh, empty keyring, so the only key gpg can match against is the
    # pinned one imported just below.
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME

    gpg=${gnupg}/bin/gpg
    "$gpg" --import ${tails-signing-key}

    # Under set -e a non-zero exit here aborts the build, so the symlink
    # is only ever created for a signature gpg accepts.
    # NOTE(review): only gpg's exit status gates the result; warnings that
    # gpg prints without failing (such as the key not being certified in
    # this throwaway keyring) do not by themselves fail the build -- confirm
    # that is the intended policy.
    "$gpg" --verify ${tails-iso-signature} ${unverified-tails-iso}
    ln -s ${unverified-tails-iso} $out
  '';
}
A version bump changes the fetch hashes of the signed resource and of its signature, but leaves the signing key's hash unchanged:
@@ -1,6 +1,6 @@ { fetchurl, gawk, gnupg, gnused, qemu_kvm, runCommand, socat, stdenvNoCC, wmctrl , writeShellScriptBin, }: -let version = "5.3.1"; +let version = "5.4"; in rec { tails-signing-key = fetchurl { @@ -11,11 +11,11 @@ unverified-tails-iso = fetchurl { url = "https://ftp.nluug.nl/os/Linux/distr/tails/tails/stable/tails-amd64-${version}/tails-amd64-${version}.iso"; - sha256 = "12riynxzwv0f6cl5jkp8z1zszxxzfrk2kmf4f9g118ypwjzy352p"; + sha256 = "142nw4gp24pn1ndx6rk78bbam78pbmwgnzfs0zmb9vv1s4lp15wa"; }; tails-iso-signature = fetchurl { url = "https://tails.boum.org/torrents/files/tails-amd64-${version}.iso.sig"; - sha256 = "0s50m12g6lsrwwrvm79wrq7lyvwgha12ajc1qi6sr1dxn48zvxp7"; + sha256 = "1f0l6mwy6nw8817a5p5a798arqklbv3fkv3d3p45pzinr57ny6dc"; }; verified-tails-iso = runCommand "verified-tails-iso" { } ''