Commits and releases are cryptographically signed with my GPG key F744D8C299C05EAA to ensure authenticity.

Find public sources of trust for my GPG key ID F744D8C299C05EAA, e.g. my website, GitHub, or similar. Verify the integrity of this guide by comparing the key ID and fingerpint throughout.

1. Clone the repository.
2. Checkout a release tag or commit and take note of the signature, e.g:

   git tag -v v1.0.0

   git log --show-signature

3. Import my public key:

   gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys F744D8C299C05EAA

4. Show the fingerprint:

   gpg --fingerprint F744D8C299C05EAA

5. Verify that the fingerprint from the keyserver matches:
   • The git tag signature.
   • This guide.
   • The public source of trust.

1. Import my public key:

   gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys F744D8C299C05EAA

2. Download one of the release files (tarball or zip).
3. Download the SHA256SUMS.asc file which is a signed file containing checksums.
4. In the directory of the downloaded files, verify the integrity:

   gpg --verify SHA256SUMS.asc

5. Ensure the output shows my name Chris Yarbrough and key fingerprint 98A78974F886777AB85CF1D0F744D8C299C05EAA.
6. Verify the checksum(s):

   sha256sum -c SHA256SUMS.asc

   The output should indicate, e.g. ucll-linux-arm64.tar.gz: OK.