1.1.2 Signature verification

It is highly recommended to verify the signature of the tarball. You will need the OpenBSD tool ‘signify(1)’ for this. Many distributions provide a package for it; if you are using a Carbs Linux host, you can also install the package ‘otools’, which provides ‘signify’. Download the signature first.

wget $URL/carbs-rootfs.tar.xz.sig

The signature file should say something similar to

untrusted comment: verify with carbslinux-2023.02.pub
RWTe38zmx+iyuKEL5T84MJ5Y24jqenkTtQLJxbaMzOBS/NkGVl5J+Vn2B6vTV/gJK7LYBPS+IOXV5sEf+YLGCMcBYAGHCcP4xQ8=

Grab the key named in the signature file (which should probably be the latest one) from https://dl.carbslinux.org/keys/ so you can verify the signature. The latest Signify public key is also available in the package repository, so you can check the validity of the public key from multiple locations, or just copy and paste that portion to a file and use that instead.

PUBKEY=carbslinux-2023.02.pub
wget https://dl.carbslinux.org/keys/$PUBKEY

You can now verify the distribution tarball with signify.

signify -V -m carbs-rootfs.tar.xz -p $PUBKEY

If everything went alright, this should output:

Signature Verified
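The key name in the "untrusted comment" line is only a hint; what ties a signature to a key is the 8-byte key number inside the base64 line. The following added example (not part of the Carbs Linux documentation or of signify) decodes the signature file shown above and compares key numbers; `make_pub` is a hypothetical helper that builds a constructed stand-in key, not the real Carbs Linux key.

```python
import base64

# signify layout: 2-byte algorithm tag "Ed", 8-byte key number,
# then a 64-byte Ed25519 signature or a 32-byte public key.
SIG_LEN, PUB_LEN = 2 + 8 + 64, 2 + 8 + 32
PREFIX = "untrusted comment: "

def parse_signify(text):
    """Return (comment, key number as hex, payload) for a .sig or .pub file."""
    lines = text.strip().splitlines()
    if len(lines) < 2 or not lines[0].startswith(PREFIX):
        raise ValueError("not a signify file")
    raw = base64.b64decode(lines[1], validate=True)
    if raw[:2] != b"Ed" or len(raw) not in (SIG_LEN, PUB_LEN):
        raise ValueError("unexpected algorithm or length")
    return lines[0][len(PREFIX):], raw[2:10].hex(), raw[10:]

def key_matches(sig_text, pub_text):
    """True if the signature names the same key number as the public key."""
    _, sig_num, sig = parse_signify(sig_text)
    _, pub_num, pub = parse_signify(pub_text)
    return len(sig) == 64 and len(pub) == 32 and sig_num == pub_num

def same_public_key(copy_a, copy_b):
    """Compare two downloads of a key by content, ignoring the comment line."""
    return parse_signify(copy_a)[1:] == parse_signify(copy_b)[1:]

# The signature file shown on this page.
SIG = (
    "untrusted comment: verify with carbslinux-2023.02.pub\n"
    "RWTe38zmx+iyuKEL5T84MJ5Y24jqenkTtQLJxbaMzOBS/NkGVl5J+Vn2B6vTV/gJK7LYBPS+IOXV5sEf+YLGCMcBYAGHCcP4xQ8=\n"
)

def make_pub(keynum_hex, comment="constructed key"):
    # Constructed stand-in: zero bytes in place of real key material.
    raw = b"Ed" + bytes.fromhex(keynum_hex) + bytes(32)
    return f"{PREFIX}{comment}\n{base64.b64encode(raw).decode()}\n"

if __name__ == "__main__":
    comment, keynum, _ = parse_signify(SIG)
    print("comment hint:", comment)
    print("key number:  ", keynum)
    print("matching key:", key_matches(SIG, make_pub(keynum)))
    print("other key:   ", key_matches(SIG, make_pub("00" * 8)))
```

A matching key number only shows that the right key file was fetched; the signature itself is still checked by `signify -V`.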