Set up environment for verifying downloads; install Scripts directory
To set up the environment for verifying downloaded artifacts, you will need the GnuPG toolkit (which may already be installed, see comments in code block, below).
Each tranSMART Foundation release artifact (see http://library.transmartfoundation.org/release/release16_1_0.html ) will be downloaded and verified by the install Script. Once you made the necessary setup (this code block) and downloaded, verified, and installed the Scripts folder (the next code block), then the scripts will be able to download, verify, and install all of the other artifacts. In particular, to set up for verification, you must declare your trust in one or more of the signers of the tranSMART Foundation key; which was used to sign the signature file (called a 'detached signature') of all of the artifacts. We each generated a personal key, and each signed the tranSMART Foundation key with our personal key: Terry Weymouth, Peter Rice, John O'Hara, Keith Nangle.
In this process (the 'Set up for verification' code block, directly below) you will need to declare your trust in the person/personal-key of one or more of the signers of the tranSMART Foundation key, You will use the following information:
id | Fingerprint | Description |
|---|---|---|
| 51771D67 | 38F7 51E9 9525 32C8 A11D DA8F EA1D 335C 5177 1D67 | Personal key: Terry Weymouth |
| B71F5D78 | C85D A36B 5E03 4D9C CF5C E270 743B 28C7 B71F 5D78 | Personal key: Peter Rice |
| 178A3631 | 7DFD 03EA 25CC A22E 99C5 A55B 4EA6 5167 178A 3631 | Personal key: John O'Hara |
| 159B600C | FDEC 9561 10D8 3519 B45A F570 6268 396B 159B 600C | Personal key: Keith Nangle |
| ACC50501 | 79CB 8244 E273 7855 274A 55CE A3EE 8EF2 ACC5 0501 | tranSMART Foundation signing key |
The process to declare trust is embodied in the decision to impart trust to these keys. You will be asked to choose one of these options: to trust ultimately, to trust fully, to trust marginally, or not to trust. To fully verify the Foundation's key, you must trust ultimately the tranSMART Foundation signing key (ACC50501), and of the other, supporting keys either trust fully one key or trust marginally at least three keys of the signers. You will use the command gpg --edit-key <key-id> trust to indicate trust; type quit to exit the edit-key option.
Set up for verification
sudo apt-get updatesudo apt-get install -y gnupg# download the keys needed for the verification process# download to the GPG 'keyring' the public keys that will be used to verify the integrity# of the downloaded artifacts, here and when the script is run # use this command to display the fingerprints of the uploaded keys to verify integretygpg --fingerprint# declare your "ultimate" trust in the transmart foundation key# (type 'quit' to exit the edit-key mode)gpg --edit-key ACC50501 trust # declare your "full" trust in one of the other keys# or your "marginal" trust in at least three of the other keys# with one or more of the following commands# (type 'quit' to exit the edit-key mode)gpg --edit-key 51771D67 trustgpg --edit-key B71F5D78 trustgpg --edit-key 178A3631 trustgpg --edit-key 159B600C trust |
To download and verify the Scripts zip file and install the folder, run the following commands in the home directory of the account that you are going to use to run transmart.
sudo apt-get install -y curlsudo apt-get install -y unzip# download and verify the installation script; verification is of the 'detached signature' (the sig file)curl http://library.transmartfoundation.org/release/release16_1_0_artifacts/Scripts-release-16.1.zip -o Scripts-release-16.1.zipcurl http://library.transmartfoundation.org/release/release16_1_0_artifacts/Scripts-release-16.1.zip.sig -o Scripts-release-16.1.zip.siggpg --default-key ACC50501 --verify Scripts-release-16.1.zip.sig Scripts-release-16.1.zip # You will see output similar to this# gpg: Signature made Wed 25 May 2016 01:42:16 PM EDT using RSA key ID ACC50501# gpg: checking the trustdb# gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model# gpg: depth: 0 valid: 1 signed: 4 trust: 0-, 0q, 0n, 0m, 0f, 1u# gpg: depth: 1 valid: 4 signed: 0 trust: 1-, 0q, 0n, 0m, 3f, 0u# gpg: next trustdb check due at 2019-11-30# gpg: Good signature from "tranSMART Foundation <support@transmartfoundation.org>"# unzip and rename the Scripts folderunzip Scripts-release-16.1.zipmv Scripts-release-16.1 Scripts |
