5B9C 3306 7C71 ABCF CE1A CF8A 7F46 128A BB7C 1E42
The full public key be downloaded from the following link: https://homeserverhq.com/hshq.asc
The source code is composed of two bash scripts, hshq.sh and hshqlib.sh. hshq.sh is a simple wrapper script that invokes hshqlib.sh. hshq.sh will rarely, if ever, change. hshqlib.sh will be regularly updated. When an updated version of hshqlib.sh is available, the wrapper script (hshq.sh) will inform the user, and if the updated version is requested, will automatically download the latest version of hshqlib.sh and verify it.
To properly bootstrap the verification process, initially verifying the hshq.sh wrapper script should technically be performed manually by you before even running it. The steps below describe the manual verification process. If not performed manually, then the verification process for hshqlib.sh and future updates will be automatically initialized given that you (hopefully) started out with a verified version of hshq.sh.
You only need to perform the import once for the machine that you are on. The key will be imported into the .gnupg directory in your home directory, i.e. ~/.gnupg.
Enter the following command:
curl -s https://homeserverhq.com/hshq.asc | gpg --import
If gpg is not yet installed, it can be installed with the following command:
sudo apt update && sudo apt install gnupg -y
It should provide the following output. (email address intentionally obfuscated):
gpg: key 7F46128ABB7C1E42: public key "Dr. Doug (HomeServerHQ, LLC) <drdoug -at- homeserverhq.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
Note that 7F46128ABB7C1E42
matches the last 16 characters of the full fingerprint at the top of this page.
You can view your keys with the command:
gpg --list-keys
For ease of use, the wrapper script (hshq.sh) is signed using a detached signature. This makes the verification process optional. To obtain the corresponding signature, first determine your current version of the script. A very simple and straight-forward counting-based versioning system is used. Each new published updated version will have the version number incremented by +1. The version number will always be the second line of the script. So to extract it run the following command:
sed -n 2p hshq.sh
The output will look similar to the following:
HSHQ_WRAPPER_SCRIPT_VERSION=12
For this example, the version number is 12. Thus, the name of the signature file will be wrap-12.sig
. The signature can be obtained from the following URL: https://homeserverhq.com/signatures/wrap-12.sig
. To obtain this from the command line (ensure you change the version number to match your current version!):
wget -q https://homeserverhq.com/signatures/wrap-12.sig
Finally, to verify the code with the signature, enter the following command (changing the version number accordingly):
gpg --verify wrap-12.sig hshq.sh
A GOOD verification will produce the following output (email address intentionally obfuscated):
gpg: Signature made Mon 25 Mar 2024 10:46:34 PM CDT
gpg: using RSA key 5B9C33067C71ABCFCE1ACF8A7F46128ABB7C1E42
gpg: Good signature from "Dr. Doug (HomeServerHQ, LLC) <drdoug -at- homeserverhq.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5B9C 3306 7C71 ABCF CE1A CF8A 7F46 128A BB7C 1E42
The warning can be safely disregarded, as the expected fingerprint is published at the top of this page. Simply ensure it matches the Primary key fingerprint from the command output. For a full discussion of GPG (GNU Privacy Guard), see this article.
A BAD verification will produce (email address intentionally obfuscated):
gpg: Signature made Mon 25 Mar 2024 10:46:34 PM CDT
gpg: using RSA key 5B9C33067C71ABCFCE1ACF8A7F46128ABB7C1E42
gpg: BAD signature from "Dr. Doug (HomeServerHQ, LLC) <drdoug -at- homeserverhq.com>" [unknown]
If you receive a BAD signature, then the signature is fake or the source code has been altered. Send a notification email to security -at- homeserverhq.com as soon as possible. The downloaded update with the bad signature will be automatically discarded and you will be able to proceed safely with your current version. However, you should proceed with extreme caution and check to ensure that your system has not been comprimised.
To delete the signature file after verification, enter the following command:
rm wrap-12.sig