luxolus
/
open-nomad
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

docs: remove partial sig/checksum verification 

Point users to security doc instead. Right now it takes a lot of
explaining to describe to users exactly how to validate the binary and
what the output of the tools used means.

For example, this is the output when validating according to the
instructions in this guide and the linked doc:

```
vagrant@linux:/tmp$ gpg --verify nomad_0.8.7_SHA256SUMS.sig
nomad_0.8.7_SHA256SUMS
gpg: Signature made Fri 11 Jan 2019 09:47:56 PM UTC using RSA key ID
348FFC4C
gpg: Good signature from "HashiCorp Security <security@hashicorp.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the
owner.
Primary key fingerprint: 91A6 E7F8 5D05 C656 30BE  F189 5185 2D87 348F
FC4C
vagrant@linux:/tmp$ shasum -a 256 -c nomad_0.8.7_SHA256SUMS
shasum: ./nomad_0.8.7_darwin_amd64.zip:
./nomad_0.8.7_darwin_amd64.zip: FAILED open or read
shasum: ./nomad_0.8.7_linux_386.zip: No such file or directory
./nomad_0.8.7_linux_386.zip: FAILED open or read
shasum: ./nomad_0.8.7_linux_amd64-lxc.zip: No such file or directory
./nomad_0.8.7_linux_amd64-lxc.zip: FAILED open or read
./nomad_0.8.7_linux_amd64.zip: OK
shasum: ./nomad_0.8.7_linux_arm64.zip: No such file or directory
./nomad_0.8.7_linux_arm64.zip: FAILED open or read
shasum: ./nomad_0.8.7_linux_arm.zip: No such file or directory
./nomad_0.8.7_linux_arm.zip: FAILED open or read
shasum: ./nomad_0.8.7_windows_386.zip: No such file or directory
./nomad_0.8.7_windows_386.zip: FAILED open or read
shasum: ./nomad_0.8.7_windows_amd64.zip: No such file or directory
./nomad_0.8.7_windows_amd64.zip: FAILED open or read
shasum: WARNING: 7 listed files could not be read
```

There are only two lines that matter in all of that output:

```
...
gpg: Good signature from "HashiCorp Security <security@hashicorp.com>"
...
./nomad_0.8.7_linux_amd64.zip: OK
...
```

I feel like trying to teach users how to use and interpret these tools
in our deployment guide may be as likely to reduce confidence as
increase it.
This commit is contained in:
Michael Schurter 2019-03-20 09:36:29 -07:00
parent 4c3dbd2f84
commit 3c78271ea2
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
website/source/guides/operations/deployment-guide.html.md
View File

@ -37,15 +37,13 @@ These setup steps should be completed on all Nomad hosts:
Precompiled Nomad binaries are available for download at [https://releases.hashicorp.com/nomad/](https://releases.hashicorp.com/nomad/) and Nomad Enterprise binaries are available for download by following the instructions made available to HashiCorp Enterprise customers.
You should perform checksum verification of the zip packages using the SHA256SUMS and SHA256SUMS.sig files available for the specific release version. HashiCorp provides [a guide on checksum verification](https://www.hashicorp.com/security.html) for precompiled binaries.
```text
export NOMAD_VERSION="0.8.7"
curl --silent --remote-name https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_linux_amd64.zip
curl --silent --remote-name https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_SHA256SUMS
curl --silent --remote-name https://releases.hashicorp.com/nomad/${NOMAD_VERSION}/nomad_${NOMAD_VERSION}_SHA256SUMS.sig
```
You may perform checksum verification of the zip packages using the SHA256SUMS and SHA256SUMS.sig files available for the specific release version. HashiCorp provides [a guide on checksum verification](https://www.hashicorp.com/security.html) for precompiled binaries.
## Install Nomad
Unzip the downloaded package and move the `nomad` binary to `/usr/local/bin/`. Check `nomad` is available on the system path.