diff --git a/README.md b/README.md index a95bbb2e2..4af3274d8 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ Session integrates directly with [Oxen Service Nodes](https://docs.oxen.io/about ## Want to contribute? Found a bug or have a feature request? -Please search for any [existing issues](https://github.com/loki-project/session-ios/issues) that describe your bugs in order to avoid duplicate submissions. Submissions can be made by making a pull request to our dev branch. If you don't know where to start contributing, try reading the Github issues page for ideas. +Please search for any [existing issues](https://github.com/session-foundation/session-ios/issues) that describe your bugs in order to avoid duplicate submissions. Submissions can be made by making a pull request to our dev branch. If you don't know where to start contributing, try reading the Github issues page for ideas. ## Build instructions @@ -18,7 +18,46 @@ Build instructions can be found in [BUILDING.md](BUILDING.md). ## Translations -Want to help us translate Session into your language? You can do so at https://crowdin.com/project/session-ios! +Want to help us translate Session into your language? You can do so at https://getsession.org/translate ! + +## Verifying signatures + +**Step 1:** + +Add Jason's GPG key. Jason Rhinelander, a member of the [Session Technology Foundation](https://session.foundation/) and is the current signer for all Session iOS releases. His GPG key can be found on his GitHub and other sources. + +```sh +wget https://github.com/jagerman.gpg +gpg --import jagerman.gpg +``` + +**Step 2:** + +Get the signed hashes for this release. `SESSION_VERSION` needs to be updated for the release you want to verify. + +```sh +export SESSION_VERSION=2.9.1 +wget https://github.com/session-foundation/session-ios/releases/download/$SESSION_VERSION/signature.asc +``` + +**Step 3:** + +Verify the signature of the hashes of the files. + +```sh +gpg --verify signature.asc 2>&1 |grep "Good signature from" +``` + +The command above should print "`Good signature from "Jason Rhinelander...`". If it does, the hashes are valid but we still have to make the sure the signed hashes match the downloaded files. + +**Step 4:** + +Make sure the two commands below return the same hash for the file you are checking. If they do, file is valid. + +``` +sha256sum session-$SESSION_VERSION.ipa +grep .ipa signature.asc +``` ## License