Verify release artifacts

Goal

Confirm three properties before installation:

1. the artifact is authentic (GPG signature);
2. the artifact is not corrupted (SHA256);
3. the artifact matches the expected version.

Step-by-step verify path

VERSION="0.6.3"
ART="angarabase-server-v${VERSION}-x86_64-unknown-linux-gnu.tar.gz"
BASE_URL="https://s3.angarabase.io/stable/v${VERSION}"

# 1) Download
curl -fsSL "${BASE_URL}/${ART}" -o "${ART}"
curl -fsSL "${BASE_URL}/${ART}.asc" -o "${ART}.asc"
curl -fsSL "${BASE_URL}/SHA256SUMS" -o SHA256SUMS

# 2) Import the release key (once)
gpg --keyserver hkps://keys.openpgp.org --recv-keys <KEY_FINGERPRINT>
# alternative:
# curl -fsSL https://angarabase.io/release-key.gpg | gpg --import

# 3) Verify signature
gpg --verify "${ART}.asc" "${ART}"

# 4) Verify checksum
sha256sum --check --ignore-missing SHA256SUMS

Success criteria

• gpg --verify returns Good signature.
• sha256sum --check returns OK.

If any step fails, do not use the artifact.

Next

After the signature and SHA-256 match:

• Installation — unpack the verified archive or install the package.
• GOST crypto setup — if GOST cryptography is required during verification.
• Support and bug-report artifact collection — what to do if the hash does not match.