bdr: doc: document getting sources, document signing dev/docs
author Craig Ringer <craig@2ndquadrant.com>
Wed, 18 Feb 2015 05:25:05 +0000 (18:25 +1300)
committer Craig Ringer <craig@2ndquadrant.com>
Wed, 18 Feb 2015 05:25:05 +0000 (18:25 +1300)
doc/appendix-signatures.sgml [new file with mode: 0644]
doc/bdr.sgml
doc/filelist.sgml
doc/install-packages.sgml
doc/install-source.sgml

diff --git a/doc/appendix-signatures.sgml b/doc/appendix-signatures.sgml
new file mode 100644 (file)
index 0000000..3d9d2f9
--- /dev/null
@@ -0,0 +1,62 @@
+<appendix id="appendix-signatures" xreflabel="Verifying digital signatures">
+ <title>Verifying digital signatures</title>
+
+ <para>
+  The signing key ID used for BDR releases based on PostgreSQL 9.4 is <ulink
+  url="http://packages.2ndquadrant.com/postgresql-bdr94-2ndquadrant/RPM-GPG-KEY-2NDQ-BDR-94">
+  the key <literal>0x6E192B0E</literal></ulink>.
+ </para>
+
+ <para>
+  To download the BDR 9.4 repository key to your computer:
+  <programlisting>
+   curl -s http://packages.2ndquadrant.com/postgresql-bdr94-2ndquadrant/RPM-GPG-KEY-2NDQ-BDR-94 | gpg --import
+   gpg --fingerprint 0x6E192B0E
+  </programlisting>
+  then verify that the fingerprint is the expected value:
+  <programlisting>
+   9793 74C1 0580 940E 9611  1BE3 A879 B734 6E19 2B0E
+  </programlisting>
+ </para>
+
+ <para>
+  The BDR / 9.4 releases key key is in turn signed by
+  <ulink url="http://packages.2ndquadrant.com/2NDQUADRANT-PACKAGING-MASTER-KEY.asc">
+  the 2ndQuadrant master packaging/releases key with key ID
+  <literal>0x2B11E054</literal></ulink>. You can <ulink
+  url="http://2ndquadrant.com/signing-keys"> verify the fingerprint
+  of the master packaging key on the 2ndQuadrant website.</ulink>
+ </para>
+
+ <para>
+  For checking tarballs, download the BDR release signing key as
+  shown above, then use
+  <application>gpg</application> directly to verify, e.g.:
+  <programlisting>
+   gpg --verify bdr-0.8.0.tar.gz.asc
+  </programlisting>
+ </para>
+
+ <para>
+  To check a repository RPM, use <application>rpmkeys</application> to load the
+  master packaging signing key into the RPM database then use <literal>rpm -K</literal>, e.g.:
+  <programlisting>
+   sudo rpmkeys --import http://packages.2ndquadrant.com/2NDQUADRANT-PACKAGING-MASTER-KEY.asc
+   rpm -K postgresql-bdr94-2ndquadrant-redhat-1.0-2.noarch.rpm
+  </programlisting>
+ </para>
+
+ <para>
+  If you want to manually verify individual RPMs you will need to load the
+  repository key. This is usually installed for you when you install
+  the repository RPM, then <application>yum</application> checks the
+  package signatures after download. So it is <emphasis>not</emphasis>
+  typically necessary to manually verify signatures so long as you
+  verified the repository RPM.
+  <programlisting>
+   sudo rpmkeys --import http://packages.2ndquadrant.com/postgresql-bdr94-2ndquadrant/RPM-GPG-KEY-2NDQ-BDR-94
+   rpm -K some-bdr-rpm.rpm
+  </programlisting>
+ </para>
+
+</appendix>
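Review bot: The first programlisting pipes the key from a plain http:// URL straight into "gpg --import" and only afterwards compares the fingerprint, and both "sudo rpmkeys --import http://..." listings load a key into the RPM database with no fingerprint step at all. Suggest downloading the key to a file, checking its fingerprint against the value printed here (and, for the master key 0x2B11E054, against the signing-keys page) before importing, and saying explicitly that the fingerprint comparison is what establishes trust because the transport is unauthenticated. The lookups use the short key IDs 0x6E192B0E and 0x2B11E054; the full fingerprint is already printed for the BDR key, so "gpg --fingerprint" could take that, and the master key's fingerprint could be listed in the appendix as well. Minor: "releases key key" has a doubled word, and "gpg --verify bdr-0.8.0.tar.gz.asc" could name the tarball as a second argument so it is clear which file is being checked.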
index a759ce68308803e0e08fe5a7aa339d49ffa4a2f6..b284d76430014105da12aa729f2b7726745669fe 100644 (file)
 
  </part>
 
+ &appendix-signatures;
+
  <![%include-index;[&bookindex;]]>
  <![%include-xslt-index;[<index id="bookindex"></index>]]>
 </book>
index 3379c93307adaa94ced8a54fbaccb0232aa05769..9ce7e9f2a9763f0fd5be52750131e8e28e047200 100644 (file)
@@ -40,3 +40,4 @@
 <!ENTITY manual-monitoring      SYSTEM "manual-monitoring.sgml">
 <!ENTITY manual-settings      SYSTEM "manual-settings.sgml">
 <!ENTITY manual-functions      SYSTEM "manual-functions.sgml">
+<!ENTITY appendix-signatures      SYSTEM "appendix-signatures.sgml">
index 9d7fa05b3e6026fd7421933cbcfd2b8c94850dd2..176a9f507a222ef9d8c569d1e5f5bb9004ea2db3 100644 (file)
    </para>
 
    <note>
-    <title>Verifying the digital signature on the repository RPM</title>
     <para>
-     If you wish to verify the repository RPM's digital signature
-     using <literal>rpm -V</literal>, the signing key ID is the
-     2ndQuadrant packaging key <literal>0x2B11E054</literal>, which
-     can be <ulink
-     url="https://pgp.mit.edu/pks/lookup?search=0x2B11E054&amp;op=index&amp;exact=on">
-     found in the GPG keyservers</ulink>. You can <ulink
-     url="http://2ndquadrant.com/signing-keys"> verify the fingerprint
-     on the 2ndQuadrant website.</ulink> then import the key with
-     <literal>rpmkeys</literal>.
+     The repository RPM is signed with 2ndQuadrant's master packaging/releases
+     signing key. See <xref linkend="appendix-signatures">.
     </para>
    </note>
 
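Review bot: Removing the <title> line leaves this <note> untitled, so a reader skimming the package install page no longer sees that the note is about signature verification; suggest keeping a short title above the new <para>. The replacement text also drops the key ID 0x2B11E054 at the point where the repository RPM is installed and relies entirely on the xref, so it is worth stating here that the check should be done before installing the repository RPM, since the appendix says later signature checks by yum depend on it.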
index 8d3995ff8f78ef365b14f0ccb7ff023fd69d279a..2be5b27a73aae4a26507e9954a47f57c1ddfd650 100644 (file)
@@ -7,8 +7,8 @@
    To install either &bdr; or &udr; the prerequisites for compiling
    &postgres; must be installed. These are described in &postgres;'s
    documentation
-   on <ulink url='http://www.postgresql.org/docs/current/install-requirements.html'>build requirements</ulink>
-   and <ulink url='http://www.postgresql.org/docs/current/docguide-toolsets.html'>build requirements for documentation</ulink>.
+   on <ulink url="http://www.postgresql.org/docs/current/install-requirements.html">build requirements</ulink>
+   and <ulink url="http://www.postgresql.org/docs/current/docguide-toolsets.html">build requirements for documentation</ulink>.
   </para>
 
   <para>
   </para>
  </sect1>
 
+ <sect1 id="installation-get-source">
+  <title>Getting &bdr; source code</title>
+
+  <para>
+   There are two ways to get the &bdr; source code: with git, or by downloading tarballs of released versions.
+  </para>
+
+  <sect2>
+   <title>Using <application>git</application> to get the &bdr; sources</title>
+
+   <para>
+    Use <application><ulink url="http://git-scm.org">git</ulink></application> if you expect
+    to update often, you want to keep track of development or if you want to contribute
+    changes to &bdr;. There is no reason <emphasis>not</emphasis> to use <application>git</application>
+    if you're familiar with it.
+   </para>
+
+   <para>
+    The source for &bdr; is maintained at
+    <ulink url="http://git.postgresql.org/gitweb/?p=2ndquadrant_bdr.git;a=tree;h=refs/heads/bdr-plugin/stable;hb=bdr-plugin/stable">
+    git.postgresql.org in the 2ndquadrant_bdr repository</ulink>. There are
+    actually two independent source trees in this repository - one tree for
+    the &bdr; plugin, and one for the modified version of PostgreSQL
+    &pgmajorversion; that it requires to run. At the time of writing the
+    main branches are:
+    <itemizedlist>
+     <listitem><para><filename>bdr-plugin/stable</filename>:
+        the current stable release of the &bdr; plugin</para></listitem>
+     <listitem><para><filename>bdr-plugin/next</filename>:
+        the in-progress development version of the &bdr; plugin</para></listitem>
+     <listitem><para><filename>bdr-pg/REL9_4_STABLE</filename>:
+        the current stable release of the modified PostgreSQL that &bdr; requires.</para></listitem>
+    </itemizedlist>
+   </para>
+
+   <para>
+    There are also tags for each &bdr; release, e.g. <filename>bdr-plugin/0.8.0</filename>.
+   </para>
+
+   <para>
+    To clone the source code using <application>git</application> you will
+    need to run two clones, one for the &bdr; plugin sources and one for the
+    patched PostgreSQL sources, e.g.:
+    <programlisting>
+     git clone -b bdr-pg/REL9_4_STABLE git://git.postgresql.org/git/2ndquadrant_bdr.git postgresql-bdr
+     git clone -b bdr-plugin/stable git://git.postgresql.org/git/2ndquadrant_bdr.git bdr-plugin
+    </programlisting>
+   </para>
+
+   <para>
+    For more information on using <application>git</application> see
+    <ulink url="http://git-scm.org/">git-scm.org</ulink>.
+   </para>
+
+  </sect2>
+
+  <sect2>
+   <title>Downloading release source tarballs</title>
+
+   <para>
+    Official BDR release source code is uploaded as tarballs to the
+    &bdr; website along with a tarball checksum and a matching GnuPG
+    signature. See
+    <ulink url="http://2ndquadrant.com/bdr">http://2ndquadrant.com/bdr</ulink>
+    for the download information. See <xref linkend="appendix-signatures">
+    for information on verifying digital signatures.
+   </para>
+
+   <para>
+    You will need to download <emphasis>both</emphasis> the patched
+    PostgreSQL source (<filename>postgresql-bdr-[...].tar.gz</filename>) and
+    the associated BDR release (<filename>bdr-[...].tar.gz</filename>).
+   </para>
+
+   <para>
+    You may optionally verify the package checksums from the
+    <literal>.md5</literal> files and/or verify the GnuPG signatures
+    per <xref linkend="appendix-signatures">.
+   </para>
+
+   <para>
+    After you unpack the source code archives using <literal>tar xf</literal>
+    the installation process is the same as if you were installing from a git
+    clone.
+   </para>
+
+  </sect2>
+
+ </sect1>
+
  <sect1 id="installation-bdr-source">
   <title>Installation of &bdr; from source</title>
   <para>
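Review bot: In the "You may optionally verify" paragraph of the new tarball sect2, "and/or" puts the .md5 checksum on equal footing with the GnuPG signature. A checksum published alongside the tarball only catches download corruption; the signature is what shows the tarball was produced by the holder of the release key. Suggest rewording so the signature check is the recommended step and the .md5 is described as a corruption check. Also, the two "git clone" examples use git://, which is unauthenticated, and the section mentions release tags such as bdr-plugin/0.8.0 without saying whether they are signed or how to check them; a sentence on that would help. The two new <sect2> elements have no id, unlike the enclosing sect1, so they cannot be targeted by an xref.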