@node Integrity
@section Tarballs integrity check
-You @strong{have to} verify downloaded archives integrity and check
+You @strong{have to} check downloaded archives integrity and verify
their signature to be sure that you have got trusted, untampered
software. For integrity and authentication of downloaded binaries
@url{https://www.gnupg.org/, The GNU Privacy Guard} is used. You must
-download signature (.sig) provided with the tarball.
+download signature (@file{.sig}) provided with the tarball.
-For the very first time you need to import signing public keys. They
-are provided below, but be sure that you are reading them from the
-trusted source. Alternatively check this page from
-@ref{Contacts, other sources} and look for the mailing list announcements.
+For the very first time you need to import signing public key. It is
+provided below, but it is better to check alternative resources with it.
-@include pubkey.texi
+@verbatim
+pub rsa2048/0xF2F59045FFE2F4A1 2015-03-10
+ D269 9B73 3C41 2068 D8DA 656E F2F5 9045 FFE2 F4A1
+uid GoVPN releases <releases at govpn dot info>
+@end verbatim
+
+@itemize
+
+@item This website @ref{Contacts, alternates} and maillist containing
+public key fingerprint.
+
+@item
+@verbatim
+% gpg --keyserver hkp://keys.gnupg.net/ --recv-keys 0xF2F59045FFE2F4A1
+% gpg --auto-key-locate dane --locate-keys releases at govpn dot info
+% gpg --auto-key-locate wkd --locate-keys releases at govpn dot info
+% gpg --auto-key-locate pka --locate-keys releases at govpn dot info
+@end verbatim
+
+@item
+@verbatiminclude .well-known/openpgpkey/hu/i4cdqgcarfjdjnba6y4jnf498asg8c6p.asc
+
+@end itemize
+
+Then you could verify tarballs signature:
+@verbatim
+% gpg --verify govpn-2.3.tar.xz.sig govpn-2.3.tar.xz
+@end verbatim