X-Git-Url: http://www.git.cypherpunks.ru/?p=pygost.git;a=blobdiff_plain;f=integrity.texi;fp=integrity.texi;h=a378666bddc40163817407d0627f7ca6bdc48f72;hp=0000000000000000000000000000000000000000;hb=b9ccf524fdce4b77dab1aa8020b09d7c7e1e55af;hpb=f3806b3cf5a9ccae5c358c1942262cf0f1d16227

diff --git a/integrity.texi b/integrity.texi
new file mode 100644
index 0000000..a378666
--- /dev/null
+++ b/integrity.texi
@@ -0,0 +1,34 @@
+You @strong{have to} verify downloaded tarballs authenticity to be sure
+that you retrieved trusted and untampered software. There are two options:
+
+@table @asis
+
+@item @url{https://www.openpgp.org/, OpenPGP} @file{.asc} signature
+    Use @url{https://www.gnupg.org/, GNU Privacy Guard} free software
+    implementation.
+    For the very first time it is necessary to get signing public key and
+    import it. It is provided @url{PUBKEY-PGP.asc, here}, but you should
+    check alternate resources.
+
+@verbatim
+pub   rsa2048/0xE6FD1269CD0C009E 2016-09-13
+      F55A 7619 3A0C 323A A031  0E6B E6FD 1269 CD0C 009E
+uid   PyGOST releases <pygost at cypherpunks dot ru>
+@end verbatim
+
+@example
+$ gpg --auto-key-locate dane --locate-keys pygost at cypherpunks dot ru
+$ gpg --auto-key-locate  wkd --locate-keys pygost at cypherpunks dot ru
+@end example
+
+@item @url{https://www.openssh.com/, OpenSSH} @file{.sig} signature
+    @url{PUBKEY-SSH.pub, Public key} and its OpenPGP
+    @url{PUBKEY-SSH.pub.asc, signature} made with the key above.
+    Its fingerprint: @code{SHA256:/Z3T/T2sXaaunefAL6tz3ZykHTDYIMh5TLd9Hh9mxlU}.
+
+@example
+$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I pygost@@cypherpunks.ru -n file \
+    -s pygost-@value{VERSION}.tar.zst.sig < pygost-@value{VERSION}.tar.zst
+@end example
+
+@end table