From 2d800284135597273fcb35f2983212ecbb73174a737ff4d51be64fca7c220dac Mon Sep 17 00:00:00 2001
From: Sergey Matveev <stargrave@stargrave.org>
Date: Mon, 30 Jun 2025 11:24:55 +0300
Subject: [PATCH] Example signature verification command

---
 makedist       |  9 +++++++--
 spec/Integrity | 15 ++++++++++-----
 spec/download  |  4 ++++
 3 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/makedist b/makedist
index f269b7b..760ac1f 100755
--- a/makedist
+++ b/makedist
@@ -47,6 +47,10 @@ $HOME/work/sgodup/sgodup -basedir cm/vendor -dupdir vendor -action hardlink
 cd ..
 
 cd spec
+cat >download <<EOF
+You can obtain releases source code prepared tarballs on
+=> http://www.keks.cypherpunks.su/
+EOF
 swg info >../spec.info
 ./mk-html
 mv ../spec.info .
@@ -123,8 +127,9 @@ Source code and its signature for that version can be found here:
     http://www.keks.cypherpunks.su/download/keks-${release}.tar.zst ($size KiB)
     http://www.keks.cypherpunks.su/download/keks-${release}.tar.zst.sig
 
-OpenSSH key: SHA256:egDNCXj0/8mCSWVEc3mlB788/yM86m0C5UYitppZyc8
-cm/signed key: C8E1B383FADA392E08F8F9F6B07C2F11861F14BE6D98C008C9AB8A9185527B5F
+Signing key fingerprints:
+    OpenSSH: SHA256:egDNCXj0/8mCSWVEc3mlB788/yM86m0C5UYitppZyc8
+    cm/signed: C8E1B383FADA392E08F8F9F6B07C2F11861F14BE6D98C008C9AB8A9185527B5F
 EOF
 echo mutt -s \"KEKS $release release announcement\" \
     keks@lists.cypherpunks.su \
diff --git a/spec/Integrity b/spec/Integrity
index c49d86a..a6de51b 100644
--- a/spec/Integrity
+++ b/spec/Integrity
@@ -1,11 +1,16 @@
 You *have to* verify downloaded tarballs authenticity to be sure that
-you retrieved trusted and untampered software. Metalink4 file contains
-its OpenSSH signature, that can be verified with
+you retrieved trusted and untampered software.
+
+Metalink4 file contains its OpenSSH signature.
 => PUBKEY-SSH.pub
 => PUBKEY-SSH.pub.asc
-[cm/signed/] .sig file can be verified with
+=> https://www.openssh.com/ OpenSSH
+=> https://gnupg.org/ GnuPG
+=> https://datatracker.ietf.org/doc/html/rfc5854 Metalink4
+
+[cm/signed/] .sig file can be verified with:
 => PUBKEY-CM.pub
 => PUBKEY-CM.pub.asc
 
-=> https://www.openssh.com/ OpenSSH
-=> https://gnupg.org/ GnuPG
+    $ cat keks-$version.tar.zst.sig keks-$version.tar.zst |
+        cmsigtool -v -d 4<PUBKEY-CM.pub
diff --git a/spec/download b/spec/download
index f02f1fb..f4cde91 100644
--- a/spec/download
+++ b/spec/download
@@ -1,3 +1,7 @@
+$ version=0.1.0
+$ [fetch|wget] http://www.keks.cypherpunks.su/download/keks-$version.tar.zst
+$ [fetch|wget] http://www.keks.cypherpunks.su/download/keks-$version.tar.zst.sig
+
 0.1.0 | XXXX-XX-XX | XXX KiB
     => download/keks-0.1.0.tar.zst.meta4
     => download/keks-0.1.0.tar.zst
-- 
2.50.0