update installation manual

3 files changed, 116 insertions, 9 deletions

diff --git a/carbslinux.org b/carbslinux.org
index 0cbe33b..05ad080 100644
--- a/carbslinux.org
+++ b/carbslinux.org
@@ -13,6 +13,11 @@ are used for assigning IDs to contribution guidelines.
 #+MACRO: contid [@@texinfo:@anchor{$1}@@$1]
 #+MACRO: sectid $2 [@@texinfo:@anchor{$1}@@$1]
 
+#+NAME: pubkey
+#+begin_src sh :exports none
+PUBKEY=carbslinux-2021.04.pub
+#+end_src
+
 This is the full documentation of [[https://carbslinux.org][Carbs Linux]], from the details of the
 distribution, installation, to the package manager. It is not yet complete.
 
@@ -150,14 +155,49 @@ sha256sum -c carbs-rootfs.tar.xz.sha256
 :END:
 
 It is highly recommended to verify the signature of the tarball. You will need
-GPG for this.
+the OpenBSD tool =signify(1)= for this. Many distributions provide a package for
+it, if you are using a Carbs Linux host, you can also install the package
+=otools= which provides =signify=. Download the signature first.
 
 #+BEGIN_SRC sh
 wget $URL/carbs-rootfs.tar.xz.sig
-gpg --recv-keys FF484BDFEFCEF8FF
-gpg --verify carbs-rootfs.tar.xz.sig
 #+END_SRC
 
+The signature file should say something similar to
+
+#+begin_src sh :exports results :results verbatim
+curl -L https://dl.carbslinux.org/releases/x86_64/carbs-rootfs.tar.xz.sig
+#+end_src
+
+#+RESULTS:
+: untrusted comment: verify with carbslinux-2021.04.pub
+: RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ=
+
+Grab the key (which probably should be the latest one) that is written on the
+file from [[https://dl.carbslinux.org/keys/]] so you can verify the signature. The
+latest Signify public key is also available on the [[https://git.carbslinux.org/repository][package repository]], so you can
+check the validity of the public key from multiple locations, or just copy paste
+that portion to a file and use that instead.
+
+#+begin_src sh :noweb yes
+<<pubkey>>
+wget https://dl.carbslinux.org/keys/$PUBKEY
+#+end_src
+
+You can now verify the distribution tarball with signify.
+
+#+begin_src sh
+signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
+#+end_src
+
+If everything went alright, this should output:
+
+#+begin_example
+Signature Verified
+#+end_example
+
+
+
 *** Extracting the tarball
 :PROPERTIES:
 :DESCRIPTION: Extracting the root filesystem to the desired location
diff --git a/carbslinux.texi b/carbslinux.texi
index 5ad5518..532bd38 100644
--- a/carbslinux.texi
+++ b/carbslinux.texi
@@ -207,12 +207,43 @@ sha256sum -c carbs-rootfs.tar.xz.sha256
 @subsection Signature verification
 
 It is highly recommended to verify the signature of the tarball. You will need
-GPG for this.
+the OpenBSD tool @samp{signify(1)} for this. Many distributions provide a package for
+it, if you are using a Carbs Linux host, you can also install the package
+@samp{otools} which provides @samp{signify}. Download the signature first.
 
 @example
 wget $URL/carbs-rootfs.tar.xz.sig
-gpg --recv-keys FF484BDFEFCEF8FF
-gpg --verify carbs-rootfs.tar.xz.sig
+@end example
+
+The signature file should say something similar to
+
+@example
+untrusted comment: verify with carbslinux-2021.04.pub
+RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ=
+@end example
+
+
+Grab the key (which probably should be the latest one) that is written on the
+file from @uref{https://dl.carbslinux.org/keys/} so you can verify the signature. The
+latest Signify public key is also available on the @uref{https://git.carbslinux.org/repository, package repository}, so you can
+check the validity of the public key from multiple locations, or just copy paste
+that portion to a file and use that instead.
+
+@example
+PUBKEY=carbslinux-2021.04.pub
+wget https://dl.carbslinux.org/keys/$PUBKEY
+@end example
+
+You can now verify the distribution tarball with signify.
+
+@example
+signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
+@end example
+
+If everything went alright, this should output:
+
+@example
+Signature Verified
 @end example
 
 @node Extracting the tarball
diff --git a/install.txt b/install.txt
index bfe8cae..59e892e 100644
--- a/install.txt
+++ b/install.txt
@@ -82,14 +82,50 @@ can be acquired as plain-text to be viewed offline with a pager from
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
   It is highly recommended to verify the signature of the tarball. You
-  will need GPG for this.
+  will need the OpenBSD tool `signify(1)' for this. Many distributions
+  provide a package for it, if you are using a Carbs Linux host, you can
+  also install the package `otools' which provides `signify'. Download
+  the signature first.
 
   ,----
   | wget $URL/carbs-rootfs.tar.xz.sig
-  | gpg --recv-keys FF484BDFEFCEF8FF
-  | gpg --verify carbs-rootfs.tar.xz.sig
   `----
 
+  The signature file should say something similar to
+
+  ,----
+  | untrusted comment: verify with carbslinux-2021.04.pub
+  | RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ=
+  `----
+
+
+  Grab the key (which probably should be the latest one) that is written
+  on the file from <https://dl.carbslinux.org/keys/> so you can verify
+  the signature. The latest Signify public key is also available on the
+  [package repository], so you can check the validity of the public key
+  from multiple locations, or just copy paste that portion to a file and
+  use that instead.
+
+  ,----
+  | PUBKEY=carbslinux-2021.04.pub
+  | wget https://dl.carbslinux.org/keys/$PUBKEY
+  `----
+
+  You can now verify the distribution tarball with signify.
+
+  ,----
+  | signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
+  `----
+
+  If everything went alright, this should output:
+
+  ,----
+  | Signature Verified
+  `----
+
+
+[package repository] <https://git.carbslinux.org/repository>
+
 
 1.3 Extracting the tarball
 ~~~~~~~~~~~~~~~~~~~~~~~~~~