Diffstat (limited to 'carbslinux.texi')
-rw-r--r-- carbslinux.texi 37
1 files changed, 34 insertions, 3 deletions
diff --git a/carbslinux.texi b/carbslinux.texi
index 5ad5518..532bd38 100644
--- a/carbslinux.texi
+++ b/carbslinux.texi
@@ -207,12 +207,43 @@ sha256sum -c carbs-rootfs.tar.xz.sha256
@subsection Signature verification
It is highly recommended to verify the signature of the tarball. You will need
-GPG for this.
+the OpenBSD tool @samp{signify(1)} for this. Many distributions provide a package for
+it, if you are using a Carbs Linux host, you can also install the package
+@samp{otools} which provides @samp{signify}. Download the signature first.
@example
wget $URL/carbs-rootfs.tar.xz.sig
-gpg --recv-keys FF484BDFEFCEF8FF
-gpg --verify carbs-rootfs.tar.xz.sig
+@end example
+
+The signature file should say something similar to
+
+@example
+untrusted comment: verify with carbslinux-2021.04.pub
+RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ=
+@end example
+
+
+Grab the key (which probably should be the latest one) that is written on the
+file from @uref{https://dl.carbslinux.org/keys/} so you can verify the signature. The
+latest Signify public key is also available on the @uref{https://git.carbslinux.org/repository, package repository}, so you can
+check the validity of the public key from multiple locations, or just copy paste
+that portion to a file and use that instead.
+
+@example
+PUBKEY=carbslinux-2021.04.pub
+wget https://dl.carbslinux.org/keys/$PUBKEY
+@end example
+
+You can now verify the distribution tarball with signify.
+
+@example
+signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
+@end example
+
+If everything went alright, this should output:
+
+@example
+Signature Verified
@end example
@node Extracting the tarball
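Review bot: The "Grab the key" paragraph and the `wget https://dl.carbslinux.org/keys/$PUBKEY` example leave the trust anchor weak. The key name is taken from the signature file's `untrusted comment:` line, which is not covered by the signature, and the comparison with the copy on the package repository is worded as optional ("or just copy paste that portion to a file"). Consider making that comparison an explicit step before `signify -V`, and replacing "which probably should be the latest one" with a definite statement of which key signs the current release, so a reader does not end up verifying the tarball against whatever key the download location happens to serve. Two smaller points: the first added sentence is a comma splice ("...provide a package for it, if you are using a Carbs Linux host..."), which reads better split in two, and it is worth noting that `signify -V -m carbs-rootfs.tar.xz` looks for `carbs-rootfs.tar.xz.sig` in the same directory by default, since the command never names the signature file.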