From 0b743b56f0eb468db58a80a5d8822ac076de78ff Mon Sep 17 00:00:00 2001
From: Cem Keylan <cem@ckyln.com>
Date: Wed, 7 Apr 2021 10:36:48 +0300
Subject: carbslinux.txt: update

---
 carbslinux.txt | 43 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/carbslinux.txt b/carbslinux.txt
index a969c74..1451ef2 100644
--- a/carbslinux.txt
+++ b/carbslinux.txt
@@ -138,6 +138,7 @@ with the info reader. It is divided into sections and easier to read.
   URL variable so that we don't have to write it every time.
 
   ,----
+  | URL=https://dl.carbslinux.org/releases/x86_64
   | wget $URL/carbs-rootfs.tar.xz.sha256
   | sha256sum -c carbs-rootfs.tar.xz.sha256
   `----
@@ -147,14 +148,50 @@ with the info reader. It is divided into sections and easier to read.
 ----------------------------
 
   It is highly recommended to verify the signature of the tarball. You
-  will need GPG for this.
+  will need the OpenBSD tool `signify(1)' for this. Many distributions
+  provide a package for it, if you are using a Carbs Linux host, you can
+  also install the package `otools' which provides `signify'. Download
+  the signature first.
 
   ,----
   | wget $URL/carbs-rootfs.tar.xz.sig
-  | gpg --recv-keys FF484BDFEFCEF8FF
-  | gpg --verify carbs-rootfs.tar.xz.sig
   `----
 
+  The signature file should say something similar to
+
+  ,----
+  | untrusted comment: verify with carbslinux-2021.04.pub
+  | RWTBBPDVQ+aHB3dme2Kerf8XY+vWkIISp7Za2ufKghtlnRXPyObAQQyvEJYrwMVTaCBlPEnSWcnHQz8Nka06YVOIeextNKZY3AQ=
+  `----
+
+
+  Grab the key (which probably should be the latest one) that is written
+  on the file from <https://dl.carbslinux.org/keys/> so you can verify
+  the signature. The latest Signify public key is also available on the
+  [package repository], so you can check the validity of the public key
+  from multiple locations, or just copy paste that portion to a file and
+  use that instead.
+
+  ,----
+  | PUBKEY=carbslinux-2021.04.pub
+  | wget https://dl.carbslinux.org/keys/$PUBKEY
+  `----
+
+  You can now verify the distribution tarball with signify.
+
+  ,----
+  | signify -V -m carbs-rootfs.tar.xz -p $PUBKEY
+  `----
+
+  If everything went alright, this should output:
+
+  ,----
+  | Signature Verified
+  `----
+
+
+[package repository] <https://git.carbslinux.org/repository>
+
 
 2.1.3 Extracting the tarball
 ----------------------------
-- 
cgit v1.2.3