doc: Mention how to verify signatures.

* doc/guix.texi (Binary Installation): Be more precise about signature verification. Suggested by Carl Hansen <carlhansen1234@gmail.com>.
2016-01-01 19:01:05 +01:00 · 2016-01-01 19:01:05 +01:00 · daa8922abc
parent 45147b0caa
commit daa8922abc
1 changed files with 21 additions and 5 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -312,11 +312,27 @@ Installing goes along these lines:
@enumerate
@item
 Download the binary tarball from
-@indicateurl{ftp://alpha.gnu.org/gnu/guix/guix-binary-@value{VERSION}.@var{system}.tar.xz}@footnote{As
-usual, make sure to download the associated @file{.sig} file and to
-verify the authenticity of the tarball against it!}, where @var{system}
-is @code{x86_64-linux} for an @code{x86_64} machine already running the
-kernel Linux, and so on.
+@indicateurl{ftp://alpha.gnu.org/gnu/guix/guix-binary-@value{VERSION}.@var{system}.tar.xz},
+where @var{system} is @code{x86_64-linux} for an @code{x86_64} machine
+already running the kernel Linux, and so on.
+
+Make sure to download the associated @file{.sig} file and to verify the
+authenticity of the tarball against it, along these lines:
+
+@example
+$ wget ftp://alpha.gnu.org/gnu/guix/guix-binary-@value{VERSION}.@var{system}.tar.xz.sig
+$ gpg --verify guix-binary-@value{VERSION}.@var{system}.tar.xz.sig
+@end example
+
+If that command fails because you don't have the required public key,
+then run this command to import it:
+
+@example
+$ gpg --keyserver keys.gnupg.net --recv-keys 3D9AEBB5
+@end example
+
+@noindent
+and rerun the @code{gpg --verify} command.

@item
 As @code{root}, run: