From d888c305970d73e9ca75e90b7705183299b36b04 Mon Sep 17 00:00:00 2001 From: Nikolaus Rath Date: Wed, 5 Jul 2023 11:03:07 +0100 Subject: Use signify to sign releases. --- README.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 1b02149..cf76978 100644 --- a/README.md +++ b/README.md @@ -52,9 +52,20 @@ Installation You can download libfuse from https://github.com/libfuse/libfuse/releases. To build and install, you must use [Meson](http://mesonbuild.com/) and -[Ninja](https://ninja-build.org). After extracting the libfuse -tarball, create a (temporary) build directory and run Meson: +[Ninja](https://ninja-build.org). After downloading the tarball, verify +it using [signify])(https://www.openbsd.org/papers/bsdcan-signify.html): + signify -V -z -m fuse-X.Y.Z.tar.gz -p fuse-X.Y.pub + +The `fuse-X.Y.pub` file contains the signing key and needs to be obtained from a +trustworthy source. Each libfuse release contains the signing key for the release after it +in the `signify` directory, so you only need to manually acquire this file once when you +install libfuse for the first time. + +After you have validated the tarball, extract it, create a (temporary) build directory and +run Meson: + + $ tar xzf fuse-X.Y.Z.tar.gz; cd fuse-X.Y.Z $ mkdir build; cd build $ meson setup .. -- cgit v1.2.3
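Review bot: The Markdown link on the added line `it using [signify])(https://www.openbsd.org/papers/bsdcan-signify.html):` has a stray `)` between `]` and `(`, so it will not render as a link; it should read `[signify](https://www.openbsd.org/papers/bsdcan-signify.html)`. The `signify -V -z -m fuse-X.Y.Z.tar.gz -p fuse-X.Y.pub` line also lacks the `$ ` prompt that the `tar`, `mkdir` and `meson` commands in the same section carry, so it is worth making them consistent. On the trust model, the new paragraph says `fuse-X.Y.pub` "needs to be obtained from a trustworthy source" but names none; consider pointing first-time installers at a concrete place to get or cross-check the key. It would also help to state whether a separate signature file has to be downloaded with the tarball, since `-z` is signify's mode for signatures embedded in the gzip header and the text does not say which form the releases use.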