At the moment we mention the signature but don't actually say what it
is or how to check it. Lets surface the fingerprint on the information
along with a guide of how to verify the download.
Signed-off-by: Alex Bennée <alex.ben...@linaro.org>
Cc: Michael Roth <mdr...@linux.vnet.ibm.com>
Cc: Stefan Hajnoczi <stefa...@redhat.com>
---
_download/source.html | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/_download/source.html b/_download/source.html
index 35fd156..6c2f6f6 100644
--- a/_download/source.html
+++ b/_download/source.html
@@ -8,14 +8,21 @@
<div id="releases">
{% include releases.html %}
</div>
- <p>or stay on the bleeding edge with the
- <a href="https://gitlab.com/qemu-project/qemu";>git
repository!</a></p>
-
+ <p>
+ Our source code tarballs are signed with the release
+ managers key, fingerprint:
+ <pre><code>CEAC C9E1 5534 EBAB B82D 3FA0 3353 C9CE F108
B584</code></pre>.
+ Alternatively stay on the bleeding edge with the
+ <a href="https://gitlab.com/qemu-project/qemu";>git repository!</a></p>
<h2>Build instructions</h2>
{% for release in site.data.releases offset: 0 limit: 1 %}
<p>To download and build QEMU {{release.branch}}.{{release.patch}}:</p>
<pre>wget
https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz
+# optional verify signature
+wget
https://download.qemu.org/qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
+gpg --output qemu-{{release.branch}}.{{release.patch}}.tar.xz --verify
qemu-{{release.branch}}.{{release.patch}}.tar.xz.sig
+# extract and build
tar xvJf qemu-{{release.branch}}.{{release.patch}}.tar.xz
cd qemu-{{release.branch}}.{{release.patch}}
./configure
--
2.20.1
