Add signature verification instructions to README

2026-05-06 12:19:11 -07:00 · 2026-04-04 21:31:36 +02:00
parent 5d78aac091
commit 05f718b092
1 changed files with 15 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -33,6 +33,21 @@ sudo apt install gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.
 sudo dnf install gstreamer1-plugins-base gstreamer1-plugins-good gstreamer1-libav
 ```

+### Verifying signatures
+
+Release updater artifacts (`.tar.gz`, `.nsis.zip`, `.app.tar.gz`) include `.sig` files signed with minisign. To verify:
+
+```bash
+# Save the public key
+echo "untrusted comment: minisign public key: F9D2C39297592652
+RWRSJlmXksPS+cSpOrnmUpmJSebrbT1gxNeS33X/S7fxBAb/SdvWewNm" > vega.pub
+
+# Verify an artifact
+minisign -Vm vega_0.12.1_amd64.AppImage.tar.gz -p vega.pub
+```
+
+**Note:** The standalone `.deb`, `.rpm`, and `.dmg` installers do not have signatures yet — only the updater bundles do.
+
 ## Features

 **Identity & accounts**