-All released versions of this page will be GPG signed by moneromooo, to avoid trojaned versions
-being passed around. It is in your interest to check the signature.
-
-moneromooo's GPG key
-can be found in the Monero source tree.
-
-You can check for up to date versions of this page
-here.
-
-
-
+How to verify GPG signatures
+
+
+All released versions of this page will be GPG signed by moneromooo, to avoid trojaned versions
+being passed around. It is in your interest to check the signature.
+
+
+This page is maintained as a
+git repository.
+All commits are signed. In addition, released versions of the page are signed separately.
+In order to check either, you first need to import
+moneromooo's GPG key
+from the Monero source tree:
+
+
+
+gpg --import moneromooo.asc
+
+
+Checking a standalone signature
+
+
+You need to get the signature file corresponding to the version of the page you're using.
+Original signature files are
+in the git repository
+as well. Save it as monero-wallet-generator.html.asc, then:
+
+
+
+gpg --verify monero-wallet-generator.html.asc
+
+
+
+You should see a message similar to:
+
+
+
+gpg: Good signature from "moneromooo-monero <moneromooo-monero@users.noreply.github.com>"
+
+
+
+Check the signature is from the key you imported previously! If not, you may be checking
+that file was properly signed by an attacker instead of moneromooo. Beware that anyone can
+place any email address in a new GPG key, so the right email being shown is no guarantee.
+
+
+
+If you want to verify an old version of the file, you will have to retrieve the matching
+signature file from git.
+
+
+Checking a git commit's signature
+
+
+If you're using git to get the latest and greatest, it's even simpler:
+
+
+
+git show --show-signature
+
+
+
+You should see a message similar to:
+
+
+
+gpg: Good signature from "moneromooo-monero <moneromooo-monero@users.noreply.github.com>"
+
+
+
+Check the signature is from the key you imported previously! If not, you may be checking
+that file was properly signed by an attacker instead of moneromooo. Beware that anyone can
+place any email address in a new GPG key, so the right email being shown is no guarantee.
+
+
+
+