From 8ceffb2f34a5e8fe156f6e44e404f3eaafa6799a Mon Sep 17 00:00:00 2001
From: Ricardo Wurmus <rekado@elephly.net>
Date: Fri, 23 Jun 2017 09:24:58 +0200
Subject: doc: Encourage signature verification.

* doc/contributing.texi (Submitting Patches): Remind contributors to verify
cryptographic signatures.
---
 doc/contributing.texi | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'doc/contributing.texi')

diff --git a/doc/contributing.texi b/doc/contributing.texi
index 925c584e42..0073f24518 100644
--- a/doc/contributing.texi
+++ b/doc/contributing.texi
@@ -333,6 +333,12 @@ distribution to make transverse changes such as applying security
 updates for a given software package in a single place and have them
 affect the whole system---something that bundled copies prevent.
 
+@item
+If the authors of the packaged software provide a cryptographic
+signature for the release tarball, make an effort to verify the
+authenticity of the archive.  For a detached GPG signature file this
+would be done with the @code{gpg --verify} command.
+
 @item
 Take a look at the profile reported by @command{guix size}
 (@pxref{Invoking guix size}).  This will allow you to notice references
-- 
cgit v1.2.3