Created Verifying Archive Signatures (markdown)

Verifying-Archive-Signatures.md

@@ -0,0 +1,23 @@
+[Caddy's download page](https://caddyserver.com/download) distributes Caddy in an archive file with several files inside it, one of them being the `caddy(.exe)` binary. Because the build server also signs its builds with Caddy's private key, you can verify that your download has not been tampered with or corrupted. This check is performed with gpg.
+
+
+Make sure you've downloaded both the Caddy archive file and its associated signature using these links on the Download page:
+
+![Download links](https://i.imgur.com/yPB7KEF.png)
+
+Make sure [Caddy's public key](https://keybase.io/caddy) is in your keyring and is trusted. Then you can verify the downloaded file against the signature:
+
+```bash
+gpg --verify caddy_archive_file.asc caddy_archive_file
+```
+
+Replace "caddy_archive_file" with the name of the archive file you downloaded.
+
+If you see something like this:
+
+```plain
+gpg: Signature made Thu Apr 20 11:58:34 2017 MDT using RSA key ID CA56EA34
+gpg: Good signature from "Caddy Web Server <contact@caddyserver.com>"
+```
+
+Then you're good to go!