From 58b4cb6cb9dea106e93c1ac1eadaf3457e0e06d6 Mon Sep 17 00:00:00 2001 From: Matt Holt Date: Sat, 22 Apr 2017 17:22:26 -0600 Subject: [PATCH] Created Verifying Archive Signatures (markdown) --- Verifying-Archive-Signatures.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 Verifying-Archive-Signatures.md diff --git a/Verifying-Archive-Signatures.md b/Verifying-Archive-Signatures.md new file mode 100644 index 0000000..1cb06d9 --- /dev/null +++ b/Verifying-Archive-Signatures.md @@ -0,0 +1,23 @@ +[Caddy's download page](https://caddyserver.com/download) distributes Caddy in an archive file with several files inside it, one of them being the `caddy(.exe)` binary. Because the build server also signs its builds with Caddy's private key, you can verify that your download has not been tampered with or corrupted. This check is performed with gpg. + + +Make sure you've downloaded both the Caddy archive file and its associated signature using these links on the Download page: + +![Download links](https://i.imgur.com/yPB7KEF.png) + +Make sure [Caddy's public key](https://keybase.io/caddy) is in your keyring and is trusted. Then you can verify the downloaded file against the signature: + +```bash +gpg --verify caddy_archive_file.asc caddy_archive_file +``` + +Replace "caddy_archive_file" with the name of the archive file you downloaded. + +If you see something like this: + +```plain +gpg: Signature made Thu Apr 20 11:58:34 2017 MDT using RSA key ID CA56EA34 +gpg: Good signature from "Caddy Web Server " +``` + +Then you're good to go! \ No newline at end of file
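Review bot: The step "Make sure [Caddy's public key](https://keybase.io/caddy) is in your keyring and is trusted" never says how a reader confirms they have the right key, and the sample output identifies the signer only by the short ID `CA56EA34`. Short key IDs can collide, and "Good signature" only means the archive matches some key already in the keyring, so the page should state the key's full fingerprint and tell readers to compare it (for example with `gpg --fingerprint`) before relying on the result. Consider also showing how to import the key, describing what a failed check looks like (`BAD signature`) and that the download should then be discarded, and ending the file with a newline.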