From 5aa0bf2d14c50bbe03df869b585d6c8148888717 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Wed, 1 Apr 2015 10:38:09 -0400
Subject: [PATCH] add instructions for verifying the signed tags to the README

---
 README.md | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/README.md b/README.md
index 60910e0a..e9676c83 100644
--- a/README.md
+++ b/README.md
@@ -28,6 +28,29 @@ The Box
 
 Mail-in-a-Box turns a fresh Ubuntu 14.04 LTS 64-bit machine into a working mail server, including SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), Exchange ActiveSync ([z-push](https://github.com/fmbiete/Z-Push-contrib)), webmail ([Roundcube](http://roundcube.net/)), spam filtering ([spamassassin](https://spamassassin.apache.org/)), greylisting ([postgrey](http://postgrey.schweikert.ch/)), CardDAV/CalDAV ([ownCloud](http://owncloud.org/)), DNS, [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), DKIM ([OpenDKIM](http://www.opendkim.org/)), [DMARC](https://en.wikipedia.org/wiki/DMARC), [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC), [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities), [SSHFP](https://tools.ietf.org/html/rfc4255), and basic system services like a firewall, intrusion protection, and setting the system clock.
 
+Authenticity
+------------
+
+I sign the release tags. To verify that a tag is signed by me, you can perform the following steps:
+
+	# Download my PGP key.
+	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
+	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
+
+	# Clone this repository.
+	$ git clone https://github.com/mail-in-a-box/mailinabox
+	$ cd mailinabox
+
+	# Verify the tag.
+	$ git verify-tag v0.08
+	gpg: Signature made ..... using RSA key ID C10BDD81
+	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
+	gpg: WARNING: This key is not certified with a trusted signature!
+	gpg:          There is no indication that the signature belongs to the owner.
+	Primary key fingerprint: 5F4C 0E73 13CC D744 693B  2AEA B920 41F4 C10B DD81
+
+The key ID and fingerprint above should match my [Keybase.io key](https://keybase.io/joshdata) and the fingerprint I publish on [my homepage](https://razor.occams.info/).
+
 The Acknowledgements
 --------------------