From e2996e29c7fb4697b9d95fe17d316bd2dded9d17 Mon Sep 17 00:00:00 2001
From: John Terpstra <jht@samba.org>
Date: Sun, 13 Apr 2003 13:50:45 +0000
Subject: Adding more docs. (This used to be commit
 8b75c925b9a237e967a92f17a9b85562c1da8733)

---
 docs/docbook/projdoc/Compiling.sgml | 57 +++++++++++++++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 2 deletions(-)

(limited to 'docs/docbook/projdoc/Compiling.sgml')

diff --git a/docs/docbook/projdoc/Compiling.sgml b/docs/docbook/projdoc/Compiling.sgml
index b8471508f6..15b5acc594 100644
--- a/docs/docbook/projdoc/Compiling.sgml
+++ b/docs/docbook/projdoc/Compiling.sgml
@@ -13,8 +13,10 @@
 
 <title>How to compile SAMBA</title>
 
-<para>You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version, 
-you can download samba from CVS or using rsync. </para>
+<para>
+You can obtain the samba source from the <ulink url="http://samba.org/">samba website</ulink>. To obtain a development version, 
+you can download samba from CVS or using rsync.
+</para>
 
 <sect1>
 <title>Access Samba source code via CVS</title>
@@ -177,6 +179,57 @@ on this system just substitute the correct package name
 	</para>
 </sect1>
 
+<sect1>
+<title>Verifying Samba's PGP signature</title>
+
+<para>
+In these days of insecurity, it's strongly recommended that you verify the PGP signature for any
+source file before installing it. According to Jerry Carter of the Samba Team, only about 22% of
+all Samba downloads have had a corresponding PGP signature download (a very low percentage, which
+should be considered a bad thing). Even if you're not downloading from a mirror site, verifying PGP
+signatures should be a standard reflex.
+</para>
+
+
+<para>
+With that said, go ahead and download the following files:
+</para>
+
+<para><programlisting>
+     $ wget http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.asc
+     $ wget http://us1.samba.org/samba/ftp/samba-pubkey.asc
+</programlisting></para>
+
+<para>
+The first file is the PGP signature for the Samba source file; the other is the Samba public
+PGP key itself. Import the public PGP key with:
+</para>
+
+<programlisting>
+     $ gpg --import samba-pubkey.asc
+</programlisting>
+
+<para>
+And verify the Samba source code integrity with:
+</para>
+
+<programlisting>
+     $ gzip -d samba-2.2.8a.tar.gz
+     $ gpg --verify samba-2.2.8a.tar.asc
+</programlisting>
+
+<para>
+If you receive a message like, "Good signature from Samba Distribution Verification Key..."
+then all is well. The warnings about trust relationships can be ignored. An example of what
+you would not want to see would be:
+</para>
+
+<programlisting>
+     gpg: BAD signature from "Samba Distribution Verification Key"
+</programlisting>
+
+</sect1>
+
 <sect1>
 	<title>Building the Binaries</title>
 	
-- 
cgit