docs: update instructions for verifying dcrinstall

README.md

@@ -13,47 +13,70 @@ go to [decred-binaries](https://github.com/decred/decred-binaries).
 
 ## Verifying dcrinstall
 
-Each release contains a manifest file with sha256 hashes for the
-installers in that release.  To verify these, you will need:
+For your security, we recommend that you verify binaries before running them.
+Each release contains a manifest file with SHA-256 hashes for each released
+binary. To ensure your downloads are authentic, you should verify that the
+manifest file is signed by `[email protected]`, and that your hashed binary
+matches the manifest.
 
-* SHA256 - Once you download your file(s), you need to check their
-  SHA256 hashes, so you may need to download a tool to do this,
-  depending on your OS.
-* GnuPG or PGP - This is required to import public keys and verify
-  signatures. Examples below use GnuPG.
+Detailed instructions can be found in the Decred Documentation:
+[Verifying Binaries](https://docs.decred.org/advanced/verifying-binaries/).
+New users should start there.
 
-The steps to verify the binaries are as follows:
+If you've already done this before and you still have the Decred Release keys
+on your GnuPG keyring, the following shorthand instructions are provided as a
+quick refresher:
 
-1. Download the file manifest (manifest-dcrinstall-vX.X.X.txt), the signature for the file manifest (manifest-dcrinstall-vX.X.X.txt.asc), and the installer for your OS from [here](https://github.com/decred/decred-release/releases).
-2. Obtain the SHA256 value for the installer for your OS and check that it matches the value in the file manifest, e.g. for 64-bit Linux
+1. Download:
+
+   * The zip/tarball for your specific OS / architecture
+   * The file manifest and hashes, ending in `-manifest.txt`
+   * The signature for the manifest, ending in `-manifest.txt.asc`
+
+2. Verify that the manifest was directly signed by the Decred project:
 
    ```
-   $ sha256sum dcrinstall-linux-amd64-v0.3.0
-   a53004599daeab51c0e86af026748b7aa55ff9e5d4844bef3b7d8ccf8a5d72a9  dcrinstall-linux-amd64-v0.3.0
+   $ gpg --verify dcrinstall-v1.5.1-manifest.txt.asc
    ```
 
-3. Import the Decred Release Signing Key in GnuPG.
+   Example output:
    ```
-   $ gpg --keyserver pgp.mit.edu --recv-keys 0x6D897EDF518A031D
-      gpg: requesting key 518A031D from hkp server pgp.mit.edu
-      gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
-      gpg: key 7608AF04: public key "Decred Release <[email protected]>" imported
-      gpg: Total number processed: 1
-      gpg: imported: 1 (RSA: 1)
-   ```
-4. Verify the signature for the file manifest is valid and created by
-the Decred Release Signing Key.
-
-	```
-   $ gpg --verify manifest-dcrinstall-v0.3.0.txt.asc
-      gpg: assuming signed data in `manifest-dcrinstall-v0.3.0.txt'
-      gpg: Signature made Wed 27 Jan 2016 08:56:59 PM UTC using RSA key ID 518A031D
-      gpg: Good signature from "Decred Release <[email protected]>"
-      gpg: WARNING: This key is not certified with a trusted signature!
-      gpg: There is no indication that the signature belongs to the owner.
-          Primary key fingerprint: FD13 B683 5E24 8FAF 4BD1 838D 6DF6 34AA 7608 AF04
-           Subkey fingerprint: F516 ADB7 A069 852C 7C28 A02D 6D89 7EDF 518A 031D
+   gpg: assuming signed data in 'dcrinstall-v1.5.1-manifest.txt'
+   gpg: Signature made 01/29/20 15:17:45 Eastern Standard Time
+   gpg:                using RSA key F516ADB7A069852C7C28A02D6D897EDF518A031D
+   gpg: Good signature from "Decred Release <[email protected]>" [unknown]
+   gpg: WARNING: This key is not certified with a trusted signature!
+   gpg:          There is no indication that the signature belongs to the owner.
+   Primary key fingerprint: FD13 B683 5E24 8FAF 4BD1  838D 6DF6 34AA 7608 AF04
+      Subkey fingerprint: F516 ADB7 A069 852C 7C28  A02D 6D89 7EDF 518A 031D
    ```
 
-The installer for your platform is now verified and you can be confident
-it was generated by the Decred team.
+   If you see `Good signature from "Decred Release <[email protected]>"`, then
+   you're successful! You can trust that the `manifest.txt` came directly from the
+   Decred project.
+
+3. Verify that the hash of your downloaded zip/tarball matches the manifest hash:
+
+   * Windows:
+
+      * If you have [7-Zip](https://7-zip.org/) installed, simply open up Windows
+      Explorer, right click on the file, mouseover `CRC SHA`, then click `SHA-256`.
+
+      * `$ certutil -hashfile <your file> SHA256`
+
+   * macOS
+
+      * `$ shasum -a 256 <your file>`
+
+   * Linux
+
+      * `$ sha256sum <your file>`
+
+   Example output:
+   ```
+   9c346bbdb5dbd9671f2ef6731f52c228f5972000960be8dfdc9346f52bab48b2 *dcrinstall-linux-amd64-v1.5.1
+   ```
+
+If your output hash matches the hash from the manifest, you're done! The binary
+for your platform is now verified and you can be confident it was generated by
+the Decred Project. It's safe to install the software.