download: update verification procedure for macOS

checked with macOS Monterey (12.6.5) on M1 MacBook Air

Author: pinheadmz

_includes/templates/download.html

@@ -24,9 +24,12 @@
 {% endcapture %}
 
 {% assign GPG_DOWNLOAD_URL = "https://www.gnupg.org/download/index.en.html#binary" %}
+{% assign GPG_VERIFY_KEYS_URL = "https://www.gnupg.org/gph/en/manual/x334.html" %}
 {% assign GPG_MACOS_DOWNLOAD_URL = "https://gpgtools.org/" %}
 {% assign GPG_WINDOWS_DOWNLOAD_URL = "https://gpg4win.org/download.html" %}
 {% assign GUIX_REPOSITORY_URL = "https://github.com/bitcoin-core/guix.sigs" %}
+{% assign GUIX_REPOSITORY_NAME = "guix.sigs" %}
+{% assign BUILDER_KEYS_DIR = "builder-keys" %}
 {% endcapture %}
 <link rel="alternate" type="application/rss+xml" href="/en/releasesrss.xml" title="Bitcoin Core releases">
 <div class="download">
@@ -207,7 +210,9 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
 
         <p>{{page.release_key_obtained}}</p></li>
 
-      <li><p>{{page.choosing_builders | replace: '$(BUILDER_KEYS_URL)', page.builder_keys_url }}</p></li>
+      <li>{{page.choosing_builders}}
+
+        <pre class="highlight"><code>git clone {{GUIX_REPOSITORY_URL}}</code><br><code>gpg --import {{GUIX_REPOSITORY_NAME}}/{{BUILDER_KEYS_DIR}}/*</code></pre></li>
 
       <li>{{page.verify_checksums_file}}
 
@@ -218,7 +223,9 @@ <h2 style="text-align: center" id="{{page.verify_download | slugify}}">{{page.ve
           <li><p>{{page.complete_line_saying}} <code>{{page.localized_gpg_primary_fingerprint}} {{SIGNING_KEY_FINGERPRINT_EXPLODED}}</code></p></li>
         </ol>
 
-        <p>{{page.gpg_trust_warning | replace: '$(SHORT_BUILDER_KEY)', SHORT_BUILDER_KEY }}</p></li>
+        <p>{{page.gpg_trust_warning | replace: '$(SHORT_BUILDER_KEY)', SHORT_BUILDER_KEY }}
+           <a href="{{GPG_VERIFY_KEYS_URL}}">{{page.verify_keys}}</a>
+        </p></li>
     </ol>
   </details>
 

_posts/en/pages/2017-01-01-download.md

@@ -97,18 +97,17 @@ obtain_release_key: >
 
 choosing_builders: >
   It is recommended that you choose a few individuals from this list who you find
-  trustworthy and import their keys as above, or import all the keys per the
-  instructions in the <a href="$(BUILDER_KEYS_URL)"><code>contrib/builder-key</code>
-  README</a>. You will later use their keys to check the signature attesting to the
-  validity of the checksums you use to check the binaries.
+  trustworthy and import their keys as above. You will later use their keys to
+  check the signature attesting to the validity of the checksums you use to check
+  the binaries. You can import all keys at once by cloning the repo and importing the directory:
 
 release_key_obtained: "The output of the command above should say that one key was imported, updated, has new signatures, or remained unchanged."
 
 verify_checksums_file: "Verify that the checksums file is PGP signed by a sufficient amount of keys you trust and have imported into your keychain:"
 
 check_gpg_output: >
   The command above will output a series of signature checks for each of the public
-  keys that signed the checksums. Each signature will show the following text:
+  keys that signed the checksums. Each valid signature will show the following text:
 
 line_starts_with: "A line that starts with:"
 complete_line_saying: "A complete line saying:"
@@ -120,6 +119,8 @@ gpg_trust_warning: >
   <code>$(SHORT_BUILDER_KEY)</code>) listed in the second line above matches what
   you had expected for the signers public key.
 
+verify_keys: "See the GNU handbook section on key management for more details."
+
 localized_checksum_ok: "OK"
 localized_gpg_good_sig: "Good signature"
 localized_gpg_primary_fingerprint: "Primary key fingerprint:"