From 18490bbb17067888ade3c94841077bd01f293402 Mon Sep 17 00:00:00 2001
From: Audric Ackermann <audric@loki.network>
Date: Mon, 24 May 2021 10:11:01 +1000
Subject: [PATCH] add verify sha instructions in README

---
 README.md | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/README.md b/README.md
index 5e41159c45..e3f06a301d 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,39 @@ Please search for any [existing issues](https://github.com/oxen-io/session-andro
 
 Build instructions can be found in [BUILDING.md](BUILDING.md).
 
+## Verifing signatures
+
+Get Kee's key and import it:
+
+```
+wget https://raw.githubusercontent.com/oxen-io/oxen-core/master/utils/gpg_keys/KeeJef.asc
+gpg --import KeeJef.asc
+```
+
+Get the signed hash for this release, the SESSION_VERSION needs to be updated for the release you want to verify
+
+```
+export SESSION_VERSION=1.10.4
+wget https://github.com/oxen-io/session-android/releases/download/$SESSION_VERSION/signatures.asc
+```
+
+Verify the signature of the hashes of the files
+
+```
+gpg --verify signatures.asc 2>&1 |grep "Good signature from"
+```
+
+The command above should print "`Good signature from "Kee Jefferys...`"
+If it does, the hashes are valid but we still have to make the sure the signed hashes matches the downloaded files.
+
+Make sure the two commands below returns the same hash.
+If they do, files are valid.
+
+```
+sha256sum session-$SESSION_VERSION-universal.apk
+grep universal.apk signatures.asc
+```
+
 ## License
 
 Copyright 2011 Whisper Systems