From 9ff10fc9086ee3781f41837ef77b3ec6ba0b0b84 Mon Sep 17 00:00:00 2001
From: Ryan ZHAO <>
Date: Wed, 26 Mar 2025 11:28:04 +1100
Subject: [PATCH] update readme with signatures verification

---
 README.md | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/README.md b/README.md
index a95bbb2e2..ef2301ee6 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,45 @@ Please search for any [existing issues](https://github.com/loki-project/session-
 
 Build instructions can be found in [BUILDING.md](BUILDING.md).
 
+## Verifying signatures
+
+**Step 1:**
+
+Add Jason's GPG key. Jason Rhinelander, a member of the [Session Technology Foundation](https://session.foundation/) and is the current signer for all Session iOS releases. His GPG key can be found on his GitHub and other sources.
+
+```sh
+wget https://github.com/jagerman.gpg
+gpg --import jagerman.gpg
+```
+
+**Step 2:**
+
+Get the signed hashes for this release. `SESSION_VERSION` needs to be updated for the release you want to verify.
+
+```sh
+export SESSION_VERSION=2.9.1
+wget https://github.com/session-foundation/session-ios/releases/download/$SESSION_VERSION/signature.asc
+```
+
+**Step 3:**
+
+Verify the signature of the hashes of the files.
+
+```sh
+gpg --verify signature.asc 2>&1 |grep "Good signature from"
+```
+
+The command above should print "`Good signature from "Jason Rhinelander...`". If it does, the hashes are valid but we still have to make the sure the signed hashes match the downloaded files.
+
+**Step 4:**
+
+Make sure the two commands below return the same hash for the file you are checking. If they do, file is valid.
+
+```
+sha256sum session-$SESSION_VERSION.ipa
+grep .ipa signature.asc
+```
+
 ## Translations
 
 Want to help us translate Session into your language? You can do so at https://crowdin.com/project/session-ios!