From e4a0845da31aedce4550c2fd187cf4a07e195539 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 15 Mar 2016 00:59:32 +0000
Subject: [PATCH] README.source: Add instructions to verify upstream tag and
 file signatures

---
 debian/README.source | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/debian/README.source b/debian/README.source
index 62d9cefeb..0d604ce5c 100644
--- a/debian/README.source
+++ b/debian/README.source
@@ -12,6 +12,30 @@ unifdef packages installed.
    * git://kernel.ubuntu.com/ubuntu/linux.git
 
    However, it is also possible to use upstream tarball and patch releases.
+   Both tags and files should be signed by the relevant maintainer, which
+   you *must* verify using commands such as:
+
+   $ git tag -v v4.5
+   $ xzcat linux-4.5.tar.xz | gpg --verify linux-4.5.tar.sign -
+   $ xzcat patch-4.5.1.xz | gpg --verify patch-4.5.1.sign -
+
+   The upstream maintainers' key fingerprints are:
+
+   pub   2048R/00411886 2011-09-20
+         Key fingerprint = ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886
+   uid                  Linus Torvalds <torvalds@linux-foundation.org>
+   sub   2048R/012F54CA 2011-09-20
+
+   pub   4096R/6092693E 2011-09-23
+         Key fingerprint = 647F 2865 4894 E3BD 4571  99BE 38DB BDC8 6092 693E
+   uid                  Greg Kroah-Hartman (Linux kernel stable release signing key) <greg@kroah.com>
+   sub   4096R/76D54749 2011-09-23
+
+   pub   4096R/FDCE24FC 2011-12-10
+         Key fingerprint = D4E1 E317 4470 9144 B0F8  101A DB74 AEB8 FDCE 24FC
+   uid                  Luis Henriques <luis.henriques@canonical.com>
+   uid                  Luis Henriques <henrix@camandro.org>
+   sub   4096R/EFBC394A 2011-12-10
 
 2) Run: ./debian/bin/genorig.py <repository>
    or:  ./debian/bin/genorig.py <tarball> [patch]