From 4d5fd1f6fbc710e8b59e522774e945bd09410b05 Mon Sep 17 00:00:00 2001
From: kmanwar89 <kmanwar89@noreply.gitea.com>
Date: Thu, 14 Aug 2025 21:51:45 +0000
Subject: [PATCH] Clarified GPG signature validation instructions to be more
 clear (#262)

Added instructions on how to download the signature file using wget, and fixed a typo in the wget commands that would have caused the command to fail when copied/pasted.

Reviewed-on: https://gitea.com/gitea/docs/pulls/262
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: kmanwar89 <kmanwar89@noreply.gitea.com>
Co-committed-by: kmanwar89 <kmanwar89@noreply.gitea.com>
---
 .../version-1.24/installation/from-binary.md  | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/versioned_docs/version-1.24/installation/from-binary.md b/versioned_docs/version-1.24/installation/from-binary.md
index 4f351966..d1281924 100644
--- a/versioned_docs/version-1.24/installation/from-binary.md
+++ b/versioned_docs/version-1.24/installation/from-binary.md
@@ -43,11 +43,30 @@ Note that the above command will download Gitea @version@ for 64-bit Linux.
 ## Verify GPG signature
 
 Gitea signs all binaries with a [GPG key](https://keys.openpgp.org/search?q=teabot%40gitea.io) to prevent against unwanted modification of binaries.
-To validate the binary, download the signature file which ends in `.asc` for the binary you downloaded and use the GPG command line tool.
+
+To validate the binary, download the signature file which ends in `.asc` for the binary you downloaded:
+
+```shell
+wget https://dl.gitea.com/gitea/@version@/gitea-@version@-linux-amd64.asc
+```
+
+Next, use the GPG command line tool to validate the signatures:
 
 ```sh
 gpg --keyserver hkps://keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
-gpg --verify gitea-@version@-linux-amd64.asc gitea-@version@-linux-amd64
+gpg --verify gitea-@version@-linux-amd64.asc gitea
+```
+
+An example output of a successful validation should look as follows:
+
+```shell
+gpg: Signature made Mon 04 Aug 2025 06:57:27 PM UTC
+gpg:                using RSA key CC64B1DB67ABBEECAB24B6455FC346329753F4B0
+gpg: Good signature from "Teabot <teabot@gitea.io>" [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 7C9E 6815 2594 6888 62D6  2AF6 2D9A E806 EC15 92E2
+     Subkey fingerprint: CC64 B1DB 67AB BEEC AB24  B645 5FC3 4632 9753 F4B0
 ```
 
 Look for the text `Good signature from "Teabot <teabot@gitea.io>"` to assert a good binary,