From 785bfa7ce351960a9c4603cc42fe81f9429a8752 Mon Sep 17 00:00:00 2001 From: Andrew David Wong Date: Mon, 6 Mar 2017 19:22:16 -0800 Subject: [PATCH] Add git commit signature verification instructions --- installing/verifying-signatures.md | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/installing/verifying-signatures.md b/installing/verifying-signatures.md index 088b6c14..2d0e15e2 100644 --- a/installing/verifying-signatures.md +++ b/installing/verifying-signatures.md @@ -284,14 +284,26 @@ came from the Qubes devs. Verifying Qubes Code -------------------- -Developers who fetch code from our Git server should always verify tags on the -latest commit. Any commits that are not followed by a signed tag should not be -trusted! +Developers who fetch code from our Git server should always verify the PGP signature of the tag on the latest commit. +In some cases, commits themselves may also be signed. +Any unsigned commit that is not followed by a signed tag should not be trusted! -To verify a signature on a git tag, you can use: +To verify a signature on a git tag: $ git tag -v +or + + $ git verify-tag + +To verify a signature on a git commit: + + $ git log --show-signature + +or + + $ git verify-commit + [Qubes Master Signing Key]: https://keys.qubes-os.org/keys/qubes-master-signing-key.asc [keyserver]: https://en.wikipedia.org/wiki/Key_server_%28cryptographic%29#Keyserver_examples
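Review bot: In the added command lines, `$ git verify-tag` and `$ git verify-commit` (and the reworded `$ git tag -v`) are shown without the tag or commit they operate on, so as written they verify nothing. Suggest giving each an explicit placeholder argument, for example `$ git verify-tag <tag name>` and `$ git verify-commit <commit>`, and limiting `$ git log --show-signature` with `-1` or a commit so the reader sees the signature of the commit being checked rather than the whole history. The new paragraph also says to verify the signature but not what a passing result is. Since the [Qubes Master Signing Key] reference is already in this file, one more sentence could say that the signature must be reported as good and must come from a key the reader has validated against that key. A good signature from an unknown key should be treated the same as no signature under the "should not be trusted" rule.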