Add Verification Documentation #43

Open
ghost opened this issue Jun 26, 2023 · 1 comment
ghost commented Jun 26, 2023

1. First download the public key from firo.org or GitHub

wget https://raw.githubusercontent.com/firoorg/firo/master/reuben.asc

(Can't wget or curl the key over Tor with torsocks from firo.org (Cloudflare issue))

wget https://firo.org/reuben.asc

curl -f https://firo.org/reuben.asc

both show 403 or refused

2. Import Reuben’s key (Signing-key)

gpg --import < reuben.asc

3. Check that the public key is the legit fingerprint

(Didn’t see the Fingerprint of this key listed)

it should be listed multiple places like Git, firo.org, other places

Example: the QubesOS signing key fingerprint is listed in multiple places

gpg --fingerprint [email protected]

pub   ed25519/0x1290A1D0FA7EE109 2020-11-18 [SC]
      Key fingerprint = 0186 454D 63E8 3D85 EF91  DE4E 1290 A1D0 FA7E E109
uid                   [ unknown] [email protected] <[email protected]>
sub   cv25519/0xDFA6985F7E97E84A 2020-11-18 [E]
      Key fingerprint = FB18 BD33 74DF 475A 40A1  BDC8 DFA6 985F 7E97 E84A

[Key fingerprint = 0186 454D 63E8 3D85 EF91 DE4E 1290 A1D0 FA7E E109]

4. Download the wallet for your OS and the hashes (SHA256SUMS) from GitHub

5. Verify hashes

gpg --verify SHA256SUMS

Should say Good signature from Reuben's key, and the dates should match when it was signed:

gpg: Signature made Sat 25 Feb 2023 04:41:56 PM UTC
gpg:                using EDDSA key 0186454D63E83D85EF91DE4E1290A1D0FA7EE109
gpg: Good signature from "[email protected] <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0186 454D 63E8 3D85 EF91  DE4E 1290 A1D0 FA7E E109

then calculate the sha256sums of the wallet (Firo-Electrum-x.x.x.x-version.etc)

sha256sum Firo-Electrum-4.1.5.2-x86_64.AppImage

Make sure it's the same as in the signed SHA256SUMS and that they match.
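The steps in the comment above can be scripted so that the fingerprint check and the hash comparison are not left to the eye. This is an added example, not part of the original issue and not Firo project code. It assumes SHA256SUMS carries an inline (clear-text) signature, as `gpg --verify SHA256SUMS` in step 5 implies. The function names are hypothetical, and the pinned fingerprint is the one quoted in the issue, which should still be confirmed through independent channels.

```shell
#!/bin/sh
# Added example (assumptions: inline-signed SHA256SUMS, key already imported).
# Fingerprint as quoted in the issue, spaces removed.
PINNED_FPR=0186454D63E83D85EF91DE4E1290A1D0FA7EE109

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names $1 as the primary key fingerprint (the last field of that line).
signed_by() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($NF "") == (want "") { ok = 1 }
        END { exit !ok }'
}

# Print the hash recorded for file name $2 in checksum list $1.
# Accepts "hash  name" and binary-mode "hash *name" lines (no spaces in names).
listed_hash() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f) } f == name { print $1; exit }' "$1"
}

# Succeed only if the SHA-256 of file $2 equals the hash listed for its
# base name in checksum list $1. A file that is not listed fails.
artifact_matches() {
    want=$(listed_hash "$1" "$(basename "$2")")
    [ -n "$want" ] || return 1
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# verify_release SHA256SUMS FILE
# Checks the signature, keeps only the text the signature covers, and
# compares FILE against that text rather than against the raw download.
verify_release() {
    tmp=$(mktemp -d) || return 1
    gpg --batch --status-fd 3 --output "$tmp/sums" --decrypt "$1" \
        3>"$tmp/status" 2>/dev/null
    if signed_by "$PINNED_FPR" <"$tmp/status" && artifact_matches "$tmp/sums" "$2"
    then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Comparing against the output of `gpg --decrypt` instead of the downloaded SHA256SUMS matters because any lines placed outside the signed region of the file are not covered by the "Good signature" message.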
