installation: update signature checking information

- we are now using minisign for improved compatibility
- minisign-signed files means 'signify -C' doesn't work anymore, so
  remove that guidance; we can still use 'sha256 -C' if available,
  though
- minisign workaround didn't work, and isn't necessary any more

Author: ericonr

src/installation/index.md

@@ -67,9 +67,10 @@ on the image to ensure they haven't been tampered with.
 Current images are signed using a signify key that is specific to the release.
 If you're on Void already, you can obtain the keys from the `void-release-keys`
 package, which will be downloaded using your existing XBPS trust relationship
-with your mirror. You will also need a copy of
-[signify(1)](https://man.voidlinux.org/signify.1); on Void this is provided by
-the `outils` package.
+with your mirror and package signatures. You will also need a copy of
+[signify(1)](https://man.voidlinux.org/signify.1) or
+[minisign(1)](https://man.voidlinux.org/minisign.1); on Void, these are provided
+by the `outils` or `minisign` packages, respectively.
 
 To obtain `signify` when using a Linux distribution or operating system other
 than Void Linux:
@@ -81,37 +82,55 @@ than Void Linux:
    distribution.
 - Install `signify-osx` with homebrew in macOS.
 
-If you can't obtain `signify` for some reason (e.g. you are on Windows and can't
-use WSL or MinGW), you can use
-[minisign(1)](https://man.voidlinux.org/minisign.1) to verify the file.
+The `minisign` executable is usually provided by a package of the same name, and
+can also be installed on Windows, even without WSL or MinGW.
 
 If you are not currently using Void Linux, it will also be necessary to obtain
 the appropriate signing key from our Git repository
 [here](https://github.com/void-linux/void-packages/tree/master/srcpkgs/void-release-keys/files/).
 
 Once you've obtained the key, you can verify your image with the `sha256sum.sig`
-file. The following example demonstrates the verification of the GCP musl
-filesystem from the 20191109 release:
+and `sha256sum.txt` files. First, you need to verify the authenticity of the
+`sha256sum.txt` file.
+
+The following examples demonstrate the verification of the `sha256sum.txt` file
+for the 20210930 images. Firstly, with `signify`:
 
 ```
-$ signify -C -p /etc/signify/void-release-20191109.pub -x sha256sum.sig void-GCP-musl-PLATFORMFS-20191109.tar.xz
+$ signify -V -p /etc/signify/void-release-20210930.pub -x sha256sum.sig -m sha256sum.txt
 Signature Verified
-void-GCP-musl-PLATFORMFS-20191109.tar.xz: OK
 ```
 
-If the verification process does not produce the expected "OK" status, do not
-use it! Please alert the Void Linux team of where you got the image and how you
-verified it, and we will follow up on it.
+And secondly, with `minisign`:
+
+```
+$ minisign -V -p /etc/signify/void-release-20210930.pub -x sha256sum.sig -m sha256sum.txt
+Signature and comment signature verified
+Trusted comment: timestamp:1634597366	file:sha256sum.txt
+```
 
-For verification with `minisign`, it is necessary to rename the `sha256sum.sig`
-file to `sha256sum.txt.minisig` and remove the first line from the `.pub`
-release key. The following example demonstrates the verification of the
-`sha256sum.txt` file from the 20191109 release:
+Finally, you need to verify that the checksum for your image matches the one in
+the `sha256sum.txt` file. This can be done with the
+[sha256(1)](https://man.voidlinux.org/md5.1) utility, again from the `outils`
+package, as demonstrated below for the 20210930 `x86_64` image:
 
 ```
-$ minisign -Vm sha256sum.txt -f -p void-release-20191109.pub
-void-release-20191109.pub: Success
+$ sha256 -C sha256sum.txt void-live-x86_64-20210930.iso
+(SHA256) void-live-x86_64-20210930.iso: OK
 ```
 
-The same warning as above applies. If the verification process isn't successful,
-do not use the file - warn the Void Linux team about it.
+Alternatively, if the `sha256` utility isn't available to you, you can compute
+the SHA256 hash of the file, e.g. using
+[sha256sum(1)](https://man.voidlinux.org/sha256sum.1), and compare it to the
+value contained in `sha256sum.txt`:
+
+```
+$ sha256sum void-live-x86_64-20210930.iso
+45b75651eb369484e1e63ba803a34e9fe8a13b24695d0bffaf4dfaac44783294  void-live-x86_64-20210930.iso
+$ grep void-live-x86_64-20210930.iso sha256sum.txt
+SHA256 (void-live-x86_64-20210930.iso) = 45b75651eb369484e1e63ba803a34e9fe8a13b24695d0bffaf4dfaac44783294
+```
+
+If the verification process does not produce the expected "OK" status, do not
+use it! Please alert the Void Linux team of where you got the image and how you
+verified it, and we will follow up on it.