Document verifying build artifacts

Signed-off-by:	Shawn Webb <shawn.webb@hardenedbsd.org>

Home.md

@@ -40,6 +40,7 @@ Some of the branches, but not all, are listed below:
 
 1. HEAD -> hardened/current/master
 1. stable/13 -> hardened/13-stable/master
+1. stable/14 -> hardened/14-stable/master
 
 # Features
 
@@ -68,6 +69,38 @@ HardenedBSD has successfully implemented the following features:
 1. Kernel malloc hardening
 1. Shared memory hardening
 
+# Verifying Build Artifacts
+
+The HardenedBSD build artifacts are signed with an SSH key. SSH keys are used so
+that artifacts can be validated using only tools included in the base operating
+system.
+
+First, download the SSH public key:
+
+```
+$ fetch https://installers.hardenedbsd.org/pub/keys/ssh.pub.txt
+```
+
+Then download the build artifact. For purposes of this documentation, the
+compressed memstick installation image for HardenedBSD 14-STABLE will be used.
+
+```
+$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz
+$ fetch https://installers.hardenedbsd.org/pub/14-stable/amd64/amd64/installer/LATEST/memstick.img.xz.sig
+```
+
+Next, generate an `allowed_signers` file which contains the SSH public key:
+
+```
+$ echo "hbsd-os-build-01 $(cat ssh.pub.txt)" > allowed_signers
+```
+
+Now the signature file can be verified:
+
+```
+$ ssk-keygen -Y verify -f allowed_signers -I hbsd-os-build-01 -n file -s memstick.img.xz.sig < memstick.img.xz
+```
+
 # Generic Kernel Options
 
 All of HardenedBSD's features that rely on kernel code require the