From 5298fc219864e60b07f631cfbf89b0b3566665c9 Mon Sep 17 00:00:00 2001
From: Riccardo Spagni <ric@spagni.net>
Date: Mon, 23 Feb 2015 20:38:39 +0200
Subject: [PATCH] added GPG-signed file hashes

---
 downloads/hashes.txt | 25 +++++++++++++++++++++++++
 downloads/index.md   |  2 ++
 2 files changed, 27 insertions(+)
 create mode 100644 downloads/hashes.txt

diff --git a/downloads/hashes.txt b/downloads/hashes.txt
new file mode 100644
index 00000000..5afca13a
--- /dev/null
+++ b/downloads/hashes.txt
@@ -0,0 +1,25 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+This GPG-signed message exists to confirm the SHA sums on Monero binaries.
+
+Please verify the signature against the signature for fluffypony in the
+source code repository (/utils/gpg_keys).
+
+monero.freebsd.x64.v0-8-8-6.tar.bz: 9fd0005b697e146a26a0bf9e3cd0c89b978f7fbd
+monero.linux.x64.v0-8-8-6b.tar.bz2: 16f3f55bcfbfae6135cbeda6574f651890a8be64
+monero.mac.x64.v0-8-8-6.tar.bz2: 7069de92083fb7831b063cc152e8f35508ff61bf
+monero.win.x64.v0-8-8-6.zip: facbeb2e408cf8b9a46534363eba161dbb047654
+
+Riccardo "fluffypony" Spagni
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2
+
+iQEcBAEBAgAGBQJU63MyAAoJEFVDLfMczU/N6ksIAIuJkAfnl+xP+1AMvAqQR2jq
+xIBbQ5ZPnH3PvQevKNqJkRE+To3Qbf6xYv8iPZFBKz68Fc06+lOXXSMQnqA4mDTj
+Lh2M4YJJnOxkjf8gnWEW1jI666Y+oiA97luYT04ytNIXCoUGZFQmP+MGAo6Q/s3K
+JsT6d/u/LxavWaGReG61EvLx+ey8WcInIabGMcZsnTZn2GBQFfXiz6MKfcnhM7nY
+xk+oe+oqL2Tohpi7/zRkFfy6nKk6wcv98sfoAen0c+VprBZwotypvccL6kTjF57F
+51bXAK1RnbzencfFpaGBhShyVnzPXWgZro+nLEWMemhlua4xNg9fjYddDzqp7Cc=
+=VF+L
+-----END PGP SIGNATURE-----
\ No newline at end of file
diff --git a/downloads/index.md b/downloads/index.md
index dd047aa2..e7886823 100644
--- a/downloads/index.md
+++ b/downloads/index.md
@@ -15,6 +15,8 @@ Monero Core consists of several applications, including bitmonerod (the daemon u
 
 If you are using Monero Core for the first time you may want to download a @blockchain bootstrap to get you started. A link to download the @blockchain bootstrap is included in the listings below.
 
+Note: the SHA hashes are listed by the downloads for convenience, but a GPG-signed list of the hashes is at [getmonero.org/downloads/hashes](https://getmonero.org/downloads/hashes) and should be treated as canonical, with the signature checked against the appropriate GPG key in the source code (in /utils/gpg_keys).
+
 <div class="row">
 
 {% for data_downloads in site.data.downloads %}