
Document Download Verification (PGP, GPG) #4

@maltfield

Description


Currently it is not documented how to verify the authenticity or cryptographic integrity of the downloads from parrotsec.org or parrot.sh.

This makes it hard for Parrot OS users to safely download Parrot ISOs, and it introduces them (and potentially their clients) to watering hole attacks.

Steps to Reproduce

  1. Go to the Parrot OS Documentation https://parrotsec.org/docs
  2. Navigate to Introduction -> Download Parrot https://parrotsec.org/docs/introduction/download-parrot
  3. Look for info on cryptographic verification
  4. ???
  5. Get confused and open ticket

Expected behavior: [What you expected to happen]

A few things are expected:

  1. I should be able to download the Parrot OS Release Signing PGP key out-of-band from popular third-party keyservers (eg https://keys.openpgp.org/)
  2. The documentation (https://parrotsec.org/docs/introduction/download-parrot) should include a page that describes [a] how to download the official Parrot OS Release Signing PGP Key, [b] how to download the signed-hashes.txt file, [c] how to use gpg to verify that the signature of the signed-hashes.txt is authentic, and [d] how to use sha256sum --check (or similar tool) to verify the integrity of the downloaded release file.
  3. The downloads page itself (https://parrotsec.org/download/) should include a link to the documentation page above

Actual behavior: [What actually happened]

There's just literally no information on verifying downloads in the documentation.
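As an added example (not code from this issue, and not part of Parrot's documentation or tooling), the following POSIX shell script walks through the four steps the report asks to have documented: import the release key into a dedicated keyring, fetch signed-hashes.txt, check its signature with gpg, and check the download with sha256sum. It assumes GnuPG 2.x and coreutils sha256sum are installed; the key identity `release@example.invalid`, the file names, the `verify_release` and `demo_setup` function names and the `<RELEASE_KEY_FINGERPRINT>` placeholder are all constructed for the demo. The fixture generates a throwaway signing key so the whole flow runs offline.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Parrot project.
# Walks the four steps the report asks to have documented:
#   [a] import the release signing key, [b] fetch signed-hashes.txt,
#   [c] gpg --verify the signature, [d] sha256sum --check the download.
# Assumptions: GnuPG 2.x and coreutils sha256sum are installed; the key
# identity, file names and fingerprint placeholder below are constructed.
set -eu

# In real use step [a] fetches the key out-of-band from a keyserver, and the
# fingerprint is compared against one published on a separate channel, e.g.
#   gpg --keyserver hkps://keys.openpgp.org --recv-keys <RELEASE_KEY_FINGERPRINT>
# <RELEASE_KEY_FINGERPRINT> is a placeholder; it must come from the project's docs.

# verify_release KEYRING_HOME EXPECTED_FPR SIGNED_HASHES_ABS_PATH DOWNLOAD_DIR
# Returns 0 only when SIGNED_HASHES carries a good signature from the key with
# fingerprint EXPECTED_FPR and every listed file present in DOWNLOAD_DIR matches
# its SHA-256. KEYRING_HOME is a GNUPGHOME that holds only the release key.
verify_release() {
    keyhome=$1; expected_fpr=$2; signed=$3; dir=$4

    # [c] A zero exit from gpg only proves "some key in the keyring signed
    # this"; the VALIDSIG status line pins it to the expected fingerprint.
    status=$(GNUPGHOME="$keyhome" gpg --batch --status-fd 1 --verify "$signed" 2>/dev/null) \
        || { echo "signature on $signed is BAD or from an unknown key" >&2; return 1; }
    case "$status" in
        *"[GNUPG:] VALIDSIG $expected_fpr "*) ;;
        *) echo "signed by a key other than $expected_fpr" >&2; return 1 ;;
    esac

    # [d] The hash lines are now trusted; compare them with the download(s).
    # --ignore-missing skips listed ISOs that were not downloaded; the clearsign
    # armour lines are reported as improperly formatted and otherwise ignored.
    (cd "$dir" && sha256sum --check --ignore-missing --quiet "$signed")
}

# Demo fixture (constructed): a throwaway "release team" key signs the hash of
# a fake ISO, and a separate user keyring imports only the public key.
# Prints "WORKDIR FINGERPRINT" on one line.
demo_setup() {
    work=$(mktemp -d)
    signer="$work/signer"; user="$work/user"; dl="$work/downloads"
    mkdir -m 700 "$signer" "$user"; mkdir "$dl"

    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Example Release Key <release@example.invalid>" default default never
    fpr=$(GNUPGHOME="$signer" gpg --batch --with-colons --fingerprint release@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    printf 'not a real ISO, just demo bytes\n' > "$dl/parrot-example.iso"
    (cd "$dl" && sha256sum parrot-example.iso) > "$work/hashes.txt"
    # [b] the project would publish this clearsigned file next to the ISO
    GNUPGHOME="$signer" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign --output "$dl/signed-hashes.txt" "$work/hashes.txt"
    GNUPGHOME="$signer" gpg --batch --armor --export release@example.invalid > "$work/release-key.asc"

    # [a] the user imports nothing but the release key into a dedicated keyring
    GNUPGHOME="$user" gpg --batch --quiet --import "$work/release-key.asc" 2>/dev/null
    printf '%s %s\n' "$work" "$fpr"
}

# Stand-alone run: a clean download passes, a tampered ISO is rejected.
out=$(demo_setup); work=${out% *}; fpr=${out#* }
verify_release "$work/user" "$fpr" "$work/downloads/signed-hashes.txt" "$work/downloads" \
    && echo "clean download: verified"
printf 'x' >> "$work/downloads/parrot-example.iso"
if verify_release "$work/user" "$fpr" "$work/downloads/signed-hashes.txt" "$work/downloads" 2>/dev/null
then echo "BUG: tampered ISO accepted" >&2; exit 1
else echo "tampered download: rejected"
fi
```

Two design points matter here. `verify_release` does not stop at gpg's exit status: it requires a `VALIDSIG` line carrying the fingerprint the user obtained out-of-band, so a validly signed file from some other key that happened to be imported is still rejected. And `sha256sum --check` is run without `--strict`, which is what lets it tolerate the PGP armour lines in a clearsigned hash list; with `--strict` those lines would make the check fail even for a good download.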
