missing instructions to verify download #243

Open
jmgurney opened this issue Mar 28, 2023 · 1 comment

Comments

@jmgurney
I downloaded ziglang from: https://ziglang.org/download/ and went to verify the signature, but the documentation for doing so is missing. I'm not familiar w/ minisign and I assume many people are not either, and requiring people to look up how to verify with minisign means most people won't verify the download. Putting the public key on the page is not enough.

I'd recommend you add instructions to download the file plus its minisig file, and run the command:

minisign -P 'RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U' -V -m zig-macos-aarch64-0.11.0-dev.2297+28d6dd75a.tar.xz

(or equivalent) to the download page to save people time from having to read the man page [very carefully], and fail at verifying the first time:

$ minisign -V -m zig-macos-aarch64-0.11.0-dev.2297+28d6dd75a.tar.xz
minisign.pub: No such file or directory

and the second time:

$ echo 'RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U' > minisign.pub
$ minisign -V -m zig-macos-aarch64-0.11.0-dev.2297+28d6dd75a.tar.xz
Error while loading the public key file

Also, I'd recommend using a program that isn't major version 0 for security, as per semver, major version 0 has zero compatibility guarantees, so there's no reason that 0.12 will be compatible w/ 0.11, and your page also doesn't list a required minisign version as well.

@saurabh-sm
The easiest way to verify may be:

  • Download Zig bundle for operating system and its corresponding minisig file

  • Install minisign

  • Verify the image by:

    minisign -Vm zig-macos-aarch64-0.11.0-dev.3934+ba6e5e65a.tar.xz -P "RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U"
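
The failed key-file attempt and the working `-P` command from the comments above, combined into an added example that is not part of the issue thread or of the Zig or minisign projects. The helper names are hypothetical, and it assumes minisign's key-file layout of a comment line followed by the base64 key, plus a `base64` that accepts `-d`.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of minisign or Zig.

# A minisign public key is base64 of 42 bytes: 2-byte algorithm tag "Ed",
# 8-byte key id, 32-byte Ed25519 key. "Ed" always encodes to RW + one of QRST.
check_minisign_key() {
    key=$1
    case $key in
        RW[QRST]*) ;;
        *) return 1 ;;
    esac
    len=$(printf '%s' "$key" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$len" -eq 42 ]
}

# Write a key file for `minisign -p FILE`: a comment line, then the key.
# A file holding only the key line is the layout that failed to load above.
write_minisign_pub() {
    key=$1
    out=$2
    check_minisign_key "$key" || { echo "not a minisign public key" >&2; return 1; }
    printf 'untrusted comment: minisign public key\n%s\n' "$key" > "$out"
}

# Verify FILE against FILE.minisig using the key given inline (-P).
# Returns 2 if an input is missing, 1 for a malformed key,
# otherwise minisign's own exit status.
verify_download() {
    file=$1
    key=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    [ -f "$file.minisig" ] || { echo "missing: $file.minisig" >&2; return 2; }
    check_minisign_key "$key" || { echo "malformed public key" >&2; return 1; }
    minisign -V -P "$key" -m "$file"
}

# Usage: sh verify.sh FILE 'PUBLIC_KEY'  (take the key from the download page)
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

The exit status is what a build script should act on: anything other than 0 means the archive must not be unpacked.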
    
