PUBKEY-CM.pub.asc       |   7 +++++++
 PUBKEY-SSH.pub          |   1 +
 PUBKEY-SSH.pub.asc      |   7 +++++++
 makedist                | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 spec/.swgignore         |   2 ++
 spec/INSTALL            |   4 ++++
 spec/Integrity          |  11 +++++++++++
 spec/PUBKEY-CM.pub      |   1 +
 spec/PUBKEY-CM.pub.asc  |   1 +
 spec/PUBKEY-SSH.pub     |   1 +
 spec/PUBKEY-SSH.pub.asc |   1 +
 spec/download           |   4 ++++
 spec/index              |   3 +++
 spec/mk-html            |   1 +

diff --git a/PUBKEY-CM.pub b/PUBKEY-CM.pub
new file mode 100644
index 0000000000000000000000000000000000000000..5e6bc0f10fb3397b40840454685fb1835bd809512f1bb5bac856757653ec75dc
Binary files /dev/null and b/PUBKEY-CM.pub differ
diff --git a/PUBKEY-CM.pub.asc b/PUBKEY-CM.pub.asc
new file mode 100644
index 0000000000000000000000000000000000000000..45e9c40ad9b17b33f90b06f0aa1bd10bdbc066d677fd7f3bed0dd4a2528a7257
--- /dev/null
+++ b/PUBKEY-CM.pub.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQTbL/jtRAp+lJhvt3bSI36ECQhstwUCaGEDswAKCRDSI36ECQhs
+twPcAPwLJuuTjhU3y6sSRNqr/69Q452vv1a2TWUNxTCyxCPd0wD/fWPvM/PxO8aW
+lt/Yfko5vPVbnwFP/GczCzugHFGWZws=
+=ydWw
+-----END PGP SIGNATURE-----
diff --git a/PUBKEY-SSH.pub b/PUBKEY-SSH.pub
new file mode 100644
index 0000000000000000000000000000000000000000..455baf53b080a48bcc4bf00d912c9e1cd4ec494dda2ca10a7d31fbf8fa9ea0cc
--- /dev/null
+++ b/PUBKEY-SSH.pub
@@ -0,0 +1 @@
+keks@cypherpunks.su ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILy9ZiS9KFbm3jpie6SRjP5/ZlMQxozOP95Twsf0xNoU
diff --git a/PUBKEY-SSH.pub.asc b/PUBKEY-SSH.pub.asc
new file mode 100644
index 0000000000000000000000000000000000000000..d1f0e8ea797b36ff61a8205480770f75ac1691d46d3fdb5fb31a99128cfd098e
--- /dev/null
+++ b/PUBKEY-SSH.pub.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEABYKAB0WIQTbL/jtRAp+lJhvt3bSI36ECQhstwUCaGECgwAKCRDSI36ECQhs
+t7PvAP9t+Mcieth/k7qRoQFuiU+mjr3tm2YghPp9HG17HXlwEwD9G6mlqrI9Y5nA
+WDO2u2PADcbzCbYnNx0mYG6RroHC+g4=
+=exd4
+-----END PGP SIGNATURE-----
diff --git a/makedist b/makedist
new file mode 100755
index 0000000000000000000000000000000000000000..955164e4e10d0b91b72f52f90f50b7cc4ab24dfa2ca3bd9521993ba868c7a567
--- /dev/null
+++ b/makedist
@@ -0,0 +1,125 @@
+#!/bin/sh -ex
+
+cur=$(pwd)
+tmp=$(mktemp -d ${TMPDIR:-/tmp}/keks-distXXXXXX)
+release=$1
+[ -n "$release" ]
+
+git clone . $tmp/keks-$release
+git checkout v$release || :
+
+cd $tmp/keks-$release
+echo $release >VERSION
+redo \
+    c/doc/keks.info \
+    c/lib/cm/pub.schema.keks.c.in \
+    go/cm/enc/encrypted.schema.keks \
+    go/cm/hash/prehash.schema.keks \
+    go/cm/sign/pub.schema.keks \
+    go/cm/sign/signed.schema.keks \
+    go/rpc/rpc.schema.keks
+rm -r c/doc/build c/doc/docstringer.log
+
+cd py3/tests
+mkdir fuzz-inputs
+cd fuzz-inputs
+PATH=../../../tcl:$PATH TCLLIBPATH=../../../tcl ../../../tcl/mk-fuzz-inputs
+
+cd ../../../go
+go mod vendor
+./mk-fuzz-testdata
+cd cmd/pp
+go mod vendor
+cd ../../cm
+go mod vendor
+rm -r vendor/golang.org/x/sys/windows
+cd ..
+$HOME/work/sgodup/sgodup -basedir cm/vendor -dupdir cmd/pp/vendor -action hardlink
+$HOME/work/sgodup/sgodup -basedir cm/vendor -dupdir vendor -action hardlink
+cd ..
+
+cd spec
+swg info >../spec.info
+./mk-html
+mv ../spec.info .
+cd ..
+
+redo-cleanup full
+rm -fr .git makedist
+mkdir third-party
+
+cd ..
+zstd -d <$HOME/work/bass/build/distfiles/libtap-0.1.0-44-gb53e4ef.tar.zst >keks-"$release"/third-party/libtap-0.1.0-44-gb53e4ef.tar
+zstd -d <$HOME/src/monocypher-4.0.2.tar.zst >keks-"$release"/third-party/monocypher-4.0.2.tar
+zstd -d <$HOME/work/goredo/doc/goredo.html/download/goredo-2.6.4.tar.zst >keks-"$release"/third-party/goredo-2.6.4.tar
+
+git clone $HOME/work/sharness sharness-v1.2.1
+cd sharness-v1.2.1
+git checkout v1.2.1
+rm -fr .git
+cd ..
+detpax sharness-v1.2.1 >keks-"$release"/third-party/sharness-v1.2.1.tar
+
+git clone $HOME/work/swg swg-v1.0.0
+cd swg-v1.0.0
+git checkout v1.0.0
+rm -fr .git
+cd ..
+detpax swg-v1.0.0 >keks-"$release"/third-party/swg-v1.0.0.tar
+
+detpax keks-"$release" >keks-"$release".tar
+zstd -22 --ultra -v keks-"$release".tar
+tarball=keks-"$release".tar.zst
+ssh-keygen -Y sign -f ~/.ssh/sign/keks@cypherpunks.su -n file "$tarball"
+meta4ra-create -fn "$tarball" -mtime "$tarball" \
+    -sig-ssh "$tarball".sig \
+    http://www.keks.cypherpunks.su/download/"$tarball" \
+    http://y.www.keks.cypherpunks.su/download/"$tarball" <"$tarball" >"$tarball".meta4
+cmsigtool -d 4<$HOME/.cm/sign/keks@cypherpunks.su.pub \
+    8<$HOME/.cm/sign/keks@cypherpunks.su.prv <"$tarball" >"$tarball".sig
+touch -r "$tarball" "$tarball".sig
+
+size=$(( $(stat -f %z $tarball) / 1024 ))
+release_date=$(date "+%Y-%m-%d")
+cat <<EOF
+An entry for documentation:
+$release | $release_date | $size KiB
+    => download/$tarball.meta4
+    => download/$tarball
+    => download/$tarball.sig
+EOF
+
+mv "$tarball" "$tarball".meta4 "$tarball".sig $cur/spec/spec.html/download
+
+cat <<EOF
+Subject: KEKS $release release announcement
+
+I am pleased to announce KEKS $release release availability!
+
+KEKS is compact, deterministic, concise and streaming binary
+serialisation format. It is aimed to be lightweight in terms of CPU,
+memory, storage and codec implementation size usage. It supports wide
+range of data types, making it able to transparently replace JSON.
+
+------------------------ >8 ------------------------
+
+The main improvements for that release are:
+
+
+------------------------ >8 ------------------------
+
+KEKS's home page is: http://www.keks.cypherpunks.su/
+
+Source code and its signature for that version can be found here:
+
+    http://www.keks.cypherpunks.su/download/keks-${release}.tar.zst ($size KiB)
+    http://www.keks.cypherpunks.su/download/keks-${release}.tar.zst.sig
+
+OpenSSH key: SHA256:egDNCXj0/8mCSWVEc3mlB788/yM86m0C5UYitppZyc8
+cm/signed key: C8E1B383FADA392E08F8F9F6B07C2F11861F14BE6D98C008C9AB8A9185527B5F
+EOF
+echo mutt -s \"KEKS $release release announcement\" \
+    keks@lists.cypherpunks.su \
+    -a $cur/spec/spec.html/download/"$tarball".meta4
+
+rm -fr $tmp
diff --git a/spec/.swgignore b/spec/.swgignore
index fc8ef183e2da2461a1af71bdbc93aa24aa98f52116a9d58e25cd4dc2ca5acb99..9f870032c73c40b20de8a1ff57f855c82299c334ca5b085b36e78de703d14ecb 100644
--- a/spec/.swgignore
+++ b/spec/.swgignore
@@ -1,2 +1,4 @@
 ^mk-html$
+^PUBKEY-
 ^spec.html/
+^spec.info$
diff --git a/spec/INSTALL b/spec/INSTALL
index b45bcd789aaa3ffecc42c2614cfae28f6c388d92d20f4a54109de51bb3ad90dc..9e31622b7a151e161178bae98d9f36f1a7329da9fef5b63b5d13b4239d2f94a1 100644
--- a/spec/INSTALL
+++ b/spec/INSTALL
@@ -1,6 +1,10 @@
 Currently there are draft versions of the codec written in
 C99, Go, Python3 and Tcl.
 
+<<[download]
+
+<<[Integrity]
+
 You can obtain development source code with:
     git clone git://git.cypherpunks.su/keks.git
 
diff --git a/spec/Integrity b/spec/Integrity
new file mode 100644
index 0000000000000000000000000000000000000000..c49d86acc79afae46d8001fff44b1f792bbdd971a25864873b3f70f5c3e389d6
--- /dev/null
+++ b/spec/Integrity
@@ -0,0 +1,11 @@
+You *have to* verify downloaded tarballs authenticity to be sure that
+you retrieved trusted and untampered software. Metalink4 file contains
+its OpenSSH signature, that can be verified with
+=> PUBKEY-SSH.pub
+=> PUBKEY-SSH.pub.asc
+[cm/signed/] .sig file can be verified with
+=> PUBKEY-CM.pub
+=> PUBKEY-CM.pub.asc
+
+=> https://www.openssh.com/ OpenSSH
+=> https://gnupg.org/ GnuPG
diff --git a/spec/PUBKEY-CM.pub b/spec/PUBKEY-CM.pub
new file mode 120000
index 0000000000000000000000000000000000000000..524a15e15b9b8dff6cb94c11c84db12553a3e1ffc17b424d7128b5faa8d72a29
--- /dev/null
+++ b/spec/PUBKEY-CM.pub
@@ -0,0 +1 @@
+../PUBKEY-CM.pub
\ No newline at end of file
diff --git a/spec/PUBKEY-CM.pub.asc b/spec/PUBKEY-CM.pub.asc
new file mode 120000
index 0000000000000000000000000000000000000000..82d0d43b6ed6bc2111e444aaa465bd2b01a62737afcf78818f823820e7be4a44
--- /dev/null
+++ b/spec/PUBKEY-CM.pub.asc
@@ -0,0 +1 @@
+../PUBKEY-CM.pub.asc
\ No newline at end of file
diff --git a/spec/PUBKEY-SSH.pub b/spec/PUBKEY-SSH.pub
new file mode 120000
index 0000000000000000000000000000000000000000..7b8572cf63c7940002cc9ff851761612b41f560f08ff9b10002856627d344a9c
--- /dev/null
+++ b/spec/PUBKEY-SSH.pub
@@ -0,0 +1 @@
+../PUBKEY-SSH.pub
\ No newline at end of file
diff --git a/spec/PUBKEY-SSH.pub.asc b/spec/PUBKEY-SSH.pub.asc
new file mode 120000
index 0000000000000000000000000000000000000000..2151320868dcd44d9c9376aa24df855c431435daf756555d5ec47bbe8df74246
--- /dev/null
+++ b/spec/PUBKEY-SSH.pub.asc
@@ -0,0 +1 @@
+../PUBKEY-SSH.pub.asc
\ No newline at end of file
diff --git a/spec/download b/spec/download
new file mode 100644
index 0000000000000000000000000000000000000000..f02f1fb86b7a4ff7706bf39225f50d33a21c8744e11d16a237c511d9febc8bef
--- /dev/null
+++ b/spec/download
@@ -0,0 +1,4 @@
+0.1.0 | XXXX-XX-XX | XXX KiB
+    => download/keks-0.1.0.tar.zst.meta4
+    => download/keks-0.1.0.tar.zst
+    => download/keks-0.1.0.tar.zst.sig
diff --git a/spec/index b/spec/index
index 45b0c911d85fbe5985ee003a1bae09c8e3881cfd5d2d71c986cc0e5d863a4508..42c8e2209c9f10d24a711d7c783ca1bf470fa53f911e9a5955383a6ba4c9d5ae 100644
--- a/spec/index
+++ b/spec/index
@@ -36,4 +36,7 @@       [cm/] -- Cryptographic Messages
       [RPC] -- Remote Procedure Call
    [THANKS]
 
+Announcements go to:
+=> http://lists.cypherpunks.su/keks.html maillist
+
 Copyright © 2024-2025 Sergey Matveev <stargrave@stargrave.org>
diff --git a/spec/mk-html b/spec/mk-html
index 6b8bfbdf61712eafecad02e6f3f2985b88119a5d0c8c5a56f03250aa88a3c64d..43489634257d7cf910f37eca8d85bc018fc6efd721da3908fa4759a6cdb6b0b7 100755
--- a/spec/mk-html
+++ b/spec/mk-html
@@ -4,5 +4,6 @@
 html=spec.html
 SWG_DO_BACKS=0 SWG_DO_SRC=0 swg htmls $html
 perl -i -npe 's#^<title>.*$#<title>KEKS</title>#' $html/index.html
+cp ../PUBKEY-* $html
 find $html -type d -exec chmod 755 {} +
 find $html -type f -exec chmod 644 {} +