makedist       |  9 +++++++--
 spec/Integrity | 15 ++++++++++-----
 spec/download  |  4 ++++

diff --git a/makedist b/makedist
index f269b7b98bf3cd78a34ee5f82e49d8df9c154d3f244b8501019c2baa4f27d902..760ac1ff6d91fab1484a7519a1eaa5da0c2b414ad3c46a0d6337d38cf9533e2c 100755
--- a/makedist
+++ b/makedist
@@ -47,6 +47,10 @@ $HOME/work/sgodup/sgodup -basedir cm/vendor -dupdir vendor -action hardlink
 cd ..
 
 cd spec
+cat >download <<EOF
+You can obtain releases source code prepared tarballs on
+=> http://www.keks.cypherpunks.su/
+EOF
 swg info >../spec.info
 ./mk-html
 mv ../spec.info .
@@ -123,8 +127,9 @@
     http://www.keks.cypherpunks.su/download/keks-${release}.tar.zst ($size KiB)
     http://www.keks.cypherpunks.su/download/keks-${release}.tar.zst.sig
 
-OpenSSH key: SHA256:egDNCXj0/8mCSWVEc3mlB788/yM86m0C5UYitppZyc8
-cm/signed key: C8E1B383FADA392E08F8F9F6B07C2F11861F14BE6D98C008C9AB8A9185527B5F
+Signing key fingerprints:
+    OpenSSH: SHA256:egDNCXj0/8mCSWVEc3mlB788/yM86m0C5UYitppZyc8
+    cm/signed: C8E1B383FADA392E08F8F9F6B07C2F11861F14BE6D98C008C9AB8A9185527B5F
 EOF
 echo mutt -s \"KEKS $release release announcement\" \
     keks@lists.cypherpunks.su \
diff --git a/spec/Integrity b/spec/Integrity
index c49d86acc79afae46d8001fff44b1f792bbdd971a25864873b3f70f5c3e389d6..a6de51b0359e56dc3124314011aa8ce0f38763d148dc5785a4fa2e9e1a8d6ef5 100644
--- a/spec/Integrity
+++ b/spec/Integrity
@@ -1,11 +1,16 @@
 You *have to* verify downloaded tarballs authenticity to be sure that
-you retrieved trusted and untampered software. Metalink4 file contains
-its OpenSSH signature, that can be verified with
+you retrieved trusted and untampered software.
+
+Metalink4 file contains its OpenSSH signature.
 => PUBKEY-SSH.pub
 => PUBKEY-SSH.pub.asc
-[cm/signed/] .sig file can be verified with
+=> https://www.openssh.com/ OpenSSH
+=> https://gnupg.org/ GnuPG
+=> https://datatracker.ietf.org/doc/html/rfc5854 Metalink4
+
+[cm/signed/] .sig file can be verified with:
 => PUBKEY-CM.pub
 => PUBKEY-CM.pub.asc
 
-=> https://www.openssh.com/ OpenSSH
-=> https://gnupg.org/ GnuPG
+    $ cat keks-$version.tar.zst.sig keks-$version.tar.zst |
+        cmsigtool -v -d 4<PUBKEY-CM.pub
diff --git a/spec/download b/spec/download
index f02f1fb86b7a4ff7706bf39225f50d33a21c8744e11d16a237c511d9febc8bef..f4cde91607190b534dfd9e376db325983a1e904c2198700765c86163289fe8be 100644
--- a/spec/download
+++ b/spec/download
@@ -1,3 +1,7 @@
+$ version=0.1.0
+$ [fetch|wget] http://www.keks.cypherpunks.su/download/keks-$version.tar.zst
+$ [fetch|wget] http://www.keks.cypherpunks.su/download/keks-$version.tar.zst.sig
+
 0.1.0 | XXXX-XX-XX | XXX KiB
     => download/keks-0.1.0.tar.zst.meta4
     => download/keks-0.1.0.tar.zst