user.texinfo: Add instructions for verifying downloads.

diff --git a/doc/user-manual/user.texinfo b/doc/user-manual/user.texinfo
index 43c1c0b62fcab33fed20aeed5ebda10fef34e420..eef1a00710d2c3a96aac256f4f62d9a5a28aea76 100644 (file)
--- a/doc/user-manual/user.texinfo
+++ b/doc/user-manual/user.texinfo
@@ -3888,12 +3888,12 @@ should be apparent to the casual user.
 
 If your code does not hack Edwin and you previously said
 @example
-    $ mit-scheme --load my-code
+mit-scheme --load my-code
 @end example
 @noindent
 you should be able to say
 @example
-    $ mit-scheme-pucked --load my-code
+mit-scheme-pucked --load my-code
 @end example
 @noindent
 and be no worse off.
@@ -4023,12 +4023,13 @@ sudo apt-key add ~/Downloads/mhb-key.gpg
 Next add the repository to your list of package sources.
 On Ubuntu 16.10 (Yakkety Yak) you would use this command:
 @example
-sudo add-apt-repository -s "deb http://birchwood-abbey.net/ubuntu/ yakkety main"
+sudo add-apt-repository \
+        -s "deb http://birchwood-abbey.net/ubuntu/ yakkety main"
 @end example
 or by editing files in @file{/etc/apt/}.
 
 Finally, use your package manager to update its list of available
-packages and then choose the Scheme plugins you would like to install.
+packages and choose the Scheme plugins you would like to install.
 Scheme itself will be automatically selected because all of the
 plugins depend on it.  You might choose the
 @code{mit-scheme-pucked-x11-screen} plugin because it depends on
@@ -4057,17 +4058,24 @@ want to install the @code{x11-screen} plugin, which requires the
 project home page lists the package files available for a plugin
 @emph{and} all of its required plugins.
 
-After you have downloaded all required files, you might want to verify
-that each is authentic.  If you saved the GPG key in
-@file{~/Downloads/mhb-key.gpg}, you can add it to your keyring like
-this:
+If you would like to verify that the downloaded files are authentic
+you will need the corresponding @file{.changes} files.  Each contains
+checksums for the package files and is signed.  If you saved the GPG
+key in @file{~/Downloads/mhb-key.gpg}, you can add it to your keyring
+like this:
 @example
 gpg --import ~/Downloads/mhb-key.gpg
 @end example
-Then verify the signature on e.g. the @code{mit-scheme-pucked} package
-file like this:
+Then verify the signature on the @file{.changes} file like this:
 @example
-gpg --verify ~/Downloads/mit-scheme-pucked_9.2.7-1_amd64.deb ???
+gpg --verify ~/Downloads/mit-scheme-pucked_9.2.7-1_amd64.changes
+@end example
+Finally compare the checksum in the @file{.changes} file with one
+computed from your downloaded file.
+@example
+grep mit-scheme-pucked_9.2.7-1_amd64.deb \
+     mit-scheme-pucked_9.2.7-1_amd64.changes
+sha256sum mit-scheme-pucked_9.2.7-1_amd64.deb
 @end example
 
 After you have downloaded and verified all of the required files, you