trent power — quick verification
edition 2026-05-19

this file is the fast verification path. four commands; each
either prints `Good signature` / `OK` or fails loudly. if any
step fails, do not trust the archive; consult VERIFY.txt for the
full chain and contact details for reporting tampering.

Prerequisites
-------------
  gpg          (GnuPG 2.x)
  sha256sum    (or `shasum -a 256` on macOS — replace below)
  unzip        (already used to extract this archive)
  curl         (only for step 3 if you want to refresh the
                signature against the live origin)

Step 1 — Import the signing key
-------------------------------
  gpg --import ./.well-known/pgp-key.asc
  expected: imported key A729 591B 450D 3F59 …

Step 2 — Verify the release metadata
------------------------------------
  gpg --verify ./release.json.sig ./release.json
  expected: Good signature from Trent POWER

Step 3 — Verify the file-level manifest (live origin)
-----------------------------------------------------
  curl -O https://trentpower.fr/integrity/releases/2026-05-19/integrity-redistributable.json
  curl -O https://trentpower.fr/integrity/releases/2026-05-19/integrity-redistributable.json.sig
  gpg --verify integrity-redistributable.json.sig integrity-redistributable.json
  expected: Good signature from Trent POWER

Step 4 — Verify every file in this archive
------------------------------------------
  bash ./verify.sh
  expected:
    Verification Result:
      ✓ <N> files verified
      ✓ <M> files intentionally excluded
      ✗ 0 unexpected mismatches
    Archive is authentic for edition 2026-05-19.

if step 4 reports any unexpected mismatch, the archive is not
authoritative; trust the bytes signed at
https://trentpower.fr/integrity/releases/2026-05-19/ instead.

see VERIFY.txt for the long-form chain (sha256sums, integrity.json,
per-file hashes and historical edition cross-checks).
