- <listitem><para><emphasis>Publish the key fingerprint</emphasis>,
- that way your users will know what key they need to import in
- order to authenticate the files in the
- archive.</para></listitem>
+ <listitem><para>
+ <emphasis>Publish the key fingerprint</emphasis>, so that your users
+ will know what key they need to import in order to authenticate the files
+ in the archive. It is best to ship your key in its own keyring package
+ like &keyring-distro; does with &keyring-package; to be able to
+ distribute updates and key transitions automatically later.
+ </para></listitem>
+
+ <listitem><para>
+ <emphasis>Provide instructions on how to add your archive and key</emphasis>.
+ If your users can't acquire your key securely the chain of trust described above is broken.
+ How you can help users add your key depends on your archive and target audience ranging
+ from having your keyring package included in another archive users already have configured
+ (like the default repositories of their distribution) to leveraging the web of trust.
+ </para></listitem>