Add a new page for the MSYS2 installer

This information up to now lived in the msys2-installer repo.
Move it here and expand it with some information to verify the
checksums and the signature.

With the signature/checksum stuff now being there we can just link it
from the main page. Most users wont know what signatures are, so let's not
confuse them with it.

The installer page now links to the hosted checksum file instead of embedding
it in the website, which in theory would reduce security, but if users want
to be sure they need to use gnupg anyway.

The signature part is a bit of a chicken egg thing since it assumes you have
gnupg available. Not sure how that could be improved.

Author: lazka

mkdocs.yml

@@ -89,6 +89,7 @@ nav:
         - docs/ci.md
         - docs/terminals.md
         - docs/ides-editors.md
+        - docs/installer.md
         - Package Management:
           - docs/package-management.md
           - docs/package-naming.md

web/docs/installer.md

@@ -0,0 +1,93 @@
+# MSYS2 Installer & Archives
+
+The MSYS2 installer can be used to set up an initial MSYS2 environment. For
+further updating pacman is used. See [the updating guide](./updating.md) for
+more information.
+
+![screenshot](installer.png)
+
+The installer is based on the Qt Installer Framework and built using the
+[following scripts](https://github.com/msys2/msys2-installer). In addition to
+the GUI installer we provide a self extracting archive and a XZ compressed
+archive with the same content.
+
+The installer executables and tarballs are hosted on [GitHub](https://github.com/msys2/msys2-installer/releases) as well as on the [repo server](https://repo.msys2.org/distrib). We also provide [nightly builds](https://github.com/msys2/msys2-installer/releases/tag/nightly-x86_64).
+
+## CLI Usage Examples
+
+Installing the GUI installer via the CLI to `C:\msys64`:
+
+```powershell
+.\msys2-x86_64-latest.exe in --confirm-command --accept-messages --root C:/msys64
+```
+
+Uninstalling an existing installation in `C:\msys64` via the CLI:
+
+```powershell
+C:\msys64\uninstall.exe pr --confirm-command
+```
+
+Installing the self extracting archive to `C:\msys64`:
+
+```powershell
+.\msys2-base-x86_64-latest.sfx.exe -y -oC:\
+```
+
+## FAQ
+
+### What's the difference between the installer and the archives?
+
+The installer provides some additional features such as installing shortcuts, registering an uninstaller, a GUI for selecting the installation path and automatically running a login shell at the end to initialize the MSYS2 environment.
+
+If you unpack the archives and run a login shell once, you will get a functionally equivalent MSYS2 installation.
+
+### What is contained in the installer/archives?
+
+It contains the [base](https://packages.msys2.org/package/base) package and all its dependencies. You can list the contained packages using: `pactree base -lu | sort`
+
+### How can I verify the basic integrity of the downloaded files?
+
+You can download the expected checksum by appending `.sha256` to each download URL. You can verify that the downloaded file matches the checksum by computing the checksum either with Powershell:
+
+```powershell
+(Get-FileHash -Algorithm SHA256 -Path .\msys2-x86_64-20230526.exe).Hash.toLower()
+432dcc8b5cc7d5104a85b52df8b1e77cdf91018e102ac7aa998248637d636229
+```
+
+or with 7-Zip, if you have it installed:
+
+* Right clicking on `msys2-x86_64-20230526.exe`
+* Go into the "7-Zip" and then "CRC SHA" sub menu, and finally click on "SHA-256"
+* 7-Zip will pop up a window containing the checksum
+
+Compare the result with the content of "https://github.com/msys2/msys2-installer/releases/download/2023-05-26/msys2-x86_64-20230526.exe.sha256" to verify that your local file matches the checksum.
+
+### How can I verify that the downloaded files were generated by MSYS2 developers?
+
+The installer is signed using the following key:
+
+[`0EBF 782C 5D53 F7E5 FB02  A667 46BD 761F 7A49 B0EC`](http://keyserver.ubuntu.com/pks/lookup?search=0x0ebf782c5d53f7e5fb02a66746bd761f7a49b0ec&fingerprint=on&op=vindex)
+
+You can download the signature by appending a `.sig` to all download URLs.
+
+Verification example:
+
+```console
+$ gpg --keyserver keyserver.ubuntu.com --recv "0EBF 782C 5D53 F7E5 FB02  A667 46BD 761F 7A49 B0EC"
+gpg: key 46BD761F7A49B0EC: public key "Christoph Reiter <[email protected]>" imported
+gpg: Total number processed: 1
+gpg:               imported: 1
+$ ls
+msys2-x86_64-20230526.exe  msys2-x86_64-20230526.exe.sig
+$ gpg --verify msys2-x86_64-20230526.exe.sig
+gpg: assuming signed data in 'msys2-x86_64-20230526.exe'
+gpg: Signature made Fr 26 Mai 2023 11:46:54 CEST
+gpg:                using RSA key E0AA0F031DBD80FFBA57B06D5A62D0CAB6264964
+gpg: Good signature from "Christoph Reiter <[email protected]>" [unknown]
+gpg: WARNING: This key is not certified with a trusted signature!
+gpg:          There is no indication that the signature belongs to the owner.
+Primary key fingerprint: 0EBF 782C 5D53 F7E5 FB02  A667 46BD 761F 7A49 B0EC
+     Subkey fingerprint: E0AA 0F03 1DBD 80FF BA57  B06D 5A62 D0CA B626 4964
+```
+
+For the signature to be valid, gnupg has to print "Good signature" **and** the primary fingerprint shown has to match `0EBF 782C 5D53 F7E5 FB02  A667 46BD 761F 7A49 B0EC`.

web/docs/installer.png

@@ -39,9 +39,7 @@ MSYS2 and what for.
 
 1. Download the installer: <a href="https://github.com/msys2/msys2-installer/releases/download/2023-05-26/msys2-x86_64-20230526.exe" class="button">msys2-x86_64-20230526.exe</a>
 
-    <span style="opacity: 0.6; word-wrap: break-word;">Verify with SHA256 checksum `432dcc8b5cc7d5104a85b52df8b1e77cdf91018e102ac7aa998248637d636229`
-    or [GPG signature](https://github.com/msys2/msys2-installer/releases/download/2023-05-26/msys2-x86_64-20230526.exe.sig)
-    by [0xf7a49b0ec](http://keyserver.ubuntu.com/pks/lookup?search=0x0ebf782c5d53f7e5fb02a66746bd761f7a49b0ec&fingerprint=on&op=vindex).</span>
+    <span style="opacity: 0.6; word-wrap: break-word;">For more information on the installer, like command line options, or how to verify the checksum and signature of the installer, see the [installer guide](./docs/installer.md).</span>
 
 2. Run the installer. MSYS2 requires 64 bit Windows 8.1 or newer.