author Wolfgang Müller 2021-05-16 21:04:13 +0200
committer Wolfgang Müller 2021-05-16 21:10:56 +0200
commit 34012d409fc04a5b86c6f7413c238bc6410631d4 (patch)
tree c731c2aaba7181e79524820a124c2bb036cf036a
parent 95afc0ba01822234d8572502b728c9c1d1ac4332 (diff)
download site-34012d409fc04a5b86c6f7413c238bc6410631d4.tar.gz
posts: Clarify that signatures can also be obtained via cgit
Commit 751da2c (posts: Update posts to reflect usage of cgit's signature mechanism, 2021-05-06) updated the project pages as well as "Verifying snapshots with signify" with information regarding the new cgit signature mechanism, but neglected to mention that signatures can be obtained directly through git.oriole.systems as well (the project pages merely deeplink to that). Furthermore, with commit 28c2473 (posts: Add a new post: "Hosting signify signatures on cgit", 2021-05-16) we now have an explanatory piece which we can link if people are interested in the underlying infrastructure.
-rw-r--r-- posts/verify-with-signify.md 8
1 files changed, 5 insertions, 3 deletions
diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md
index d2061e2..85da646 100644
--- a/posts/verify-with-signify.md
+++ b/posts/verify-with-signify.md
@@ -4,7 +4,7 @@ author: Wynn Wolf Arbor
I use the [signify](https://flak.tedunangst.com/post/signify) tool to
cryptographically sign all software downloads you will find on this
-site.
+site and on [git.oriole.systems](https://git.oriole.systems).
Whilst you technically don't need `signify` to verify the _integrity_ of
downloaded files, I strongly recommend using it to also verify the
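Review bot: the added line "site and on [git.oriole.systems](https://git.oriole.systems)." stretches the existing "all software downloads" to everything served from the git host. If signatures are only published for some snapshots there (for example tagged releases), narrow the wording so a reader who finds no signature for a download does not assume the check is optional.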
@@ -20,8 +20,8 @@ browser or a tool like `curl` or `wget` to obtain the tarballs.
### Obtaining the signature and checksum
Whether or not you decide to use `signify` to verify downloaded files, you need
-to obtain the detached signature linked on the respective project page. It
-contains the signature as well as the checksum.
+to obtain the detached signature linked on the respective project page or git
+repository[^1]. It contains the signature as well as the checksum.
### Obtaining the public key
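Review bot: "or git repository[^1]" in the added lines does not say where in the repository view the signature is linked, and unlike the intro hunk it neither names nor links git.oriole.systems. Suggest naming the host here as well and stating where the signature link appears, and moving the footnote marker after the full stop so it does not read as part of "repository".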
@@ -55,3 +55,5 @@ the `sha256sum` tool to only verify the integrity of the download:
$ tail -n1 <snapshot>.asc | sha256sum -c
<snapshot>: OK
+
+[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post.
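Review bot: the link text "this" in the added footnote gives no hint of the destination, and the target "signify-cgit" is a bare relative path. Use the post title from the commit message as the link text, e.g. [Hosting signify signatures on cgit](signify-cgit), and confirm the relative target resolves from the rendered URL of this post.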