codesigning readme updates

README.md

@@ -127,3 +127,17 @@ Today, to modify the way a service starts, the following files all need editing:
 Versions for all packages are defined in the config.yaml file, and within a function named *generate_url* for each source type. In the case where you need to test a package that has been built to a custom location, set a variable named <module>-url-override in the config file at the top level.  For example, to override the rejson package location create a variable named *rejson-url-override*.  In the case of RedisInsight, all packages would derive from *redisinsight-url-override*.
 
 Do not commit this change to a mainline branch.
+
+---
+
+## Signed Binaries
+
+The following redis-stack builds are currently signed using the Redis GPG key. The public key can be downloaded from [here](https://packages.redis.io/gpg).
+
+1. Debian archives (deb files) - The indivial packages themselves are signed, as is the debian archive respository. Repository signing can be found in the [debian tagging  repository](https://github.com/redis-stack/redis-stack-deb). Adding the apt repository includes [importing, and validating the GPG key](https://redis.io/docs/stack/get-started/install/linux/).
+
+2. RedHat packages (rpm files) - The indivial packages themselves are signed. Adding the rpm repository includes [importing, and validating the GPG key](https://redis.io/docs/stack/get-started/install/linux/).
+
+3. All binaries within OSX zip files are code-signed using Redis' code-signing certificates. Validation is handled by the operating system.
+
+4. Tarballs generated by redis-stack, are [GPG signed](https://github.com/redis-stack/redis-stack/pull/314).