[site] Add a 'verifying integrity' section do download page

commit: d0dc054de0bf2c65d68e1f2369ca234b0709cf55 [log] [tgz]
author: Claude Brisson <claude@renegat.net> Tue Mar 09 10:27:14 2021 +0100
committer: Claude Brisson <claude@renegat.net> Tue Mar 09 10:27:14 2021 +0100
tree: 57cd790f35a24c2ea3de19f6b795a394ecdd5749
parent: 01f88e1c3709648fdcc479acc59a008cb3f1fcf2 [diff]
diff --git a/src/content/download.mdtext b/src/content/download.mdtext
index 22f580e..fc7c597 100644
--- a/src/content/download.mdtext
+++ b/src/content/download.mdtext

@@ -37,11 +37,15 @@
 
 You may also consult the [complete list of mirrors](https://www.apache.org/mirrors/).
 
-The <tt>KEYS</tt> link links to the code signing keys used to sign the product.
-The <tt>PGP</tt> links download the OpenPGP compatible signature from our main site. 
-The <tt>SHA</tt> links download the checksum from the main site. None of these should be downloaded from the mirrors.
+### Verifying integrity of downloaded files
 
-[KEYS](https://www.apache.org/dist/velocity/KEYS)
+It is essential that you [verify the integrity](https://www.apache.org/info/verification.html) of all downloaded files using the PGP and/or SHA signatures.
+
+The <tt>PGP</tt> links download the OpenPGP compatible signature from our main site.
+The <tt>SHA</tt> links download the checksum from the main site.
+None of these should be downloaded from the mirrors.
+
+Here are the Apache Velocity PGP [KEYS](https://www.apache.org/dist/velocity/KEYS) used to sign the files.
 
 ## Production releases
commit	d0dc054de0bf2c65d68e1f2369ca234b0709cf55	[log] [tgz]
author	Claude Brisson <claude@renegat.net>	Tue Mar 09 10:27:14 2021 +0100
committer	Claude Brisson <claude@renegat.net>	Tue Mar 09 10:27:14 2021 +0100
tree	57cd790f35a24c2ea3de19f6b795a394ecdd5749
parent	01f88e1c3709648fdcc479acc59a008cb3f1fcf2 [diff]