From c3534cede2c26d44cb3b541d4633a0821e47f4b3 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 7 May 2019 08:57:40 -0400
Subject: [PATCH] explain that updates are signed internally

---
 static/releases.html | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/static/releases.html b/static/releases.html
index bd1740f9..3ae52ef8 100644
--- a/static/releases.html
+++ b/static/releases.html
@@ -42,6 +42,12 @@
             but may be in the future once they're being used more consistently. Update packages
             are not for performing the initial installation and you should ignore incorrect guides
             trying to use them to install the OS.</p>
+            <p>The update packages have a internal signature verified by the update client (or
+            recovery image when sideloading). Downgrade attacks are also prevented, and downgrades
+            cannot be done unless a special downgrade update package has been signed with the
+            release key. The internal payload for `update_engine` is also signed, providing
+            another layer of signature verification and downgrade protection. Verified boot and
+            the hardware-backed keystore also act as a final layer of protection.</p>
             <p>Releases are tested by the developers and are then pushed out via the Beta channel.
             The release is then pushed out via the Stable channel after being tested by some users
             using the Beta channel. In some cases, problems are caught during Beta channel testing