Bug 14304: Document stripping of MAR files

We add a section explaining how to verify that the signed MAR files we
ship are essentially the ones our Gitian setup produced.

docs/en/verifying-signatures.wml

@@ -237,6 +237,28 @@
 
     <hr>
 
+    <a id="MARVerification"></a>
+    <h3><a class="anchor" href="#MARVerification">
+    Verifying MAR files we ship (advanced)</a></h3>
+    <hr>
+    <p>Starting with Tor Browser 4.5a4 we sign our MAR files which helps
+    securing our update process. The downside of this is the need for additional
+    instructions to verify that the MAR files we ship are indeed the ones we
+    produced with our Gitian setup.</p>
+
+    <p>Assuming the verification happens on a Linux computer one first needs the
+    <tt>mar-tools-linux*.zip</tt> out of the <tt>gitian-builder/inputs</tt>
+    directory to remove the embedded signature(s). The steps to get the unsigned
+    MAR file on a 64 bit Linux are</p>
+    <pre>
+    cd /path/to/MAR/file
+    unzip /path/to/gitian-builder/inputs/mar-tools-linux64.zip
+    mar-tools/signmar -r your-signed-mar-file.mar your-unsigned-mar-file.mar</pre>
+    <p>Now you can compare the SHA256 sum of <tt>your-unsigned-mar-file.mar</tt>
+    with the one provided in the <tt>sha265sums.txt</tt> or
+    <tt>sha256sums.incremental.txt</tt> as outlined in <a href="#BuildVerification">Verifying
+    sha256sums (advancded)</a> above.</p>
+
   </div>
   <!-- END MAINCOL -->
   <div id = "sidecol">