--- a/doc/makefile-variables.txt	Tue Dec 09 18:47:43 2014 +0100
+++ b/doc/makefile-variables.txt	Tue Dec 09 11:43:38 2014 -0800
@@ -14,6 +14,16 @@
   field of `sha256sum $(COMPONENT_ARCHIVE)`.
 * COMPONENT_ARCHIVE_URL is where the archive can be downloaded from.  This is
   typically constructed from $(COMPONENT_PROJECT_URL) and $(COMPONENT_ARCHIVE).
+* COMPONENT_SIG_URL is the URL where the PGP signature for $(COMPONENT_ARCHIVE)
+  can be found.  This can be used in addition to the hash in
+  $(COMPONENT_ARCHIVE_HASH) to verify the correctness of the archive.  If
+  COMPONENT_SIG_URL is present, then COMPONENT_ARCHIVE_HASH needn't be, but its
+  presence is strongly encouraged to ensure that the archive contents don't
+  change silently.  If the signature results in a new key being added to
+  tools/.gnupg/pubring.pgp, then as part of your code review, please show the
+  diffs of the text version of the file by running
+      gpg2 --homedir $WS/tools/.gnupg --fingerprint
+  both before and after the change.
 * COMPONENT_BUGDB is the lower-case rendering of the BugDB cat/subcat.
 
 These two are both initialized in make-rules/shared-macros.mk rather than any