improve image download verification documentation #583
Description
documents such as https://coreos.com/os/docs/latest/booting-with-qemu.html instruct a user to download CoreOS images over http. the CoreOS mirrors linked from https://coreos.com/releases/ contain gpg signatures, but our page containing signing key information (https://coreos.com/os/docs/latest/notes-for-distributors.html) and the page that contains the signing key (https://coreos.com/security/image-signing-key/) are not linked from there.
in the past i have tried to troubleshoot problems with users, only to find that their download from the release mirrors (*.release.core-os.net) was corrupted.
all documents that contain directions for downloading images or pages containing direct commands for downloading images should also recommend that a user verify the images.