Update README

- Added instructions about go install and other installation methods.

- Pointed to official app page for the agent on tillitis.se.

- Removed some erroneous (the part of about outputting public key) and
  superflous (developing own apps, parts left over from when this was
  the -apps repo).

- Moved around some things which were clearly in the wrong place or
  confusing.

- Changed heading level for "Disabling touch requirement".

README.md

@@ -2,25 +2,89 @@
 
 # TKey SSH Agent
 
-This repository contains the `tkey-ssh-agent`, an OpenSSH-compatible
-agent for use with the [Tillitis](https://tillitis.se/) TKey USB
-security token.
+`tkey-ssh-agent` is an OpenSSH-compatible agent for use with the
+[Tillitis](https://tillitis.se/) TKey USB security token.
 
-Note that development is ongoing. For example, changes might be made
-to [the signer device
-app](https://github.com/tillitis/tkey-device-signer), causing the
-public/private key it provides to change. To avoid unexpected changes
-please use a tagged release.
+**Warning**: Please use tagged releases for any real use. Development
+on main might mean we change which version of the [the signer device
+app](https://github.com/tillitis/tkey-device-signer) we use which
+would cause the SSH key pair to change!
 
 See [Release notes](docs/release_notes.md).
 
-## Developing
+## Installing
 
-See the [TKey Developer Handbook](https://dev.tillitis.se/) for how to
-develop your own TKey apps, how to run and debug them in the emulator
-or on real hardware.
+tkey-ssh-agent might be available in your operating system's package
+system.
 
-[Current list of known projects](https://dev.tillitis.se/projects/).
+If not, see [Tillitis' application page for the
+agent as well as instructions](https://tillitis.se/app/tkey-ssh-agent/).
+
+If there's no official package for your system the easiest way to
+install is probably to:
+
+```
+$ go install github.com/tillitis/tkey-ssh-agent/cmd/tkey-ssh-agent@latest
+```
+
+After this the `tkey-ssh-agent` command should be available in your
+`$GOBIN` directory.
+
+Note that installing with `go install` doesn't set the version like
+building with other methods does. See building below.
+
+You will also have to install these manually:
+
+- Manual page `system/tkey-ssh-agent.1`.
+- udev rules, see `system/60-tkey.rules` (Linux).
+- systemd service unit, see `system/tkey-ssh-agent.service.tmpl` and
+  change `##BINDIR##` to where you installed `tkey-ssh-agent` (some
+  Linux dists).
+
+If you're building from source (see below) there is a `make install`
+target that installs the agent and the udev rules. Please see
+`Makefile` to see that everything ends up where you want to. Typically
+you will have to do:
+
+```
+$ sudo make install
+$ sudo make reload-rules
+```
+
+## Using tkey-ssh-agent
+
+`tkey-ssh-agent` tries to auto-detect the TKey. If more than one is
+found, or if you're running on QEMU, then you'll need to use the
+`--port` flag:
+
+```
+$ ./tkey-ssh-agent -a ./agent.sock --port /dev/pts/1
+```
+
+This will start the SSH agent and tell it to listen on the specified
+socket `./agent.sock`.
+
+**Nota bene**: If the signer app binary, the USS, or the UDS in the
+physical USB stick change your key pair will change.
+
+If you copy-paste the public key into your `~/.ssh/authorized_keys`
+you can try to log onto your local computer (if sshd is running
+there). The socket path set/output above is also needed by SSH in
+`SSH_AUTH_SOCK`:
+
+```
+$ SSH_AUTH_SOCK=/path/to/agent.sock ssh -F /dev/null localhost
+```
+
+`-F /dev/null` is used to ignore your ~/.ssh/config which could
+interfere with this test.
+
+The tkey-ssh-agent also supports the `--uss` and `--uss-file` flags to
+enter a User Supplied Secret.
+
+You can use `--show-pubkey` (short flag: `-p`) to only output the
+pubkey. The pubkey is printed to stdout for easy redirection, but some
+messages are still present on stderr.
 
 ## Building
 
@@ -70,8 +134,9 @@ this is not the expected binary.
 
 ### Building with another signer
 
-For convenience, and to be able to support `go install` the signer
-device app binary is included under `cmd/tkey-ssh-agent`.
+For convenience, and to be able to support `go install` a precompiled
+[signer device app](https://github.com/tkey-device-signer) binary is
+included under `cmd/tkey-ssh-agent`.
 
 If you want to replace the signer used you have to:
 
@@ -88,70 +153,33 @@ If you want to use the `build.sh` script you change the
 `signer_version` variable and the URL used to clone the signer device
 app repo.
 
-### Using tkey-ssh-agent
-
-This client app is a complete, alternative SSH agent with practical
-use. The needed signer device app binary gets built into the
-tkey-ssh-agent, which will load it onto USB stick when started.
-
-`tkey-ssh-agent` tries to auto-detect the TKey. If more than one is
-found, or if you're running on QEMU, then you'll need to use the
-`--port` flag:
-
-```
-$ ./tkey-ssh-agent -a ./agent.sock --port /dev/pts/1
-```
-
-This will start the SSH agent and tell it to listen on the specified
-socket `./agent.sock`.
-
-It will also output the SSH ed25519 public key for this instance of
-the app on this specific TKey USB stick. 
-
-**Nota bene**: If the signer app binary, the USS, or the UDS in the
-physical USB stick change your key pair will change.
-
-If you copy-paste the public key into your `~/.ssh/authorized_keys`
-you can try to log onto your local computer (if sshd is running
-there). The socket path set/output above is also needed by SSH in
-`SSH_AUTH_SOCK`:
-
-```
-$ SSH_AUTH_SOCK=/path/to/agent.sock ssh -F /dev/null localhost
-```
-
-`-F /dev/null` is used to ignore your ~/.ssh/config which could
-interfere with this test.
-
-The tkey-ssh-agent also supports the `--uss` and `--uss-file` flags to
-enter a User Supplied Secret.
-
-You can use `--show-pubkey` (short flag: `-p`) to only output the
-pubkey. The pubkey is printed to stdout for easy redirection, but some
-messages are still present on stderr.
+### Disabling touch requirement
 
-#### Installing tkey-ssh-agent
+The [signer device app](https://github.com/tkey-device-signer)
+normally requires the TKey to be physically touched to make a
+signature. For special purposes it can be compiled without this
+requirement by setting the environment variable
+`TKEY_SIGNER_APP_NO_TOUCH` to some value when building. Example: `make
+TKEY_SIGNER_APP_NO_TOUCH=yesplease`.
 
-The [`Makefile`](Makefile) has an `install` target that installs
-tkey-ssh-agent and the above mentioned `60-tkey.rules`. First `make`
-then `sudo make install`, then `sudo make reload-rules` to apply the
-rules to the running system. This also installs a man page which
-contains some useful information, try `man ./system/tkey-ssh-agent.1`
-to read it before installing.
+*Note well*: You have to do this when building both the signer and the
+client apps. `tkey-ssh-agent` will also stop displaying notifications
+about touch if the variable is set.
 
-There is also a Work In Progress Debian/Ubuntu package which can be
-build using the script `debian/build-pkg.sh`.
+**Warning**: Of course changing the code also changes the signer
+binary and as a consequence the SSH key pair will also change.
 
-#### Windows support
+### Windows support
 
-tkey-ssh-agent can be built for and run on Windows. The Makefile has a
+`tkey-ssh-agent` can be built for Windows. The Makefile has a
 `windows` target that produces `tkey-ssh-agent.exe` and
 `tkey-ssh-agent-tray.exe`. The former is a regular command-line
-program that can be used for example in PowerShell. The latter is a
-small program (built for the `windowsgui` subsystem; no console) that
-sets up a tray icon and launches `tkey-ssh-agent.exe` (which it
-expects to find next to itself) with the same arguments that it was
-itself passed. For automatically starting the SSH agent when logging
+application, suitable for use in environments like PowerShell. The
+latter is a small application built for the `windowsgui`
+subsystem, meaning it operates without a console. Its primary function
+is to create a tray icon and initiate `tkey-ssh-agent.exe` with the
+identical arguments it received. They are assumed to be located in the
+same directory. For automatically starting the SSH agent when logging
 onto the computer, a shortcut to `tkey-ssh-agent-tray.exe`, with the
 required arguments, can be added in your user's `Startup` folder.
 
@@ -180,7 +208,7 @@ the System Control Panel. Or using PowerShell:
 [Environment]::SetEnvironmentVariable('SSH_AUTH_SOCK', '\\.\pipe\tkey-ssh-agent', 'User')
 ```
 
-You can learn more about environment variables on Windows in [this
+You can learn more about environment variables on Windows in [Microsoft's
 article](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_environment_variables).
 
 The SSH Agent can also be used with the Git-for-Windows client
@@ -200,22 +228,6 @@ The last command should output something like
 For details on how we package and build an MSI installer, see
 [system/windows/README.md](system/windows/README.md).
 
-### Disabling touch requirement
-
-The [signer device app](https://github.com/tkey-device-signer)
-normally requires the USB stick to be physically touched for signing
-to complete. For special purposes it can be compiled with this
-requirement removed, by setting the environment variable
-`TKEY_SIGNER_APP_NO_TOUCH` to some value when building. Example: `make
-TKEY_SIGNER_APP_NO_TOUCH=yesplease`. 
-
-*Note well*: You have to do this when building both the signer and the
-client apps. The client apps will also stop displaying notifications
-about touch if the variable is set.
-
-Of course this changes the signer app binary and as a consequence the
-derived private key and identity will change.
-
 ## Licenses and SPDX tags
 
 Unless otherwise noted, the project sources are licensed under the