diff --git a/README.md b/README.md index eb428a1..ec07ee6 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,16 @@ tooling, CI, evidence exporters, and operator automation. Do not embed Attesto A go get go.attesto.eu/sdk ``` +CLI binaries: `curl -fsSL https://get.attesto.eu | sh` (checksum-verified). +Verify the release signature before you trust its verifier: + +```shell +curl -fsSO https://get.attesto.eu/cosign.pub +curl -fsSO https://get.attesto.eu/0.3.0/SHA256SUMS +curl -fsSO https://get.attesto.eu/0.3.0/SHA256SUMS.sig +cosign verify-blob --key cosign.pub --insecure-ignore-tlog --signature SHA256SUMS.sig SHA256SUMS +``` + The first release is VCS-resolved from the Attesto repository. It intentionally uses only the Go standard library.