Commit 4c1a1a0

docs(readme): restructure FAQ binary trust paragraph
Replace em-dash interruptions with stand-alone sentences so each clause stands on its own, per CONTRIBUTING.md style guidance.
1 parent 2aa3991 commit 4c1a1a0

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

README.md

Lines changed: 1 addition & 1 deletion
@@ -188,7 +188,7 @@ Using AI also does not mean poor quality. On the contrary, AI reviews have helpe
188188

189189
### How can I trust the release binaries?
190190

191-
Starting with version 0.23.0, every executable published to [GitHub Releases](https://github.com/KSXGitHub/parallel-disk-usage/releases) is accompanied by a [build provenance attestation](https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). The attestation is cryptographically signed by [Sigstore](https://www.sigstore.dev/) — a public-good signing service operated by the Linux Foundation — and records that the binary was built by this repository's GitHub Actions deployment workflow from a specific commit. Because the signing happens inside GitHub's infrastructure via OIDC and the signatures are logged to Sigstore's public transparency log, the guarantee does not depend on trusting the maintainer's personal word: any tampered or manually uploaded binary would fail verification.
191+
Starting with version 0.23.0, every executable published to [GitHub Releases](https://github.com/KSXGitHub/parallel-disk-usage/releases) is accompanied by a [build provenance attestation](https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). The attestation is cryptographically signed by [Sigstore](https://www.sigstore.dev/) and records that the binary was built by this repository's GitHub Actions deployment workflow from a specific commit. Sigstore is a public-good signing service operated by the Linux Foundation. The signing happens inside GitHub's infrastructure via OIDC, and the signatures are logged to Sigstore's public transparency log. The guarantee therefore does not depend on trusting the maintainer's personal word. Any tampered or manually uploaded binary would fail verification.
192192

193193
To verify a downloaded binary, install the [GitHub CLI](https://cli.github.com/) and run:
194194

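Review bot: the closing sentence of the rewritten line 191, "Any tampered or manually uploaded binary would fail verification.", promises more than the attestation alone delivers: a manually uploaded binary simply has no attestation, and a tampered one is only caught if the reader actually runs the verification step that line 193 introduces and scopes it to this repository, so that an attestation produced by some other repository's workflow is not accepted. Suggest qualifying it, for example "Any tampered or manually uploaded binary would fail the verification below, provided the check is scoped to this repository." Separately, the restructured paragraph now names Sigstore in one sentence and defines it in the next; moving "Sigstore is a public-good signing service operated by the Linux Foundation." ahead of its first use would read more naturally.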