From 4c1a1a0b0c1ad77bb75a36ab383a471c333185b6 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 3 May 2026 01:41:13 +0000 Subject: [PATCH] docs(readme): restructure FAQ binary trust paragraph Replace em-dash interruptions with stand-alone sentences so each clause stands on its own, per CONTRIBUTING.md style guidance. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3e29565b..bc67ff7f 100644 --- a/README.md +++ b/README.md 
@@ -188,7 +188,7 @@ Using AI also does not mean poor quality. On the contrary, AI reviews have helpe ### How can I trust the release binaries? -Starting with version 0.23.0, every executable published to [GitHub Releases](https://github.com/KSXGitHub/parallel-disk-usage/releases) is accompanied by a [build provenance attestation](https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). The attestation is cryptographically signed by [Sigstore](https://www.sigstore.dev/) — a public-good signing service operated by the Linux Foundation — and records that the binary was built by this repository's GitHub Actions deployment workflow from a specific commit. Because the signing happens inside GitHub's infrastructure via OIDC and the signatures are logged to Sigstore's public transparency log, the guarantee does not depend on trusting the maintainer's personal word: any tampered or manually uploaded binary would fail verification. +Starting with version 0.23.0, every executable published to [GitHub Releases](https://github.com/KSXGitHub/parallel-disk-usage/releases) is accompanied by a [build provenance attestation](https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). The attestation is cryptographically signed by [Sigstore](https://www.sigstore.dev/) and records that the binary was built by this repository's GitHub Actions deployment workflow from a specific commit. Sigstore is a public-good signing service operated by the Linux Foundation. The signing happens inside GitHub's infrastructure via OIDC, and the signatures are logged to Sigstore's public transparency log. The guarantee therefore does not depend on trusting the maintainer's personal word. Any tampered or manually uploaded binary would fail verification. To verify a downloaded binary, install the [GitHub CLI](https://cli.github.com/) and run:
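Review bot: the rewritten sentence "The attestation is cryptographically signed by [Sigstore]" now reads as if Sigstore itself performs the signing, which the following sentence ("The signing happens inside GitHub's infrastructure via OIDC") contradicts; the workflow's ephemeral key signs, and Sigstore issues the OIDC-bound certificate and records the entry in its transparency log. Suggest "The attestation is cryptographically signed using [Sigstore](https://www.sigstore.dev/), a public-good signing service operated by the Linux Foundation, and records that the binary was built by ..." which also lets the stand-alone "Sigstore is a public-good signing service" sentence be dropped rather than landing after the attestation is already described, so the paragraph reads in order: what the attestation is, who operates the infrastructure, why it can be trusted, and what fails.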