diff --git a/verifiers/internal/gcb/keys/README.md b/verifiers/internal/gcb/keys/README.md index 22f4ea290..111f53caf 100644 --- a/verifiers/internal/gcb/keys/README.md +++ b/verifiers/internal/gcb/keys/README.md @@ -1,8 +1,10 @@ # Download the GCB keys -This is a temporary solution. We should pin the CA certificate when downloading, maybe using curl and the googlecloudapi REST endpoint. +This is a temporary solution. We should try to automate key verification on pre-submits. +We should pin the CA certificate when downloading them, maybe using curl and the googlecloudapi REST endpoint. See discussion in [#181](https://github.com/slsa-framework/slsa-verifier/issues/181). +For now, you can verify the keys we downloaded by downloading them yourself. ```shell cd verifiers/internal/gcb/keys
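Review bot: the added sentence "For now, you can verify the keys we downloaded by downloading them yourself" tells the reader to re-fetch the keys but never says what to compare the result against, and the shell block that follows is cut off in this hunk, so the manual check is not actually specified. Suggest recording the SHA-256 digest of each key file checked into `verifiers/internal/gcb/keys` in this README (or in a checksum file beside the keys) and stating that the re-downloaded files must match those digests; that same digest list is what the pre-submit automation mentioned in the first added line would compare against, so it serves both the interim manual procedure and the planned fix. Note also that "pin the CA certificate when downloading them" only constrains which CA issued the endpoint's TLS certificate; it does not by itself establish that the checked-in keys match what GCB publishes, so the README should keep the digest comparison as the actual verification step and present CA pinning as hardening of the download, not as the verification. Minor: the two "We should ..." sentences read as one thought split in two; merging them ("... automate key verification on pre-submits and pin the CA certificate when downloading the keys, maybe using ...") also removes the ambiguous "them".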