From 47ff8a83db35ed55f9a2a12125737a38ce41ae0e Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 16 Aug 2022 22:21:52 +0000 Subject: [PATCH] update --- verifiers/internal/gcb/keys/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/verifiers/internal/gcb/keys/README.md b/verifiers/internal/gcb/keys/README.md index 22f4ea290..111f53caf 100644 --- a/verifiers/internal/gcb/keys/README.md +++ b/verifiers/internal/gcb/keys/README.md @@ -1,8 +1,10 @@ # Download the GCB keys -This is a temporary solution. We should pin the CA certificate when downloading, maybe using curl and the googlecloudapi REST endpoint. +This is a temporary solution. We should try to automate key verification on pre-submits. +We should pin the CA certificate when downloading them, maybe using curl and the googlecloudapi REST endpoint. See discussion in [#181](https://github.com/slsa-framework/slsa-verifier/issues/181). +For now, you can verify the keys we downloaded by downloading them yourself. ```shell cd verifiers/internal/gcb/keys
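Review bot: The last added line of the hunk, "For now, you can verify the keys we downloaded by downloading them yourself.", does not say how the reader should compare their own download with the committed key files, so the verification step is incomplete as documented. Suggest adding an explicit comparison step after the download commands in the shell block, either a byte-for-byte diff or a digest comparison of each file against the copy in verifiers/internal/gcb/keys, and stating that any difference should be reported rather than committed. The same paragraph says "We should pin the CA certificate when downloading them", which implies the download is not pinned today. A re-download is therefore a consistency check from a second vantage point, not an authenticated one, and the README should say so until the pre-submit automation exists. The subject line "update" would also be easier to track if it named the README change.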