More rephrasing in the README
Getty Ritter
10 years ago
| 6 | 6 | The `verify` script is a small script that intends to make the |
| 7 | 7 | unfortunately common pattern of installing software using |
| 8 | 8 | `curl | sh` more secure. The `verify` script is a very small |
| 9 |
interface on top of OpenBSD's |
|
| 9 | interface on top of OpenBSD's | |
| 10 | [signify](http://www.tedunangst.com/flak/post/signify) | |
| 11 | code-signing tool | |
| 10 | 12 | that fits in the middle of pipelines, letting you transform |
| 11 | 13 | the insecure pipeline |
| 12 | 14 | |
| 19 | 21 | ~~~.sh |
| 20 | 22 | $ curl some-package.verified | verify | sh |
| 21 | 23 | ~~~ |
| 24 | ||
| 25 | which will not execute the downloaded program if the package | |
| 26 | has not been signed by a trusted key. The keys used by | |
| 27 | [signify](http://www.tedunangst.com/flak/post/signify) | |
| 28 | are | |
| 29 | [Ed25519](http://ed25519.cr.yp.to/index.html) keys, and | |
| 30 | therefore are very small and can be easily stored and | |
| 31 | distributed in numerous ways. | |
| 22 | 32 | |
| 23 | 33 | Additionally, if you don't have the public key that signed a |
| 24 | 34 | package, and want to trust a package _just this one time_, |