Added some more explanation to README
Getty Ritter
10 years ago
| 1 | 1 | # Verify |
| 2 | 2 | |
| 3 | [ describe more here ] | |
| 3 | **WARNING**: `verify` is still in the experimental phase. **Do not | |
| 4 | use this yet!** | |
| 5 | ||
| 6 | The `verify` script is a small script that intends to make the | |
| 7 | common and commonly-derided pattern of installing software with | |
| 8 | `curl | sh` more secure. The `verify` script is a very small | |
| 9 | interface on top of OpenBSD's [signify] tool for code-signing | |
| 10 | that fits in the middle of pipelines, letting you transform | |
| 11 | the insecure pipeline | |
| 12 | ||
| 13 | ~~~.sh | |
| 14 | $ curl some-package | sh | |
| 15 | ~~~ | |
| 16 | ||
| 17 | to the more secure | |
| 18 | ||
| 19 | ~~~.sh | |
| 20 | $ curl some-package.verified | verify | sh | |
| 21 | ~~~ | |
| 22 | ||
| 23 | ## Running the Example | |
| 24 | ||
| 25 | Make sure that OpenBSD's `signify` is somewhere in your `$PATH`. | |
| 26 | Create a directory `$HOME/.trusted` and copy the public key | |
| 27 | `example/sample-key.pub` to that directory. Afterwards, you'll | |
| 28 | be able to download the sample script and execute its (trivial) | |
| 29 | command: | |
| 30 | ||
| 31 | ~~~.sh | |
| 32 | $ curl https://github.com/aisamanra/verify/raw/master/example/sample-payload.tar | verify | sh | |
| 33 | If you can read this, then it has been verified. | |
| 34 | ~~~ | |
| 35 | ||
| 36 | If you delete that trusted key, then running the same command | |
| 37 | will result in an error. |
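Review bot: the new README never states what `verify` does on stdout when verification fails, and that is the property the whole `curl ... | verify | sh` pipeline rests on: `sh` executes whatever bytes reach it, and a non-zero exit from `verify` does not stop it, so the guarantee worth documenting (lines 6-21 of the new text) is that `verify` writes nothing to stdout until the entire payload has been checked against a key in `$HOME/.trusted`, and exits non-zero otherwise. The "Running the Example" section should also say which key files in `$HOME/.trusted` are consulted and how (every `*.pub` in the directory, or a name embedded in the payload), since "copy the public key ... to that directory" leaves a reader unsure whether a mismatched filename will cause a spurious failure. Finally, the intro calls the signed artifact `some-package.verified` while the example fetches `sample-payload.tar`; state what the container is (for instance "a tar archive containing the script and its `signify` signature") so the two agree. The claim that deleting the trusted key "will result in an error" would be clearer with the actual error line the reader should expect.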