From abb7b4ced54fdb424b27821e65c481bbf9c21cba Mon Sep 17 00:00:00 2001 From: Dhruv Thakur Date: Mon, 19 Aug 2024 18:36:30 +0200 Subject: [PATCH] docs(readme): add steps for verifying binaries --- README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/README.md b/README.md index a497e33..4402f2b 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,9 @@ brew install dhth/tap/outtasync go install github.com/dhth/outtasync@latest ``` +Or get the binaries directly from a [release][2]. Read more about verifying the +authenticity of released artifacts [here](#-verifying-release-artifacts). + 🛠️ Pre-requisites --- 
@@ -154,6 +157,48 @@ q return to previous page/quit ![Usage-3](https://tools.dhruvs.space/images/outtasync/outtasync-3.png) +🔐 Verifying release artifacts +--- + +In case you get the `outtasync` binary directly from a [release][2], you may +want to verify its authenticity. Checksums are applied to all released +artifacts, and the resulting checksum file is signed using +[cosign](https://docs.sigstore.dev/cosign/installation/). + +Steps to verify (replace `x.y.z` in the commands listed below with the version +you want): + +1. Download the following files from the release: + + - outtasync_x.y.z_checksums.txt + - outtasync_x.y.z_checksums.txt.pem + - outtasync_x.y.z_checksums.txt.sig + +2. Verify the signature: + + ```shell + cosign verify-blob outtasync_x.y.z_checksums.txt \ + --certificate outtasync_x.y.z_checksums.txt.pem \ + --signature outtasync_x.y.z_checksums.txt.sig \ + --certificate-identity-regexp 'https://github\.com/dhth/outtasync/\.github/workflows/.+' \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" + ``` + +3. Download the compressed archive you want, and validate its checksum: + + ```shell + curl -sSLO https://github.com/dhth/outtasync/releases/download/vx.y.z/outtasync_x.y.z_linux_amd64.tar.gz + sha256sum --ignore-missing -c outtasync_x.y.z_checksums.txt + ``` + +3. If checksum validation goes through, uncompress the archive: + + ```shell + tar -xzf outtasync_x.y.z_linux_amd64.tar.gz + ./outtasync + # profit! + ``` + TODO --- @@ -166,3 +211,4 @@ Acknowledgements `outtasync` is built using the awesome TUI framework [bubbletea][1]. [1]: https://github.com/charmbracelet/bubbletea +[2]: https://github.com/dhth/outtasync/releases
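Review bot: In the second hunk (`@@ -154,6 +157,48 @@`), the final step is numbered `3.` twice ("3. Download the compressed archive you want..." and "3. If checksum validation goes through..."); the second one should be `4.`, otherwise the rendered list reads as if a step were missing. In the same hunk, the `cosign verify-blob` call passes `--certificate-identity-regexp 'https://github\.com/dhth/outtasync/\.github/workflows/.+'` without `^`/`$` anchors; as a defensive habit, anchor the pattern (`'^https://github\.com/dhth/outtasync/\.github/workflows/.+$'`) or, since the signing workflow path is fixed, use `--certificate-identity` with the exact identity the release workflow produces, so the check cannot be satisfied by any broader match. Lastly, the `curl` line hardcodes `outtasync_x.y.z_linux_amd64.tar.gz`; a short sentence telling readers to substitute the archive name for their platform (all of them are listed in `outtasync_x.y.z_checksums.txt`) would stop people copying the Linux archive onto other systems, and the `sha256sum --ignore-missing -c` step should be described as expected to fail if the downloaded filename does not appear in the checksums file.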