
Commit 3c7fc88

docs(readme): document build provenance attestations for release binaries
Add a note to the GitHub install subsection and a new FAQ entry explaining that executables published to GitHub Releases starting from 0.22.1 are signed with Sigstore-backed build provenance attestations, along with the gh attestation verify command.
1 parent a0f4e3f commit 3c7fc88

1 file changed

Lines changed: 17 additions & 0 deletions


README.md

@@ -146,6 +146,8 @@ Beware that the structure of the JSON tree differs depending on the number of fi
146146

147147
Go to the [GitHub Release Page](https://github.com/KSXGitHub/parallel-disk-usage/releases) and download a binary.
148148

149+
Starting with version 0.22.1, every executable published to GitHub Releases ships with a build provenance attestation, so you can cryptographically verify that the binary was produced by this repository's deployment workflow rather than uploaded by hand. See [_How do I know the binaries on the GitHub Release page are genuine?_](#how-do-i-know-the-binaries-on-the-github-release-page-are-genuine) for the verification command.
150+
149151
#### From [crates.io](https://crates.io)
150152

151153
**Prerequisites:**
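Review bot: the paragraph added at +149 says what the attestation proves but not when the reader should act on it; since the file fetched from the Release page at line 147 is the one that gets executed, say explicitly that the binary should be verified before it is run, and consider inlining the single command (`gh attestation verify <downloaded-file> --repo KSXGitHub/parallel-disk-usage`) here so readers on the install path do not have to jump to the FAQ to find it. It would also help to repeat here, as the FAQ does, that releases before 0.22.1 carry no attestation, so a verification failure on an older binary is expected rather than a sign of tampering.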
@@ -183,6 +185,21 @@ No. "Vibe coding" means letting AI do everything without human involvement. This
183185

184186
Using AI also does not mean poor quality. On the contrary, AI reviews have helped detect previously undetected bugs.
185187

188+
### How do I know the binaries on the GitHub Release page are genuine?
189+
190+
Starting with version 0.22.1, every executable published to [GitHub Releases](https://github.com/KSXGitHub/parallel-disk-usage/releases) is accompanied by a [build provenance attestation](https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). The attestation is cryptographically signed by [Sigstore](https://www.sigstore.dev/) — a public-good signing service operated by the Linux Foundation — and records that the binary was built by this repository's GitHub Actions deployment workflow from a specific commit. Because the signing happens inside GitHub's infrastructure via OIDC and the signatures are logged to Sigstore's public transparency log, the guarantee does not depend on trusting the maintainer's personal word: any tampered or manually uploaded binary would fail verification.
191+
192+
To verify a downloaded binary, install the [GitHub CLI](https://cli.github.com/) and run:
193+
194+
```sh
195+
gh attestation verify pdu-x86_64-unknown-linux-gnu \
196+
--repo KSXGitHub/parallel-disk-usage
197+
```
198+
199+
(Replace `pdu-x86_64-unknown-linux-gnu` with the filename you downloaded.) A successful run prints the signer workflow and confirms that the file's SHA-256 matches the attested digest. All attestations for this repository can also be browsed at the [Attestations page](https://github.com/KSXGitHub/parallel-disk-usage/attestations).
200+
201+
Binaries from releases older than 0.22.1 are not attested.
202+
186203
## Similar programs
187204

188205
* **CLI:**
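Review bot: the sentence at +190 saying the attestation "is cryptographically signed by Sigstore" misdescribes the trust model, and the distinction matters for the guarantee the paragraph then claims. Sigstore holds no signing key for this project: the release workflow signs with an ephemeral key, Sigstore's Fulcio CA issues a short-lived certificate binding that key to the workflow's OIDC identity, and the signature is recorded in the Rekor transparency log. Reword along the lines of "signed by the release workflow with a short-lived key certified by Sigstore against the workflow's OIDC identity, with the signature recorded in Sigstore's public transparency log". On the command at +195 and +196: `--repo` accepts an attestation produced by any workflow in the repository, whereas the prose promises the binary "was built by this repository's GitHub Actions deployment workflow"; if that is the property readers are meant to check, add `--signer-workflow` (in the form OWNER/REPO/path-to-workflow.yml) naming the deployment workflow file, which this diff does not state and so must be filled in, or soften the prose to "a workflow in this repository". Lastly, the FAQ never says to verify before installing or executing the file; a one-clause addition at +199 ("verify first, then install") closes that gap.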
