From 47ff8a83db35ed55f9a2a12125737a38ce41ae0e Mon Sep 17 00:00:00 2001
From: laurentsimon <laurentsimon@google.com>
Date: Tue, 16 Aug 2022 22:21:52 +0000
Subject: [PATCH] update

---
 verifiers/internal/gcb/keys/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/verifiers/internal/gcb/keys/README.md b/verifiers/internal/gcb/keys/README.md
index 22f4ea290..111f53caf 100644
--- a/verifiers/internal/gcb/keys/README.md
+++ b/verifiers/internal/gcb/keys/README.md
@@ -1,8 +1,10 @@
 # Download the GCB keys
 
-This is a temporary solution. We should pin the CA certificate when downloading, maybe using curl and the googlecloudapi REST endpoint.
+This is a temporary solution. We should try to automate key verification on pre-submits.
+We should pin the CA certificate when downloading them, maybe using curl and the googlecloudapi REST endpoint.
 See discussion in [#181](https://github.com/slsa-framework/slsa-verifier/issues/181).
 
+For now, you can verify the keys we downloaded by downloading them yourself.
 
 ```shell
 cd verifiers/internal/gcb/keys