From 50e5db2c4e494eaf8e301093d6158becb8d871af Mon Sep 17 00:00:00 2001 From: Yuval Shavit Date: Wed, 17 Jul 2024 01:25:36 -0400 Subject: [PATCH] add note on attestations --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index f8746b3..40e0dbb 100644 --- a/README.md +++ b/README.md @@ -39,10 +39,14 @@ Any of these will work: 2. You can download binaries from [the latest release] (or any other release, of course). 3. You can also grab the binaries from the latest [build-release] workflow run. You must be logged into GitHub to do that (their limitation, not mine!) +These binaries are all built on GitHub's servers, so if you trust my code (and dependencies), and you trust GitHub, you can trust the binaries. +See [the wiki page on release binaries] for information on how to verify them. + The Windows release hasn't been tested. [the latest release]: https://github.com/yshavit/mdq/releases/latest [build-release]: https://github.com/yshavit/mdq/actions/workflows/build-release.yml +[the wiki page on release binaries]: https://github.com/yshavit/mdq/wiki/Release-binaries # Basic Usage
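Review bot: The added sentence "you can trust the binaries" states the trust conclusion unconditionally, but it only holds once the reader has confirmed that the file they downloaded is the one the GitHub build produced, and that step is left to the next line and the wiki. Consider making the sentence conditional on verification (for example, "...you can trust the binaries once you have verified them") so the two lines read as one claim. The commit subject says "add note on attestations", yet the README text never uses the word "attestation"; naming it in the "See [the wiki page on release binaries]" line would tell readers what kind of verification to expect before they follow the link. The trust list in the same sentence names "my code (and dependencies)" and GitHub; if the build-release workflow uses third-party actions, they belong in that list as well.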