update readme to reflect current operation

README.md

@@ -21,30 +21,20 @@ The simple GPG signature toolchain for directories or git repos.
       git clone git@gitlab.com/pchq/sig.git sig
       ```
 
-  2. Manually generate manifest
+  2. Review source code and signatures manually
 
+      Using sig to verify the signatures of sig itself is not recommended.
+
+      Consider using the following one liner which is much faster to review:
       ```
-      git ls-files \
+      while read -r line; do \
-      | grep -v .sig \
+        gpg --verify \
-      | xargs openssl sha256 -r \
+          <(printf $line | sed 's/.*pgp://g'| openssl base64 -d -A) \
-      | sed -e 's/ \*/ /g' -e 's/ \.\// /g'
+          <(printf $line | sed 's/pgp:.*/pgp/g'); \
+      done < <(git notes --ref=signatures show)
       ```
 
-  3. Manually verify manifest
+  3. Copy to $PATH
-
-      ```
-      for file in .sig/*.asc; do gpg --verify $file .sig/manifest.txt; done
-      git log --show-signature
-      less sig
-      ```
-
-  4. Self verify
-
-      ```
-      ./sig verify --threshold 3
-      ```
-
-  5. Copy to $PATH
 
       ```
       cp sig ~/.local/bin/
@@ -52,12 +42,10 @@ The simple GPG signature toolchain for directories or git repos.
 
 ## Usage
 
-* sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-m,--method=<git|detached> ] [-d,--diff=<branch>]
+* sig verify [-g,--group=<group>] [-t,--threshold=<N>] [-r,--ref=<ref> ] [-d,--diff=<branch>]
-  * Verify m-of-n signatures by given group are present for directory
+  * Verify m-of-n signatures by given group are present for a git repo or ref
 * sig add
-  * Add signature to manifest for this directory
+  * Add signature to this git ref
-* sig manifest
-  * Generate hash manifest for this directory
 * sig fetch [-g,--group=<group>]
   * Fetch key by fingerprint. Optionally add to group.
 * sig help
@@ -75,53 +63,33 @@ keys.
 This counts the commit signature, and any number of signed tags pointing at
 this ref.
 
-### Detached
-
-This method verifies the state of this folder was signed exactly as-is by one
-or more authors.
-
-## Behavior
-
-If 'threshold' is specified, then that number of signatures must be present.
-
-If 'group' is specified, all signatures must be by keys that belong to a
-defined gpg alias group.
-
 ### Assumptions
-  - Single sig mode: Folder contents controlled by signer
+  - Single sig mode: Repo contents controlled by signer
-  - Multi-sig mode: Folder contents verified by multiple signers
+  - Multi-sig mode: Repo contents verified by multiple signers
-  - Multi-sig group mode: Folder contents approved by specified individuals
+  - Multi-sig group mode: Repo contents approved by specified individuals
-  - Hashing scheme for respective backend is not broken
+  - Hashing scheme for respective backend is not broken: (sha256)
-    - Git: sha1
-    - Detached: sha256
 
 ## Examples
 
-#### Verify 1 signature via Detached and Git methods
+#### Verify at least one signature is present with a known key
 
 ```
 sig verify
 ```
 
-#### Verify 2 unique signatures via Detached and Git methods
+#### Verify 2 unique signatures from known keys
 
 ```
 sig verify --threshold 2
 ```
 
-#### Verify 3 unique signatures from specified signing group via Git method
+#### Verify 3 unique signatures from specified signing group
 
 ```
-sig verify --threshold 3 --group myteam --method git
+sig verify --threshold 3 --group myteam
 ```
 
-#### Verify 2 unique signatures via detached method and diff on failure
+#### Add signature
-
-```
-sig verify --threshold 2 --diff master --method detached
-```
-
-#### Add Detached Signature
 
 ```
 sig add