From 7fd0077c58649bc016882415760aed11ba5f6f62 Mon Sep 17 00:00:00 2001
From: Andrey Kislyuk <kislyuk@gmail.com>
Date: Fri, 15 Apr 2022 00:01:39 -0700
Subject: [PATCH] Expand verify example

---
 README.rst | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/README.rst b/README.rst
index cbe6c42..c8d0835 100644
--- a/README.rst
+++ b/README.rst
@@ -48,9 +48,10 @@ The class method ``HTTPSignatureAuth.verify()`` can be used to verify responses
           return 'monorail_cat'
 
   response = requests.get(url, auth=auth)
-  HTTPSignatureAuth.verify(response,
-                           signature_algorithm=algorithms.HMAC_SHA256,
-                           key_resolver=MyKeyResolver())
+  verify_result = HTTPSignatureAuth.verify(response,
+                                           signature_algorithm=algorithms.HMAC_SHA256,
+                                           key_resolver=MyKeyResolver())
+  # To avoid substitution attacks, only trust response data referenced by verify_result
 
 More generally, you can reconstruct an arbitrary request using the
 `Requests API <https://docs.python-requests.org/en/latest/api/#requests.Request>`_ and pass it to ``verify()``: