From 59ab96aa2cf4634252ad9b74ab10836d9c967cd9 Mon Sep 17 00:00:00 2001
From: Sohamdg081992 <31517098+Sohamdg081992@users.noreply.github.com>
Date: Thu, 5 Oct 2023 21:45:03 -0700
Subject: [PATCH] Bug fix- update cert thumbprint to latest ame prod cert (#615)
* Removing duplicate alerts from ci recommended alerts
* Remove test branch
* Remove preview keyword from policy readme
* Bug fix- update cert thumbprint for image signing to latest ame prod cert
---
 .pipelines/azure-pipeline-build.yml | 4 ++--
 internal/docs/ESRPCodeSign.md | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.pipelines/azure-pipeline-build.yml b/.pipelines/azure-pipeline-build.yml
index 627a35113..4bf1da9d4 100644
--- a/.pipelines/azure-pipeline-build.yml
+++ b/.pipelines/azure-pipeline-build.yml
@@ -337,7 +337,7 @@ jobs:
 oras attach $(LINUX_FULL_IMAGE_NAME) \
 --artifact-type 'application/vnd.cncf.notary.signature' \
 ./payload.json:application/cose \
- -a "io.cncf.notary.x509chain.thumbprint#S256=[\"659AAA9C0E822B4B20A964AA0178BD9419A50530\"]"
+ -a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]"
 workingDirectory: $(Build.ArtifactStagingDirectory)/linux/
 displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linux/"
 condition: eq(variables.IS_MAIN_BRANCH, true)
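Review bot: The new value on the `+` line, `79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA`, is 40 hex characters (a 160-bit, SHA-1-length fingerprint), yet it is placed under the `io.cncf.notary.x509chain.thumbprint#S256` annotation, which the Notary Project signature spec defines as the SHA-256 fingerprint of each certificate in the signing chain (64 hex characters). A verifier whose trust store or trust policy is keyed on the certificate's SHA-256 thumbprint would not match this annotation, so the attached signature may fail to verify or be ignored as an unknown chain. The replaced value `659AAA…` had the same length, so this looks like a pre-existing copy of the SHA-1 thumbprint shown in the Key Vault/portal UI rather than a regression introduced here, but a commit whose purpose is to correct the thumbprint is the place to fix it. Suggest deriving the value with `openssl x509 -in <cert>.pem -noout -fingerprint -sha256 | tr -d ':'` and adding a comment above the step such as `# SHA-256 fingerprint (64 hex chars) of the AME prod signing cert; the portal shows SHA-1, do not paste that`.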
@@ -581,7 +581,7 @@ jobs:
 New-Item -ItemType Directory -Force -Path $env:USERPROFILE\bin
 Copy-Item -Path $currentDirectory\oras.exe -Destination "$env:USERPROFILE\bin\"
 $env:PATH = "$env:USERPROFILE\bin;$env:PATH"
- oras attach $(WINDOWS_FULL_IMAGE_NAME) --artifact-type application/vnd.cncf.notary.signature ./payload.json:application/cose -a io.cncf.notary.x509chain.thumbprint#S256=[\""659AAA9C0E822B4B20A964AA0178BD9419A50530\""]
+ oras attach $(WINDOWS_FULL_IMAGE_NAME) --artifact-type application/vnd.cncf.notary.signature ./payload.json:application/cose -a io.cncf.notary.x509chain.thumbprint#S256=[\""79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\""]
 workingDirectory: $(Build.ArtifactStagingDirectory)/windows
 displayName: "Download, install Oras and run oras attach"
 condition: eq(variables.IS_MAIN_BRANCH, true)
diff --git a/internal/docs/ESRPCodeSign.md b/internal/docs/ESRPCodeSign.md
index 51ca09e33..162344327 100644
--- a/internal/docs/ESRPCodeSign.md
+++ b/internal/docs/ESRPCodeSign.md
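Review bot: The thumbprint literal on the `+` line is now hard-coded a second time, duplicating the Linux `oras attach` step around line 340, and this commit had to edit both copies by hand; the next AME certificate rotation can silently leave one platform signing against a stale chain. A single pipeline variable, e.g. `NOTARY_SIGNING_CERT_THUMBPRINT_SHA256: '79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA'` in the `variables:` block, referenced as `$(NOTARY_SIGNING_CERT_THUMBPRINT_SHA256)` inside both commands, would make the rotation a one-line change and keep the two images consistent. As on the Linux side, the value is 40 hex characters (SHA-1 length) while the `#S256` annotation key denotes a 64-character SHA-256 fingerprint, so it should be re-derived with `openssl x509 -fingerprint -sha256` before relying on it for verification. The PowerShell script this step belongs to starts before the hunk, so the download of `oras.exe` that precedes `Copy-Item` is not visible here.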
@@ -10,4 +10,4 @@ I have followed this [doc](https://eng.ms/docs/more/containers-secure-supply-cha
 For verification of signing we can do through 2 ways.
 1. Locally through the doc https://eng.ms/docs/more/containers-secure-supply-chain/signing under validation section using notation. We have to use our own [certificate](https://ms.portal.azure.com/#view/Microsoft_Azure_KeyVault/ListObjectVersionsRBACBlade/~/overview/objectType/certificates/objectId/https%3A%2F%2Fesrpprometheuskv.vault.azure.net%2Fcertificates%2FESRPReqPrometheusCert/vaultResourceUri/%2Fsubscriptions%2F9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb%2FresourceGroups%2FESRPPrometheus%2Fproviders%2FMicrosoft.KeyVault%2Fvaults%2FESRPPrometheusKV/vaultId/%2Fsubscriptions%2F9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb%2FresourceGroups%2FESRPPrometheus%2Fproviders%2FMicrosoft.KeyVault%2Fvaults%2FESRPPrometheusKV) instead of the one in the example.
-2. We can do a docker pull on the signed images and it will not have the following error message - "manifest verification failed for digest sha256..."
+2. We can do a "docker manifest inspect -v " on the signed images and it will not have the following error message - "manifest verification failed for digest sha256..."