From 567cb99df9d0595adf53e086f0018f03c0691a4d Mon Sep 17 00:00:00 2001
From: saisatishkarra
Date: Tue, 25 Jun 2024 10:15:42 -0500
Subject: [PATCH] fix: slsa insomnia url and examples
---
.../provenance/verify-image-provenance.md | 18 +++++++++---------
docs/inso-cli/sbom.md | 2 +-
docs/inso-cli/verify-signed-images.md | 13 +++++++++----
docs/insomnia/verify-binary-provenance.md | 4 ++--
4 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/docs/inso-cli/provenance/verify-image-provenance.md b/docs/inso-cli/provenance/verify-image-provenance.md
index d3ba034..03a18a8 100644
--- a/docs/inso-cli/provenance/verify-image-provenance.md
+++ b/docs/inso-cli/provenance/verify-image-provenance.md
@@ -43,7 +43,7 @@ For both examples, you need to: 4. Parse the `` for the image using `regctl`. ```sh - regctl manifest digest : + IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0-beta.4) ``` 5. Set the `COSIGN_REPOSITORY` environment variable:
@@ -63,7 +63,7 @@ Run the `cosign verify-attestation ...` command: ```sh cosign verify-attestation \ - :@sha256: \ + :@${IMAGE_DIGEST} \ --type='slsaprovenance' \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
@@ -73,7 +73,7 @@ Here's the same example using sample values instead of placeholders: ```sh cosign verify-attestation \ - 'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \ + kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \ --type='slsaprovenance' \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
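Review bot: Resolving `IMAGE_DIGEST` from the mutable tag `kong/inso:9.3.0-beta.4` at verification time (new step 4 in the first hunk here, and the identical step added in docs/inso-cli/verify-signed-images.md) means the later `…@${IMAGE_DIGEST}` commands in every hunk of this file only attest whatever the registry returned for that tag at that moment, so the page should add, after the verify commands, a line such as `Run or pull the image by the verified digest, e.g. kong/inso@${IMAGE_DIGEST}, not by tag — the tag can be re-pointed after verification.` The removed `regctl manifest digest :` line appears to have been the placeholder form (the bracketed placeholders seem to be stripped in this rendering), while the replacement hard-codes the sample tag even though the generic commands that follow still use placeholders; the generic step should keep a placeholder image reference and reserve `kong/inso:9.3.0-beta.4` for the "sample values" variants. The removed lines quoted the image reference and the new ones do not; `"kong/inso:9.3.0-beta.4@${IMAGE_DIGEST}"` keeps the examples copy-paste safe if the variable is empty or contains unexpected characters. It is also worth stating that `IMAGE_DIGEST` must be non-empty before verifying — if `regctl` fails, the reference degenerates to `kong/inso:9.3.0-beta.4@`, which the tools should reject but with a less obvious error.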
@@ -93,7 +93,7 @@ Run the `slsa-verifier verify-image ...` command: ```sh slsa-verifier verify-image \ - :@sha256: \ + :@${IMAGE_DIGEST} \ --print-provenance \ --provenance-repository kong/notary \ --source-uri 'github.com/Kong/'
@@ -103,7 +103,7 @@ Here's the same example using sample values instead of placeholders: ```sh slsa-verifier verify-image \ - 'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \ + kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \ --print-provenance \ --provenance-repository kong/notary \ --source-uri 'github.com/Kong/insomnia'
@@ -124,7 +124,7 @@ Run the `cosign verify-attestation ...` command: ```sh cosign verify-attestation \ - :@sha256: \ + :@${IMAGE_DIGEST} \ --type='slsaprovenance' \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
@@ -137,7 +137,7 @@ Here's the same example using sample values instead of placeholders: ```sh cosign verify-attestation \ - 'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \ + kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \ --type='slsaprovenance' \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
@@ -152,7 +152,7 @@ Run the `slsa-verifier verify-image ...` command: ```sh slsa-verifier verify-image \ - :@sha256: \ + :@${IMAGE_DIGEST} \ --print-provenance \ --provenance-repository kong/notary \ --build-workflow-input 'version=9.3.0-beta.4' \
@@ -163,7 +163,7 @@ Here's the same example using sample values instead of placeholders: ```sh slsa-verifier verify-image \ - 'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \ + kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \ --print-provenance \ --provenance-repository kong/notary \ --build-workflow-input 'version=9.3.0-beta.4' \
diff --git a/docs/inso-cli/sbom.md b/docs/inso-cli/sbom.md
index d0b977f..4c8fead 100644
--- a/docs/inso-cli/sbom.md
+++ b/docs/inso-cli/sbom.md
@@ -17,4 +17,4 @@ We are generating SBOMs for both inso binaries and docker container images. * SBOMs for Inso Binaries: `sbom.spdx.json` and `sbom.cyclonedx.json` * SBOMs for Inso Docker Images: - * Linux: `image_-*.spdx.json` and `image_-*.cyclonedx.json` + * Linux: `image-inso-*-sbom.spdx.json` and `image-inso-*-sbom.cyclonedx.json`
diff --git a/docs/inso-cli/verify-signed-images.md b/docs/inso-cli/verify-signed-images.md
index 5063c4c..9e57102 100644
--- a/docs/inso-cli/verify-signed-images.md
+++ b/docs/inso-cli/verify-signed-images.md
@@ -40,6 +40,11 @@ For both examples, you need to: export COSIGN_REPOSITORY=kong/notary ``` +4. Parse the image manifest digest + ```sh + IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0-beta.4) + ``` + {:.important .no-icon} > Github owner is case-sensitive (`Kong/insomnia` vs `kong/insomnia`).
@@ -49,7 +54,7 @@ Run the `cosign verify ...` command: ```sh cosign verify \ - kong/:@sha256: \ + kong/:@${IMAGE_DIGEST} \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='https://github.com/Kong//.github/workflows/' ```
@@ -58,7 +63,7 @@ Here's the same example using sample values instead of placeholders: ```sh cosign verify \ - 'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \ + kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml' ```
@@ -67,7 +72,7 @@ cosign verify \ ```sh cosign verify \ - :@sha256: \ + :@${IMAGE_DIGEST} \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='https://github.com/Kong//.github/workflows/' \ -a repo='Kong/' \
@@ -78,7 +83,7 @@ Here's the same example using sample values instead of placeholders: ```sh cosign verify \ - 'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \ + kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \ --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \ --certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml' \ -a repo='Kong/insomnia' \
diff --git a/docs/insomnia/verify-binary-provenance.md b/docs/insomnia/verify-binary-provenance.md
index 7892a71..d080c7a 100644
--- a/docs/insomnia/verify-binary-provenance.md
+++ b/docs/insomnia/verify-binary-provenance.md
@@ -33,9 +33,9 @@ For both examples, you need to: 1. Ensure `slsa-verifier` is installed. -2. [Download Insomnia Core Application Binaries](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.core&channel=beta) with file pattern `Insomnia.Core-.{snap,tar.gz,zip,rpm,dmg,deb,exe,AppImage}` +2. [Download Insomnia Core Application Binaries](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.app&channel=beta) with file pattern `Insomnia.Core-.{snap,tar.gz,zip,rpm,dmg,deb,exe,AppImage}` -3. [Download Insomnia Binary Provenance Attestation](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.core&channel=beta) with pattern `insomnia-provenance.intoto.jsonl` +3. [Download Insomnia Binary Provenance Attestation](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.app&channel=beta) with pattern `insomnia-provenance.intoto.jsonl` {:.important .no-icon} > The GitHub owner is case-sensitive (`Kong/insomnia` vs `kong/insomnia`).