fix: slsa insomnia url and examples #212

Merged: 1 commit, Jun 25, 2024
18 changes: 9 additions & 9 deletions docs/inso-cli/provenance/verify-image-provenance.md
Expand Up @@ -43,7 +43,7 @@ For both examples, you need to:
4. Parse the `<manifest_digest>` for the image using `regctl`.

```sh
regctl manifest digest <image>:<tag>
IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0-beta.4)
```

5. Set the `COSIGN_REPOSITORY` environment variable:
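Review bot: the generic step now hardcodes `kong/inso:9.3.0-beta.4` although its text still says to parse the `<manifest_digest>` for the image and every command that follows keeps the `<image>:<tag>` placeholders; keep the placeholder form here (`IMAGE_DIGEST=$(regctl manifest digest <image>:<tag>)`) and put the concrete tag only in the sample-values examples. Since all later commands expand `${IMAGE_DIGEST}`, it is also worth telling the reader to confirm the variable is non-empty before running them: if the `regctl` call fails, the reference ends in a bare `@` and the verification fails for a reason unrelated to provenance.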
Expand All @@ -63,7 +63,7 @@ Run the `cosign verify-attestation ...` command:

```sh
cosign verify-attestation \
<image>:<tag>@sha256:<manifest_digest> \
<image>:<tag>@${IMAGE_DIGEST} \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
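Review bot: pre-existing context, but worth fixing while this block is touched: the version part of the `--certificate-identity-regexp` pattern, `v[0-9]+.[0-9]+.[0-9]+$`, uses unescaped dots, so it matches any character in those positions rather than only a literal `.`. This regexp is the identity check the whole verification hinges on, so escape the dots (`v[0-9]+\.[0-9]+\.[0-9]+$`) here and in the three identical lines further down.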
Expand All @@ -73,7 +73,7 @@ Here's the same example using sample values instead of placeholders:

```sh
cosign verify-attestation \
'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
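Review bot: dropping the single quotes leaves `kong/inso:9.3.0-beta.4@${IMAGE_DIGEST}` unquoted; it works while `IMAGE_DIGEST` holds a plain `sha256:` string, but double-quoting it (`"kong/inso:9.3.0-beta.4@${IMAGE_DIGEST}"`) keeps the argument intact if the variable is empty or ever contains whitespace, and preserves the quoting the removed line had. Separately, this "sample values" example no longer shows a literal digest anywhere: a reader who wants to pin a known-good digest instead of resolving it from the registry at verification time no longer sees what the fully resolved reference looks like, so keep one literal `@sha256:...` form in the doc.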
Expand All @@ -93,7 +93,7 @@ Run the `slsa-verifier verify-image ...` command:

```sh
slsa-verifier verify-image \
<image>:<tag>@sha256:<manifest_digest> \
<image>:<tag>@${IMAGE_DIGEST} \
--print-provenance \
--provenance-repository kong/notary \
--source-uri 'github.com/Kong/<repo>'
Expand All @@ -103,7 +103,7 @@ Here's the same example using sample values instead of placeholders:

```sh
slsa-verifier verify-image \
'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
--print-provenance \
--provenance-repository kong/notary \
--source-uri 'github.com/Kong/insomnia'
Expand All @@ -124,7 +124,7 @@ Run the `cosign verify-attestation ...` command:

```sh
cosign verify-attestation \
<image>:<tag>@sha256:<manifest_digest> \
<image>:<tag>@${IMAGE_DIGEST} \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
Expand All @@ -137,7 +137,7 @@ Here's the same example using sample values instead of placeholders:

```sh
cosign verify-attestation \
'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
--type='slsaprovenance' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
Expand All @@ -152,7 +152,7 @@ Run the `slsa-verifier verify-image ...` command:

```sh
slsa-verifier verify-image \
<image>:<tag>@sha256:<manifest_digest> \
<image>:<tag>@${IMAGE_DIGEST} \
--print-provenance \
--provenance-repository kong/notary \
--build-workflow-input 'version=9.3.0-beta.4' \
Expand All @@ -163,7 +163,7 @@ Here's the same example using sample values instead of placeholders:

```sh
slsa-verifier verify-image \
'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
--print-provenance \
--provenance-repository kong/notary \
--build-workflow-input 'version=9.3.0-beta.4' \
2 changes: 1 addition & 1 deletion docs/inso-cli/sbom.md
Expand Up @@ -17,4 +17,4 @@ We are generating SBOMs for both inso binaries and docker container images.

* SBOMs for Inso Binaries: `sbom.spdx.json` and `sbom.cyclonedx.json`
* SBOMs for Inso Docker Images:
* Linux: `image_<image_name>-*.spdx.json` and `image_<image_name>-*.cyclonedx.json`
* Linux: `image-inso-*-sbom.spdx.json` and `image-inso-*-sbom.cyclonedx.json`
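Review bot: the new pattern `image-inso-*-sbom.spdx.json` hardcodes `inso`, which is consistent with this being the Inso CLI doc, but the `*` is left unexplained in both the old and the new line; say what it expands to so readers can pick the right file for their release.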
13 changes: 9 additions & 4 deletions docs/inso-cli/verify-signed-images.md
Expand Up @@ -40,6 +40,11 @@ For both examples, you need to:
export COSIGN_REPOSITORY=kong/notary
```

4. Parse the image manifest digest
```sh
IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0-beta.4)
```

{:.important .no-icon}
> Github owner is case-sensitive (`Kong/insomnia` vs `kong/insomnia`).

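Review bot: the added step 4 lacks the blank line between `4. Parse the image manifest digest` and the ```sh fence, and the terminating period, that the equivalent step 4 in docs/inso-cli/provenance/verify-image-provenance.md in this same PR has; make the two consistent. Like that other change, it also hardcodes `kong/inso:9.3.0-beta.4` in a "for both examples" prerequisite while the commands below still use `kong/<image>:<tag>`; keep the placeholder in the step and move the concrete tag to the sample-values example.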
Expand All @@ -49,7 +54,7 @@ Run the `cosign verify ...` command:

```sh
cosign verify \
kong/<image>:<tag>@sha256:<digest> \
kong/<image>:<tag>@${IMAGE_DIGEST} \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>'
```
Expand All @@ -58,7 +63,7 @@ Here's the same example using sample values instead of placeholders:

```sh
cosign verify \
'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml'
```
Expand All @@ -67,7 +72,7 @@ cosign verify \

```sh
cosign verify \
<image>:<tag>@sha256:<digest> \
<image>:<tag>@${IMAGE_DIGEST} \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>' \
-a repo='Kong/<repo>' \
Expand All @@ -78,7 +83,7 @@ Here's the same example using sample values instead of placeholders:

```sh
cosign verify \
'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
--certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml' \
-a repo='Kong/insomnia' \
4 changes: 2 additions & 2 deletions docs/insomnia/verify-binary-provenance.md
Expand Up @@ -33,9 +33,9 @@ For both examples, you need to:

1. Ensure `slsa-verifier` is installed.

2. [Download Insomnia Core Application Binaries](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.core&channel=beta) with file pattern `Insomnia.Core-<version>.{snap,tar.gz,zip,rpm,dmg,deb,exe,AppImage}`
2. [Download Insomnia Core Application Binaries](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.app&channel=beta) with file pattern `Insomnia.Core-<version>.{snap,tar.gz,zip,rpm,dmg,deb,exe,AppImage}`

3. [Download Insomnia Binary Provenance Attestation](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.core&channel=beta) with pattern `insomnia-provenance.intoto.jsonl`
3. [Download Insomnia Binary Provenance Attestation](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.app&channel=beta) with pattern `insomnia-provenance.intoto.jsonl`

{:.important .no-icon}
> The GitHub owner is case-sensitive (`Kong/insomnia` vs `kong/insomnia`).
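Review bot: the query parameter changes from `app=com.insomnia.core` to `app=com.insomnia.app` in both links, but the link text still reads "Insomnia Core Application Binaries" and the file pattern is still `Insomnia.Core-<version>.{...}`; confirm the endpoint under the new app id serves files with that name, otherwise the pattern needs to change together with the URL. Steps 2 and 3 now also point at the identical URL, which is fine if it is a release listing, but one sentence saying both artifacts come from the same listing would stop readers assuming a copy-paste error.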