From cee8b8eeee3fb52d567235ab8c6a0bf1cc2414c2 Mon Sep 17 00:00:00 2001 From: Matthias Glastra Date: Wed, 2 Oct 2024 12:42:11 +0200 Subject: [PATCH 1/3] chore: Add install tutorial with cosign check. Signed-off-by: Matthias Glastra --- INSTALL.md | 39 +++++++++++++++++++++++++++++++++++++++ README.md | 2 ++ 2 files changed, 41 insertions(+) create mode 100644 INSTALL.md diff --git a/INSTALL.md b/INSTALL.md new file mode 100644 index 00000000..e5b4284e --- /dev/null +++ b/INSTALL.md 
@@ -0,0 +1,39 @@ +# Install Witness manually and verify + +> [!NOTE] +> Please use release v0.7.0 or higher, as prior releases were created to +> test the release workflow. + +This repository provides pre-built binaries that are signed and published using +[GoReleaser]. The signature for these binaries are generated using [Sigstore], +using the release workflow's identity. Make sure you have [cosign] installed on +your system, then you will be able to securely download and verify the gittuf +release: + +## Unix-like operating systems + +```sh +# Modify these values as necessary. +# One of: amd64, arm64 +ARCH=amd64 +# One of: linux, darwin, freebsd +OS=linux +# See https://github.com/in-toto/witness/releases for the latest version +VERSION=0.6.0 +cd $(mktemp -d) + +curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH} +curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}.sig +curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}.pem + +cosign verify-blob \ + --certificate witness_${VERSION}_${OS}_${ARCH}.pem \ + --signature witness_${VERSION}_${OS}_${ARCH}.sig \ + --certificate-identity https://github.com/in-toto/witness/.github/workflows/release.yml@refs/tags/v${VERSION} \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + witness_${VERSION}_${OS}_${ARCH} + +sudo install witness_${VERSION}_${OS}_${ARCH} /usr/local/bin/witness +cd - +witness version +``` diff --git a/README.md b/README.md index 70d3c8cc..80d2755b 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,8 @@ latest release: bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh) ``` +If you want install it manually and verify its integrity follow the instructions in the [INSTALL.md](./INSTALL.md). + ### Tutorials Check out our Tutorials: 
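Review bot: In the INSTALL.md hunk the verification step does not gate the install: `cosign verify-blob ...` and `sudo install witness_${VERSION}_${OS}_${ARCH} /usr/local/bin/witness` are independent commands, so a reader who pastes the whole block gets the binary installed even when verification fails on a bad signature, a wrong certificate identity, or a tampered download. Chain them (`cosign verify-blob ... witness_${VERSION}_${OS}_${ARCH} && sudo install ...`) or open the block with `set -euo pipefail`, and use `curl -fLO` so an HTTP error page is not saved under the binary's name. Two consistency problems in the same hunk: the callout asks for v0.7.0 or higher while the example sets `VERSION=0.6.0`, and the intro ends with "verify the gittuf release" where this repository is witness. `[GoReleaser]`, `[Sigstore]` and `[cosign]` are reference-style links with no link definitions, so they render as bracketed text, and "The signature for these binaries are generated" should be "The signatures for these binaries are generated".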
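Review bot: The added README sentence has a grammar slip: "If you want install it manually and verify its integrity follow the instructions in the [INSTALL.md](./INSTALL.md)." should read "If you want to install it manually and verify its integrity, follow the instructions in [INSTALL.md](./INSTALL.md)." Since the command just above it fetches install-witness.sh from the main branch and runs it directly in bash, it is worth saying that the manual path is the one that checks the release signature with cosign, so readers understand what the extra steps buy them.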
From 1ce45562478e22b945e274b296c5a5468456181e Mon Sep 17 00:00:00 2001 From: John Kjell Date: Wed, 4 Dec 2024 14:49:10 -0600 Subject: [PATCH 2/3] Update INSTALL.md Signed-off-by: John Kjell --- INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL.md b/INSTALL.md index e5b4284e..95f96b98 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -19,7 +19,7 @@ ARCH=amd64 # One of: linux, darwin, freebsd OS=linux # See https://github.com/in-toto/witness/releases for the latest version -VERSION=0.6.0 +VERSION=0.7.0 cd $(mktemp -d) curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH} From 691d2af8a3d7d932773fcab92a3435ff53b877e7 Mon Sep 17 00:00:00 2001 From: John Kjell Date: Thu, 5 Dec 2024 11:17:33 -0600 Subject: [PATCH 3/3] Update INSTALL.md Signed-off-by: John Kjell --- INSTALL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL.md b/INSTALL.md index 95f96b98..44af19d2 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -5,7 +5,7 @@ > test the release workflow. This repository provides pre-built binaries that are signed and published using -[GoReleaser]. The signature for these binaries are generated using [Sigstore], +[GoReleaser](https://goreleaser.com/). The signature for these binaries are generated using [Sigstore](https://sigstore.dev/), using the release workflow's identity. Make sure you have [cosign] installed on your system, then you will be able to securely download and verify the gittuf release:
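Review bot: Changing `VERSION=0.6.0` to `VERSION=0.7.0` removes the contradiction with the callout at the top of INSTALL.md that asks for v0.7.0 or higher. The pinned value will go stale, so the comment above it ("See https://github.com/in-toto/witness/releases for the latest version") is better phrased as "Set this to the release you want to install; see ... for the latest version", making clear the number is an example rather than the only supported release.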
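Review bot: In the PATCH 3/3 hunk, `[cosign]` on the context line just below is still a reference-style link with no definition, so after this change GoReleaser and Sigstore render as links while cosign renders as literal brackets; make it `[cosign](https://github.com/sigstore/cosign)`. The rewritten line is also far longer than the roughly 80-column wrapping used by the rest of the paragraph, and it keeps the agreement error "The signature for these binaries are generated" (either "The signatures ... are" or "The signature ... is"). The paragraph's closing "verify the gittuf release" should say "witness".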