From f5426c121b2c4502a9205ed6dd608f52aacb8ecf Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Mon, 22 Jul 2024 16:15:56 +0800 Subject: [PATCH] chore: update README around signing --- README.md | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) diff --git a/README.md b/README.md index a91bb47..0237036 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ It also automatically builds and tests your code using [GitHub Actions](https:// * Static code analysis using [CodeQL](https://codeql.github.com/) and [Go Report Card](https://goreportcard.com/). * Coverage analysis using the [go-test-coverage action](https://github.com/vladopajic/go-test-coverage). * Security analysis using [OpenSSF](https://securityscorecards.dev). -* Signed binary artifacts using [Sigstore](https://www.sigstore.dev/)'s [cosign](https://github.com/sigstore/cosign). +* Signed binary artifacts using [artifact attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). ## How to use @@ -115,18 +115,3 @@ Issues are welcome. PRs are also welcome, but keep in mind that this is a very opinionated template, so not all changes will be accepted. PRs also need to ensure that test coverage remains high, and best practices are followed. - -## How to verify binary signatures - -1. Download the three `checksums` files. They should end in `_checksums.txt`, `_checksums.txt.pem`, and `_checksums.txt.sig`. -2. Verify using [cosign](https://github.com/sigstore/cosign). For example: - - ```bash - cosign verify-blob \ - --certificate-oidc-issuer https://token.actions.githubusercontent.com \ - --certificate-identity=https://github.com/smlx/go-cli-github/.github/workflows/release.yaml@refs/heads/main \ - --signature ./go-cli-github_0.13.0_checksums.txt.sig \ - --cert ./go-cli-github_0.13.0_checksums.txt.pem \ - ./go-cli-github_0.13.0_checksums.txt - Verified OK - ```
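Review bot: in the first hunk (README.md line 28), the bullet keeps the wording "Signed binary artifacts" while the link now points to GitHub artifact attestations, which establish build provenance rather than a bare signature over the binary; consider rewording to something like "* Build provenance attestations for binary artifacts using [artifact attestations](...)" so readers know what claim they can actually verify. It is also worth a note that attestations are still Sigstore-backed but are verified through the `gh` CLI rather than `cosign verify-blob`, since the old bullet taught users to look for cosign.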
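Review bot: the second hunk deletes the entire "How to verify binary signatures" section without adding replacement instructions, so after this change the README advertises attested releases but gives users no way to check them; please add a short "How to verify artifact attestations" section, for example `gh attestation verify ./go-cli-github_0.13.0_checksums.txt --repo smlx/go-cli-github`, followed by checking the downloaded binaries against that checksums file. Also, this patch touches only README.md (per the diffstat), so if the release workflow still publishes `_checksums.txt.sig` and `_checksums.txt.pem`, the docs and the published artifacts will disagree; either reference the workflow change that dropped cosign signing or land them together.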