verify: With the newer cosign version we need additional arguments #131
Pull request overview
This PR updates the cosign verification commands in the documentation to use the --bundle flag instead of the --rekor-url flag for newer versions of cosign. The changes are applied to the "Advanced: strict identity pinning" section of the VERIFY.md documentation.
Changes:
- Replaced `--rekor-url https://rekor.sigstore.dev` with the `--bundle` flag across three cosign verify-blob commands
- Updated the comment for the Tarball section to remove the note about flag applicability
Comments suppressed due to low confidence (1)
VERIFY.md:211
The advanced section (lines 186-211) now uses --bundle exclusively, but earlier sections still demonstrate both online (--rekor-url, lines 70-76, 112-127) and offline (--bundle, lines 78-83, 133-143) verification methods. This creates inconsistency in the documentation. For a cohesive user experience, consider either: (1) updating the earlier sections to also prefer --bundle if that's the recommended approach for newer cosign versions, or (2) adding both online and offline verification examples in the advanced section as well, to maintain consistency with the document structure.
# Tarball
cosign verify-blob \
--bundle "NVRC-${TARGET}.tar.xz.bundle.json" \
--certificate-identity "https://github.com/$WF_REPO/.github/workflows/$WF_FILE@$WF_REF" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-github-workflow-repository "$WF_REPO" \
--certificate-github-workflow-ref "$WF_REF" \
"NVRC-${TARGET}.tar.xz"
# Binary
cosign verify-blob \
--bundle "NVRC-${TARGET}.bundle.json" \
--certificate-identity "https://github.com/$WF_REPO/.github/workflows/$WF_FILE@$WF_REF" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-github-workflow-repository "$WF_REPO" \
--certificate-github-workflow-ref "$WF_REF" \
"NVRC-${TARGET}"
# SBOM
cosign verify-blob \
--bundle "sbom-NVRC-${TARGET}.spdx.json.bundle.json" \
--certificate-identity "https://github.com/$WF_REPO/.github/workflows/$WF_FILE@$WF_REF" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-github-workflow-repository "$WF_REPO" \
--certificate-github-workflow-ref "$WF_REF" \
"sbom-NVRC-${TARGET}.spdx.json"
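A wrapper that applies one pinned identity to all three artifacts, so the binary and SBOM verifies cannot drift from the tarball's flags (the applicability the dropped comment used to note) and a missing bundle sidecar fails closed. This is an added example, not the project's VERIFY.md code; it assumes the `<artifact>.bundle.json` sidecar naming above, and `OWNER/REPO`, `release.yml` and `vX.Y.Z` are placeholders.

```shell
#!/bin/sh
# Added example (not the project's VERIFY.md code): one function applies the same
# pinned identity to every artifact, so binary and SBOM verifies cannot drift
# from the tarball's flags. Assumes the <artifact>.bundle.json sidecar naming.
set -eu

# Identity to pin; WF_REPO/WF_FILE/WF_REF follow VERIFY.md. The defaults here
# are placeholders, set them from the release you are checking.
WF_REPO="${WF_REPO:-OWNER/REPO}"
WF_FILE="${WF_FILE:-release.yml}"
WF_REF="${WF_REF:-refs/tags/vX.Y.Z}"
OIDC_ISSUER="https://token.actions.githubusercontent.com"
COSIGN="${COSIGN:-cosign}"   # override with a stub for dry runs

# Sidecar bundle path for an artifact.
bundle_for() { printf '%s.bundle.json' "$1"; }

# Pin to a tag: a branch ref would accept anything the branch builds later.
require_tag_ref() {
  case "$1" in
    refs/tags/*) return 0 ;;
    *) echo "refusing non-tag ref: $1" >&2; return 1 ;;
  esac
}

# Verify one artifact offline against its bundle; fail closed when the
# sidecar is missing rather than falling back to an online Rekor lookup.
verify_artifact() {
  artifact="$1"; bundle="$(bundle_for "$artifact")"
  require_tag_ref "$WF_REF" || return 1
  [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 1; }
  [ -f "$bundle" ] || { echo "missing bundle: $bundle" >&2; return 1; }
  "$COSIGN" verify-blob \
    --bundle "$bundle" \
    --certificate-identity "https://github.com/$WF_REPO/.github/workflows/$WF_FILE@$WF_REF" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    --certificate-github-workflow-repository "$WF_REPO" \
    --certificate-github-workflow-ref "$WF_REF" \
    "$artifact"
}

# Verify the full release set for one TARGET; stop at the first failure.
verify_release() {
  for a in "NVRC-$1.tar.xz" "NVRC-$1" "sbom-NVRC-$1.spdx.json"; do
    verify_artifact "$a" || return 1
  done
}

[ "$#" -eq 0 ] || verify_release "$1"   # usage: ./verify.sh x86_64
```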
VERIFY.md
Outdated
| WF_REPO="$REPO" # e.g., NVIDIA/nvrc | ||
|
|
||
| # Tarball (same flags also apply to binary/SBOM verifies) | ||
| # Tarball |
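Review bot: the title says newer cosign "needs additional arguments", but this hunk only replaces the `# Tarball (same flags also apply to binary/SBOM verifies)` comment with `# Tarball`, and the overview says `--rekor-url https://rekor.sigstore.dev` was swapped for `--bundle`; neither the hunk nor the commit message names the cosign version from which `--bundle` is required, so a reader on an older release cannot tell whether the earlier `--rekor-url` form still applies. Suggest keeping the applicability note and adding the minimum version beside it, e.g. `# Tarball (same flags also apply to binary/SBOM verifies; cosign >= <version> uses --bundle)`, and saying in the same place that each `.bundle.json` sidecar must be downloaded next to its artifact, since the new commands read the signature from that file.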
Copilot (AI) commented on Jan 15, 2026
The comment was changed from '# Tarball (same flags also apply to binary/SBOM verifies)' to just '# Tarball'. However, this change removes useful context. The earlier sections (lines 70-83 and 112-144) show that this document provides BOTH online verification (using --rekor-url) and offline verification (using --bundle) methods. The advanced section now only shows the --bundle approach, which is inconsistent with the earlier sections that still use --rekor-url for online verification. Consider either: (1) keeping the original comment noting that these flags can be applied to both online and offline verification methods, or (2) updating the earlier sections to also use --bundle if that's the preferred method going forward.
| # Tarball | |
| # Tarball (same flags also apply to binary/SBOM verifies) |
Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
verify: With the newer cosign version we need additional arguments