fix: slsa insomnia url and examples (#212)

Kong · Jun 25, 2024 · 09628af · 09628af
1 parent a9cafc4
commit 09628af
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 16 deletions.
diff --git a/docs/inso-cli/provenance/verify-image-provenance.md b/docs/inso-cli/provenance/verify-image-provenance.md
@@ -43,7 +43,7 @@ For both examples, you need to:
 4. Parse the `<manifest_digest>` for the image using `regctl`.
 
    ```sh
-   regctl manifest digest <image>:<tag>
+   IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0-beta.4)
    ```
 
 5. Set the `COSIGN_REPOSITORY` environment variable:
@@ -63,7 +63,7 @@ Run the `cosign verify-attestation ...` command:
 
 ```sh
 cosign verify-attestation \
-   <image>:<tag>@sha256:<manifest_digest> \
+   <image>:<tag>@${IMAGE_DIGEST} \
    --type='slsaprovenance' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
@@ -73,7 +73,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 cosign verify-attestation \
-   'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
+   kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
    --type='slsaprovenance' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$'
@@ -93,7 +93,7 @@ Run the `slsa-verifier verify-image ...` command:
 
 ```sh
 slsa-verifier verify-image \
-   <image>:<tag>@sha256:<manifest_digest> \
+   <image>:<tag>@${IMAGE_DIGEST} \
    --print-provenance \
    --provenance-repository kong/notary \
    --source-uri 'github.com/Kong/<repo>'
@@ -103,7 +103,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 slsa-verifier verify-image \
-   'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
+   kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
    --print-provenance \
    --provenance-repository kong/notary \
    --source-uri 'github.com/Kong/insomnia'
@@ -124,7 +124,7 @@ Run the `cosign verify-attestation ...` command:
 
 ```sh
 cosign verify-attestation \
-   <image>:<tag>@sha256:<manifest_digest> \
+   <image>:<tag>@${IMAGE_DIGEST} \
    --type='slsaprovenance' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
@@ -137,7 +137,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 cosign verify-attestation \
-   'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
+   kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
    --type='slsaprovenance' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
@@ -152,7 +152,7 @@ Run the `slsa-verifier verify-image ...` command:
 
 ```sh
 slsa-verifier verify-image \
-   <image>:<tag>@sha256:<manifest_digest> \
+   <image>:<tag>@${IMAGE_DIGEST} \
    --print-provenance \
    --provenance-repository kong/notary \
    --build-workflow-input 'version=9.3.0-beta.4' \
@@ -163,7 +163,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 slsa-verifier verify-image \
-   'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
+   kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
    --print-provenance \
    --provenance-repository kong/notary \
    --build-workflow-input 'version=9.3.0-beta.4' \

diff --git a/docs/inso-cli/sbom.md b/docs/inso-cli/sbom.md
@@ -17,4 +17,4 @@ We are generating SBOMs for both inso binaries and docker container images.
 
 * SBOMs for Inso Binaries:  `sbom.spdx.json` and `sbom.cyclonedx.json`
 * SBOMs for Inso Docker Images:
-  * Linux: `image_<image_name>-*.spdx.json` and `image_<image_name>-*.cyclonedx.json`
+  * Linux: `image-inso-*-sbom.spdx.json` and `image-inso-*-sbom.cyclonedx.json`
diff --git a/docs/inso-cli/verify-signed-images.md b/docs/inso-cli/verify-signed-images.md
@@ -40,6 +40,11 @@ For both examples, you need to:
    export COSIGN_REPOSITORY=kong/notary
    ```
 
+4. Parse the image manifest digest
+    ```sh
+   IMAGE_DIGEST=$(regctl manifest digest kong/inso:9.3.0-beta.4)
+   ```
+
 {:.important .no-icon}
 > Github owner is case-sensitive (`Kong/insomnia` vs `kong/insomnia`).
 
@@ -49,7 +54,7 @@ Run the `cosign verify ...` command:
 
 ```sh
 cosign verify \
-   kong/<image>:<tag>@sha256:<digest> \
+   kong/<image>:<tag>@${IMAGE_DIGEST} \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>'
 ```
@@ -58,7 +63,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 cosign verify \
-   'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
+   kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml'
 ```
@@ -67,7 +72,7 @@ cosign verify \
 
 ```sh
 cosign verify \
-   <image>:<tag>@sha256:<digest> \
+   <image>:<tag>@${IMAGE_DIGEST} \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/Kong/<repo>/.github/workflows/<workflow filename>' \
    -a repo='Kong/<repo>' \
@@ -78,7 +83,7 @@ Here's the same example using sample values instead of placeholders:
 
 ```sh
 cosign verify \
-   'kong/inso:9.3.0-beta.4@sha256:e1fd25efe702d5e2095f5595f8b452f50b65aa8e8e1209863fbef3f241d364c8' \
+   kong/inso:9.3.0-beta.4@${IMAGE_DIGEST} \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    --certificate-identity-regexp='https://github.com/Kong/insomnia/.github/workflows/release-publish.yml' \
    -a repo='Kong/insomnia' \

diff --git a/docs/insomnia/verify-binary-provenance.md b/docs/insomnia/verify-binary-provenance.md
@@ -33,9 +33,9 @@ For both examples, you need to:
 
 1. Ensure `slsa-verifier` is installed.
 
-2. [Download Insomnia Core Application Binaries](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.core&channel=beta) with file pattern `Insomnia.Core-<version>.{snap,tar.gz,zip,rpm,dmg,deb,exe,AppImage}`
+2. [Download Insomnia Core Application Binaries](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.app&channel=beta) with file pattern `Insomnia.Core-<version>.{snap,tar.gz,zip,rpm,dmg,deb,exe,AppImage}`
 
-3. [Download Insomnia Binary Provenance Attestation](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.core&channel=beta) with pattern `insomnia-provenance.intoto.jsonl`
+3. [Download Insomnia Binary Provenance Attestation](https://updates.insomnia.rest/downloads/release/latest?app=com.insomnia.app&channel=beta) with pattern `insomnia-provenance.intoto.jsonl`
 
 {:.important .no-icon}
 > The GitHub owner is case-sensitive (`Kong/insomnia` vs `kong/insomnia`).