docs: fix install's cosign steps (#3913)

updated to the cosign v2 cc/ @cpanato --------- Signed-off-by: Carlos A Becker <caarlos0@users.noreply.github.com>
goreleaser · Apr 6, 2023 · bf2e163 · bf2e163
1 parent e9e392d
commit bf2e163
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 47 deletions.
diff --git a/www/docs/install.md b/www/docs/install.md
@@ -12,19 +12,19 @@ Below you can find the steps for each of them.
 ### homebrew tap
 
 === "OSS"
-    ```sh
+    ```bash
     brew install goreleaser/tap/goreleaser
     ```
 
 === "Pro"
-    ```sh
+    ```bash
     brew install goreleaser/tap/goreleaser-pro
     ```
 
 ### homebrew
 
 === "OSS"
-    ```sh
+    ```bash
     brew install goreleaser
     ```
 
@@ -35,35 +35,35 @@ Below you can find the steps for each of them.
 ### snapcraft
 
 === "OSS"
-    ```sh
+    ```bash
     sudo snap install --classic goreleaser
     ```
 
 ### scoop
 
 === "OSS"
-    ```sh
+    ```bash
     scoop bucket add goreleaser https://github.com/goreleaser/scoop-bucket.git
     scoop install goreleaser
     ```
 
 === "Pro"
-    ```sh
+    ```bash
     scoop bucket add goreleaser https://github.com/goreleaser/scoop-bucket.git
     scoop install goreleaser-pro
     ```
 
 ### apt
 
 === "OSS"
-    ```sh
+    ```bash
     echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
     sudo apt update
     sudo apt install goreleaser
     ```
 
 === "Pro"
-    ```sh
+    ```bash
     echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
     sudo apt update
     sudo apt install goreleaser-pro
@@ -72,7 +72,7 @@ Below you can find the steps for each of them.
 ### yum
 
 === "OSS"
-    ```sh
+    ```bash
     echo '[goreleaser]
     name=GoReleaser
     baseurl=https://repo.goreleaser.com/yum/
@@ -82,7 +82,7 @@ Below you can find the steps for each of them.
     ```
 
 === "Pro"
-    ```sh
+    ```bash
     echo '[goreleaser]
     name=GoReleaser
     baseurl=https://repo.goreleaser.com/yum/
@@ -94,12 +94,12 @@ Below you can find the steps for each of them.
 ### aur
 
 === "OSS"
-    ```sh
+    ```bash
     yay -S goreleaser-bin
     ```
 
 === "Pro"
-    ```sh
+    ```bash
     yay -S goreleaser-pro-bin
     ```
 
@@ -114,19 +114,19 @@ Below you can find the steps for each of them.
 ### go install
 
 === "OSS"
-    ```sh
+    ```bash
     go install github.com/goreleaser/goreleaser@latest
     ```
 
 ### bash script
 
 === "OSS"
-    ```sh
+    ```bash
     curl -sfL https://goreleaser.com/static/run | bash
     ```
 
 === "Pro"
-    ```sh
+    ```bash
     curl -sfL https://goreleaser.com/static/run | DISTRIBUTION=pro bash
     ```
 
@@ -191,39 +191,39 @@ All artifacts are checksummed, and the checksum file is signed with [cosign][].
 
 === "OSS"
     1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][releases] page:
-      ```sh
-      wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt
-      wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig
-      wget https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem
+      ```bash
+      wget 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt'
       ```
     1. Verify the signature:
-      ```sh
+      ```bash
       cosign verify-blob \
-        --cert checksums.txt.pem \
-        --signature checksums.txt.sig \
-        checksums.txt
+        --certificate-identity 'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/__VERSION__' \
+        --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+        --cert 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.pem' \
+        --signature 'https://github.com/goreleaser/goreleaser/releases/download/__VERSION__/checksums.txt.sig' \
+        ./checksums.txt
       ```
     1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
-      ```sh
+      ```bash
       sha256sum --ignore-missing -c checksums.txt
       ```
 
 === "Pro"
     1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the [releases][pro-releases] page:
-      ```sh
-      wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt
-      wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig
-      wget https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem
+      ```bash
+      wget 'https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt'
       ```
     1. Verify the signature:
-      ```sh
+      ```bash
       cosign verify-blob \
-        --cert checksums.txt.pem \
-        --signature checksums.txt.sig \
-        checksums.txt
+        --certificate-identity 'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/__VERSION__-pro' \
+        --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+        --cert 'https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.pem' \
+        --signature 'https://github.com/goreleaser/goreleaser-pro/releases/download/__VERSION__-pro/checksums.txt.sig' \
+        ./checksums.txt
       ```
     1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
-      ```sh
+      ```bash
       sha256sum --ignore-missing -c checksums.txt
       ```
 
@@ -234,13 +234,19 @@ Our Docker images are signed with [cosign][].
 Verify the signatures:
 
 === "OSS"
-    ```sh
-    cosign verify goreleaser/goreleaser
+    ```bash
+    cosign verify \
+      --certificate-identity 'https://github.com/goreleaser/goreleaser/.github/workflows/release.yml@refs/tags/__VERSION__' \
+        --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+      goreleaser/goreleaser
     ```
 
 === "Pro"
-    ```sh
-    cosign verify goreleaser/goreleaser-pro
+    ```bash
+    cosign verify \
+      --certificate-identity 'https://github.com/goreleaser/goreleaser-pro-internal/.github/workflows/release-pro.yml@refs/tags/__VERSION__-pro' \
+      --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+      goreleaser/goreleaser-pro
     ```
 
 !!! info
@@ -259,7 +265,7 @@ To do that, you'll need to execute something more-or-less like the examples belo
 
     Example usage:
 
-    ```sh
+    ```bash
     docker run --rm --privileged \
       -v $PWD:/go/src/github.com/user/repo \
       -v /var/run/docker.sock:/var/run/docker.sock \
@@ -279,7 +285,7 @@ To do that, you'll need to execute something more-or-less like the examples belo
 
     Example usage:
 
-    ```sh
+    ```bash
     docker run --rm --privileged \
       -v $PWD:/go/src/github.com/user/repo \
       -v /var/run/docker.sock:/var/run/docker.sock \
@@ -327,25 +333,25 @@ If you just want to build from source for whatever reason, follow these steps:
 
 **clone:**
 
-```sh
+```bash
 git clone https://github.com/goreleaser/goreleaser
 cd goreleaser
 ```
 
 **get the dependencies:**
 
-```sh
+```bash
 go mod tidy
 ```
 
 **build:**
 
-```sh
+```bash
 go build -o goreleaser .
 ```
 
 **verify it works:**
 
-```sh
+```bash
 ./goreleaser --version
 ```
diff --git a/www/docs/static/run b/www/docs/static/run
@@ -29,15 +29,15 @@ export TAR_FILE="$TMPDIR/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
 	curl -sfLo "$TAR_FILE" \
 		"$RELEASES_URL/download/$VERSION/${FILE_BASENAME}_$(uname -s)_$(uname -m).tar.gz"
 	curl -sfLo "checksums.txt" "$RELEASES_URL/download/$VERSION/checksums.txt"
-	curl -sfLo "checksums.txt.sig" "$RELEASES_URL/download/$VERSION/checksums.txt.sig"
-	curl -sfLo "checksums.txt.pem" "$RELEASES_URL/download/$VERSION/checksums.txt.pem"
 	echo "Verifying checksums..."
 	sha256sum --ignore-missing --quiet --check checksums.txt
 	if command -v cosign >/dev/null 2>&1; then
 		echo "Verifying signatures..."
 		cosign verify-blob \
-			--cert checksums.txt.pem \
-			--signature checksums.txt.sig \
+			--certificate-identity-regexp "https://github.com/goreleaser/goreleaser.*/.github/workflows/.*.yml@refs/tags/$VERSION" \
+			--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
+			--cert "$RELEASES_URL/download/$VERSION/checksums.txt.pem" \
+			--signature "$RELEASES_URL/download/$VERSION/checksums.txt.sig" \
 			checksums.txt
 	else
 		echo "Could not verify signatures, cosign is not installed."