diff --git a/README.md b/README.md index 85f8350..fbebb4b 100644 --- a/README.md +++ b/README.md @@ -140,7 +140,7 @@ You don't _have to_ use `bazel` or `kaniko` to build an image (you can just use In this example using `kaniko`, the code will always produce a hash of (see [reproducible Builds](#reproducible-builds)) -* `tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76` +* `tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f` For more info, see 
@@ -221,12 +221,55 @@ gsutil iam ch \ serviceAccount:cosign@$BUILDER_PROJECT_ID.iam.gserviceaccount.com:objectAdmin \ gs://$BUILDER_PROJECT_ID\_cloudbuild -gcloud beta builds submit --config=cloudbuild_kaniko.yaml +### for Kaniko + +# with local docker +# see appendix to setup credentials for artifact registry +# cd /app +# docker run -v `pwd`:/workspace -v $HOME/.docker/config_kaniko.json:/kaniko/.docker/config.json:ro \ +# gcr.io/kaniko-project/executor@sha256:034f15e6fe235490e64a4173d02d0a41f61382450c314fffed9b8ca96dff66b2 \ +# --dockerfile=Dockerfile --reproducible \ +# --destination "us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee:server" --context dir:///workspace/ + +## for cloud build +# cd /app +# gcloud beta builds submit --config=cloudbuild_kaniko.yaml + +# to build via commit for kaniko +gcloud source repos create cosign-repo + +gcloud projects add-iam-policy-binding $BUILDER_PROJECT_ID \ + --member=serviceAccount:cosign@$BUILDER_PROJECT_ID.iam.gserviceaccount.com \ + --role=roles/source.reader + +gcloud source repos clone cosign-repo +cd cosign-repo +cp -R ../app/* . 
+ +git add -A +git commit -m "add" +git push + +# create a manual trigger +gcloud beta builds triggers create manual --region=global \ + --name=cosign-trigger --build-config=cloudbuild_kaniko.yaml \ + --repo=https://source.developers.google.com/p/$BUILDER_PROJECT_ID/r/cosign-repo \ + --repo-type=CLOUD_SOURCE_REPOSITORIES --branch=main \ + --service-account=projects/$BUILDER_PROJECT_ID/serviceAccounts/cosign@$BUILDER_PROJECT_ID.iam.gserviceaccount.com + +# now trigger +gcloud beta builds triggers run cosign-trigger --branch=main + +# skopeo inspect --format "{{.Name}}@{{.Digest}}" docker://us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee:server + +### for Bazel # gcloud beta builds submit --config=cloudbuild_bazel.yaml ## for local Bazel ## if you want to modify the code, use bazel to regenerate the dependencies # to acquire bazel go dependency references +# bazel version 5.3.1 + # bazel run :gazelle -- update-repos -from_file=go.mod -prune=true -to_macro=repositories.bzl%go_repositories # to build image locally with bazel 
@@ -242,13 +285,12 @@ gcloud beta builds submit --config=cloudbuild_kaniko.yaml # --output_user_root=/tmp/build_output run --platforms=@io_bazel_rules_go//go/toolchain:linux_amd64 :server # # skopeo inspect --format "{{.Name}}@{{.Digest}}" docker-daemon:us-central1-docker.pkg.dev/builder-project/repo1/tee:server -#### us-central1-docker.pkg.dev/builder-project/repo1/tee@sha256:f993166b9425a85496b8557d27d39fb1d75309a8f77225a511a20353d6a50d7d # pull the image. you should see the exact same image hash docker pull us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee:server docker inspect us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee:server | jq -r '.[].RepoDigests[]' -docker inspect us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 +docker inspect us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f # docker pull docker.io/salrashid123/tee:server # docker inspect docker.io/salrashid123/tee:server @@ -267,7 +309,7 @@ Using `cosign` is a completely optional step used to add verification signatures Once the image is built and each collaborator is in agreement that the code contained in image -- `us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76` +- `us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f` isn't going to do anything malicious like exfiltrate their precious data, they can authorize that container to run in `Confidential Space` managed by an Operator. 
@@ -384,7 +426,7 @@ gcloud kms keys add-iam-policy-binding key1 --keyring=kr1 --location=glob ## we've already performed corse grain authorization on the workload pool and this step ## applies fine grain control to a specific image to decrypt data gcloud kms keys add-iam-policy-binding key1 --keyring=kr1 --location=global --project $COLLABORATOR_1_PROJECT_ID \ - --member="principalSet://iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76" \ + --member="principalSet://iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f" \ --role=roles/cloudkms.cryptoKeyDecrypter ``` 
@@ -397,7 +439,7 @@ In other words, the use of the KMS key is now bound to the operator's project wh Access is granted to an identity bound to the image: ```bash -principalSet://iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 +principalSet://iam.googleapis.com/projects/$COLLABORATOR_1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f ``` We could have configured the entire workload provider to mandate that any access to any resource must include that specific image has. This demo, however, abstracts it to the resource (KMS key) binding. This was done to allow more operational flexibility: if the image builder creates a new image hash, each collaborator can more easily replace the IAM binding on specific resources instead of redefining the entire providers constraints. 
@@ -439,7 +481,7 @@ gcloud kms keys add-iam-policy-binding key1 --keyring=kr1 --location=glob --member="user:$COLLABORATOR_2_GCLOUD_USER" --role=roles/cloudkms.cryptoKeyEncrypter gcloud kms keys add-iam-policy-binding key1 --keyring=kr1 --location=global --project $COLLABORATOR_2_PROJECT_ID \ - --member="principalSet://iam.googleapis.com/projects/$COLLABORATOR_2_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76" \ + --member="principalSet://iam.googleapis.com/projects/$COLLABORATOR_2_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f" \ --role=roles/cloudkms.cryptoKeyDecrypter ``` @@ -496,7 +538,7 @@ gcloud compute instances create vm1 --confidential-compute \ --image-project=confidential-space-images \ --image-family=confidential-space --network=teenetwork --no-address \ --service-account=operator-svc-account@$OPERATOR_PROJECT_ID.iam.gserviceaccount.com \ - --metadata ^~^tee-image-reference=us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76~tee-restart-policy=Never~tee-container-log-redirect=true + --metadata ^~^tee-image-reference=us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f~tee-restart-policy=Never~tee-container-log-redirect=true ## B) Using mTLS with external IP 
@@ -510,7 +552,7 @@ gcloud compute instances create vm1 --confidential-compute \ --image-project=confidential-space-images \ --image-family=confidential-space --network=teenetwork \ --service-account=operator-svc-account@$OPERATOR_PROJECT_ID.iam.gserviceaccount.com \ - --metadata ^~^tee-image-reference=us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76~tee-restart-policy=Never~tee-container-log-redirect=true + --metadata ^~^tee-image-reference=us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f~tee-restart-policy=Never~tee-container-log-redirect=true export EXTERNAL_IP=`gcloud compute instances describe vm1 --zone=us-central1-a --format='get(networkInterfaces[0].accessConfigs.natIP)'` echo $EXTERNAL_IP @@ -673,8 +715,8 @@ There are several ways to do this Note, i've observed a build using bazel and kaniko produces the different hashes for the same code...not sure what the case is (implementation or have some small variation i didn't account for; likely the override stated below)...eitherway, i did see builds are self-consistent and reproducible using the same tool -* Kaniko produces `tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76` -* Bazel produces `tee@sha256:f993166b9425a85496b8557d27d39fb1d75309a8f77225a511a20353d6a50d7d` +* Kaniko produces `tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f` +* Bazel produces `tee@sha256:5262ccfa1cd487a709e59985d8be011c6c512e179c6876d9c4ecb5f1f2bd91a9` #### Bazel Overrides 
@@ -772,7 +814,7 @@ title: collaborator_1_perimeter Note, VPC-SC "ingressPolicy->ingressFrom->identity" does not support `principal://` or `principalSet://` get so we have to enable `ANY_IDENTITY`. Ideally, we could tune the identity to: ```bash -principalSet://iam.googleapis.com/projects/$COLLABORATOR1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76 +principalSet://iam.googleapis.com/projects/$COLLABORATOR1_PROJECT_NUMBER/locations/global/workloadIdentityPools/trusted-workload-pool/attribute.image_reference/us-central1-docker.pkg.dev/$BUILDER_PROJECT_ID/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f ``` If the TEE attempts to access the STS or KMS endpoint for any collaborator who _has not_ authorized the project for ingress, they would see a VPC-SC error at the level where the API is invoked. In the following, the even the token grant fails 
@@ -910,54 +952,72 @@ Instead, you can generate a JWT token using another KMS key you have access to t ```json { "aud": "https://sts.googleapis.com", + "exp": 1683607320, + "iat": 1683603720, + "iss": "https://confidentialcomputing.googleapis.com", + "nbf": 1683603720, + "sub": "https://www.googleapis.com/compute/v1/projects/vegas-codelab-5/zones/us-central1-a/instances/vm1", + "tee": { + "version": { + "major": 0, + "minor": 0 + }, + "platform": {}, + "container": { + "image_reference": "", + "image_digest": "", + "restart_policy": "", + "image_id": "", + "env_override": null, + "cmd_override": null, + "env": null, + "args": null + }, + "gce": {} + }, + "secboot": true, + "oemid": 11129, + "hwmodel": "GCP_AMD_SEV", + "swname": "CONFIDENTIAL_SPACE", + "swversion": [ + "1" + ], "dbgstat": "disabled-since-boot", - "exp": 1682310820, "google_service_accounts": [ "operator-svc-account@vegas-codelab-5.iam.gserviceaccount.com" ], - "hwmodel": "GCP_AMD_SEV", - "iat": 1682307220, - "iss": "https://confidentialcomputing.googleapis.com", - "nbf": 1682307220, - "oemid": 11129, - "secboot": true, - "sub": "https://www.googleapis.com/compute/v1/projects/vegas-codelab-5/zones/us-central1-a/instances/vm1", "submods": { - "confidential_space": { - "support_attributes": [ - "LATEST", - "STABLE", - "USABLE" - ] - }, "container": { - "args": [ - "/server" - ], + "image_reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f", + "image_digest": "sha256:a76fd40d851d895f6eee2b047ceaf84fcb06812ef1707dbc9a22e4e74f4cfd1f", + "restart_policy": "Never", + "image_id": "sha256:ea901e29de82397b78616fb98cb7d5d09afeb11b804ac98dabcd77208e79ea41", + "env_override": null, "cmd_override": null, "env": { "HOSTNAME": "vm1", "PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "SSL_CERT_FILE": "/etc/ssl/certs/ca-certificates.crt" }, - "env_override": null, - "image_digest": 
"sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76", - "image_id": "sha256:aa02ff324c8a0d8c512d8babddb679b9972d336ac5477e4f745e81213bce37c7", - "image_reference": "us-central1-docker.pkg.dev/mineral-minutia-820/repo1/tee@sha256:7d670a791b38046fbda01e22b466ecd235d368a3fc5ae5aa6c05169c475d0d76", - "restart_policy": "Never" + "args": [ + "./server" + ] }, "gce": { - "instance_id": "1165979995028866800", - "instance_name": "vm1", + "zone": "us-central1-a", "project_id": "vegas-codelab-5", "project_number": "75457521745", - "zone": "us-central1-a" + "instance_name": "vm1", + "instance_id": "6920867375712861823" + }, + "confidential_space": { + "support_attributes": [ + "LATEST", + "STABLE", + "USABLE" + ] } - }, - "swname": "CONFIDENTIAL_SPACE", - "swversion": [ - "1" - ] + } } ``` @@ -1232,7 +1292,7 @@ vault write auth/jwt/role/my-jwt-role -<" [ultimate] ``` + +#### Local Kaniko build artifiact registry authentication + + +The following config allows you to use local docker kaniko to push to container registry + +```bash +token=$(gcloud auth print-access-token) +docker_token=$(echo -n "gclouddockertoken:$token" | base64 | tr -d "\n") + +cat > ~/.docker/config_kaniko.json <<- EOM +{ + "auths": { + "gcr.io": { + "auth": "$docker_token", + "email": "not@val.id" + }, + "us.gcr.io": { + "auth": "$docker_token", + "email": "not@val.id" + }, + "us-central1-docker.pkg.dev": { + "auth": "$docker_token", + "email": "not@val.id" + } + } +} +EOM +``` \ No newline at end of file diff --git a/app/BUILD.bazel b/app/BUILD.bazel index 8dca3fa..77f9f4a 100644 --- a/app/BUILD.bazel +++ b/app/BUILD.bazel @@ -2,6 +2,7 @@ load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library") load("@io_bazel_rules_docker//go:image.bzl", "go_image") load("@io_bazel_rules_docker//container:container.bzl", "container_image") load("@bazel_gazelle//:def.bzl", "gazelle") +load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar") gazelle(name = "gazelle") 
@@ -16,6 +17,22 @@ go_binary(
 goarch = "amd64",
 )
+pkg_tar(
+ name = "certs_bundle",
+ srcs = [
+ "//certs:root-ca-operator.crt",
+ "//certs:tee-operator.crt",
+ "//certs:tee-operator.key",
+ "//certs:root-ca-collaborator1.crt",
+ "//certs:tee-collaborator1.crt",
+ "//certs:tee-collaborator1.key",
+ "//certs:root-ca-collaborator2.crt",
+ "//certs:tee-collaborator2.crt",
+ "//certs:tee-collaborator2.key",
+ ],
+ package_dir = "/certs",
+)
+
 container_image(
 name = "server",
 base = "@distroless_base//image",
@@ -28,16 +45,8 @@ container_image(
 files = [
 ":main",
 ":config.json",
- "//certs:root-ca-operator.crt",
- "//certs:tee-operator.crt",
- "//certs:tee-operator.key",
- "//certs:root-ca-collaborator1.crt",
- "//certs:tee-collaborator1.crt",
- "//certs:tee-collaborator1.key",
- "//certs:root-ca-collaborator2.crt",
- "//certs:tee-collaborator2.crt",
- "//certs:tee-collaborator2.key",
 ],
+ tars = [":certs_bundle"],
 ports = ["8081"],
 repository = "us-central1-docker.pkg.dev/builder-project/repo1/tee",
 )
diff --git a/app/Dockerfile b/app/Dockerfile
index 697a987..f00225e 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
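Review bot: `certs_bundle` carries the three `tee-*.key` private keys with whatever permission bits and ownership `pkg_tar` applies by default, because the rule sets neither `mode` nor `owner`; the `files =` list it replaces left that to `container_image` instead. If the keys are meant to be readable only by the server process, pin it explicitly, e.g. `mode = "0400",` next to `package_dir` (the `.crt` entries can go in a second `pkg_tar` with a wider mode), which also keeps the tar header bytes, and hence the image digest the README records, independent of the rule's defaults across Bazel upgrades. As far as I recall, `@bazel_tools//tools/build_defs/pkg:pkg.bzl` loaded in the previous hunk is the deprecated built-in copy of `pkg_tar` and newer Bazel releases warn and point to rules_pkg, so that `load` may be worth revisiting. The same nine-file selection is reproduced on the Dockerfile side as a directory `COPY`, so any change to this list has to be mirrored there by hand.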
@@ -1,36 +1,24 @@
+# go1.19.8 linux/amd64
 FROM docker.io/golang@sha256:9f2dd04486e84eec72d945b077d568976981d9afed8b4e2aeb08f7ab739292b3 as build
 WORKDIR /go/src/app
 COPY . .
-
 RUN go mod download
-RUN go vet -v
-RUN go test -v
+RUN GOOS=linux GOARCH=amd64 go build -buildvcs=false -o /go/bin/server
-RUN GOOS=linux GOARCH=amd64 go build -o /go/bin/server
+RUN chown root:root /go/bin/server && \
+ chown -R root:root /go/src/app
-FROM gcr.io/distroless/base@sha256:75f63d4edd703030d4312dc7528a349ca34d48bec7bd754652b2d47e5a0b7873
+# base-debian11-root
+FROM gcr.io/distroless/base-debian11@sha256:df13a91fd415eb192a75e2ef7eacf3bb5877bb05ce93064b91b83feef5431f37
 LABEL "tee.launch_policy.allow_cmd_override"="false"
 LABEL "tee.launch_policy.log_redirect"="always"
-COPY --from=build /go/bin/server /
+COPY --from=build /go/bin/server /server
 COPY --from=build /go/src/app/config.json /config.json
-
-COPY --from=build /go/src/app/certs/root-ca-operator.crt /root-ca-operator.crt
-COPY --from=build /go/src/app/certs/tee-operator.crt /tee-operator.crt
-COPY --from=build /go/src/app/certs/tee-operator.key /tee-operator.key
-
-COPY --from=build /go/src/app/certs/root-ca-collaborator1.crt /root-ca-collaborator1.crt
-COPY --from=build /go/src/app/certs/tee-collaborator1.crt /tee-collaborator1.crt
-COPY --from=build /go/src/app/certs/tee-collaborator1.key /tee-collaborator1.key
-
-COPY --from=build /go/src/app/certs/root-ca-collaborator2.crt /root-ca-collaborator2.crt
-COPY --from=build /go/src/app/certs/tee-collaborator2.crt /tee-collaborator2.crt
-COPY --from=build /go/src/app/certs/tee-collaborator2.key /tee-collaborator2.key
+COPY --from=build /go/src/app/certs /certs
 EXPOSE 8081
-
-ENTRYPOINT ["/server"]
-
+ENTRYPOINT ["./server"]
 CMD []
diff --git a/app/cloudbuild_bazel.yaml b/app/cloudbuild_bazel.yaml
index 38a6285..bd0d83a 100644
--- a/app/cloudbuild_bazel.yaml
+++ b/app/cloudbuild_bazel.yaml
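Review bot: `COPY --from=build /go/src/app/certs /certs` copies the whole directory, whereas the nine lines it replaces named exactly three `root-ca-*.crt`, three `tee-*.crt` and three `tee-*.key` files, so anything else present under `certs/` in the build context (presumably the root CA private keys next to the `root-ca-*.crt` files, if they are kept there) is now baked into an image that collaborators are expected to pull and inspect. Keeping the selection explicit in a single line: `COPY --from=build /go/src/app/certs/root-ca-*.crt /go/src/app/certs/tee-*.crt /go/src/app/certs/tee-*.key /certs/` (or exclude the CA keys through `.dockerignore`). Separately, `ENTRYPOINT ["./server"]` is a relative path and this stage sets no `WORKDIR`, so it only resolves if the distroless base's working directory is `/`; since the binary is now copied to `/server`, `ENTRYPOINT ["/server"]` is the form that does not depend on that. Whichever is kept, the attestation sample in the README records the launch `args`, so the choice shows up in the measured claims.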
@@ -1,5 +1,6 @@ steps: + # bazel 5.3.1 - name: gcr.io/cloud-builders/bazel@sha256:f00a985c3196cc58819b6f7e8e40353273bc20e8f24b54d9c92d5279bb5b3fad id: build args: ['run', '--platforms=@io_bazel_rules_go//go/toolchain:linux_amd64', ':server'] @@ -12,7 +13,7 @@ steps: - | gcloud auth print-access-token > /workspace/token - - name: quay.io/containers/skopeo@sha256:2f90e4c091a45cf0f92916642a97227531c4242ea18979b16359966ca358ec63 + - name: quay.io/containers/skopeo@sha256:282ec8da6e903232320f5ef8bb3bd88bf26872d569cfa79f5cb8faa5f0368a30 id: push entrypoint: '/bin/bash' args: diff --git a/app/cloudbuild_kaniko.yaml b/app/cloudbuild_kaniko.yaml index 763f5f4..7700872 100644 --- a/app/cloudbuild_kaniko.yaml +++ b/app/cloudbuild_kaniko.yaml @@ -131,4 +131,3 @@ steps: serviceAccount: 'projects/$PROJECT_ID/serviceAccounts/cosign@$PROJECT_ID.iam.gserviceaccount.com' options: logging: CLOUD_LOGGING_ONLY - machineType: 'N1_HIGHCPU_32' diff --git a/app/main.go b/app/main.go index a29c8b5..79c3a38 100644 --- a/app/main.go +++ b/app/main.go 
@@ -42,18 +42,18 @@ var (
 project_id = flag.String("project_id", "", "ProjectID for pubsub subscription and logging")
 // for mtls certificates
- default_ca = flag.String("default_ca", "root-ca-operator.crt", "Operator RootCA Chain (PEM)")
- default_tls_crt = flag.String("default_tls_crt", "tee-operator.crt", "Operator TLS Certificate (PEM)")
- default_tls_key = flag.String("default_tls_key", "tee-operator.key", "Operator TLS KEY (PEM)")
+ default_ca = flag.String("default_ca", "certs/root-ca-operator.crt", "Operator RootCA Chain (PEM)")
+ default_tls_crt = flag.String("default_tls_crt", "certs/tee-operator.crt", "Operator TLS Certificate (PEM)")
+ default_tls_key = flag.String("default_tls_key", "certs/tee-operator.key", "Operator TLS KEY (PEM)")
 // collaborator mtls certs and keys materialized within the TEE
- collaborator1_ca = flag.String("collaborator1_ca", "root-ca-collaborator1.crt", "Collaborator 1 RootCA Chain (PEM)")
- collaborator1_tls_crt = flag.String("collaborator1_tls_crt", "tee-collaborator1.crt", "Collaborator 1 TLS Certificate (PEM)")
- collaborator1_tls_key = flag.String("collaborator1_tls_key", "tee-collaborator1.key", "Collaborator 1 TLS KEY (PEM)")
+ collaborator1_ca = flag.String("collaborator1_ca", "certs/root-ca-collaborator1.crt", "Collaborator 1 RootCA Chain (PEM)")
+ collaborator1_tls_crt = flag.String("collaborator1_tls_crt", "certs/tee-collaborator1.crt", "Collaborator 1 TLS Certificate (PEM)")
+ collaborator1_tls_key = flag.String("collaborator1_tls_key", "certs/tee-collaborator1.key", "Collaborator 1 TLS KEY (PEM)")
- collaborator2_ca = flag.String("collaborator2_ca", "root-ca-collaborator2.crt", "Collaborator 2 RootCA Chain (PEM)")
- collaborator2_tls_crt = flag.String("collaborator2_tls_crt", "tee-collaborator2.crt", "Collaborator 2 TLS Certificate (PEM)")
- collaborator2_tls_key = flag.String("collaborator2_tls_key", "tee-collaborator2.key", "Collaborator 2 TLS KEY (PEM)")
+ collaborator2_ca = flag.String("collaborator2_ca", "certs/root-ca-collaborator2.crt", "Collaborator 2 RootCA Chain (PEM)")
+ collaborator2_tls_crt = flag.String("collaborator2_tls_crt", "certs/tee-collaborator2.crt", "Collaborator 2 TLS Certificate (PEM)")
+ collaborator2_tls_key = flag.String("collaborator2_tls_key", "certs/tee-collaborator2.key", "Collaborator 2 TLS KEY (PEM)")
 // map to hold all the users currently found and the number of times
 // they've been sent
diff --git a/images/artifacts.png b/images/artifacts.png
index c755b65..91f912e 100644
Binary files a/images/artifacts.png and b/images/artifacts.png differ
diff --git a/images/build_hash.png b/images/build_hash.png
index bc01f5b..87a6fb6 100644
Binary files a/images/build_hash.png and b/images/build_hash.png differ
diff --git a/images/cc_logs.png b/images/cc_logs.png
index 58f6dc1..1913b08 100644
Binary files a/images/cc_logs.png and b/images/cc_logs.png differ
diff --git a/images/cc_startup.png b/images/cc_startup.png
index be0a15f..f9e3d7f 100644
Binary files a/images/cc_startup.png and b/images/cc_startup.png differ
diff --git a/images/cloud_logging.png b/images/cloud_logging.png
index b921459..e9d4c8a 100644
Binary files a/images/cloud_logging.png and b/images/cloud_logging.png differ
diff --git a/images/conf_space.png b/images/conf_space.png
index 6dbc4dd..544062b 100644
Binary files a/images/conf_space.png and b/images/conf_space.png differ
diff --git a/images/kms.png b/images/kms.png
index 506bbc1..5287704 100644
Binary files a/images/kms.png and b/images/kms.png differ
diff --git a/images/launch_spec.png b/images/launch_spec.png
index 1e8f358..414dcb1 100644
Binary files a/images/launch_spec.png and b/images/launch_spec.png differ
diff --git a/images/sts.png b/images/sts.png
index 57d7203..12fc623 100644
Binary files a/images/sts.png and b/images/sts.png differ
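Review bot: The new defaults (`certs/root-ca-operator.crt` and the eight siblings) are relative paths, so they are resolved against the process's working directory when the files are opened, not against the binary's location; the server only finds its mTLS material if it is launched with cwd `/`. Both image builds place the files under `/certs` (the Bazel rule via `package_dir = "/certs"`, the Dockerfile via `COPY ... /certs`) and neither pins a `WORKDIR`, and the Dockerfile's `ENTRYPOINT ["./server"]` relies on the same assumption. Absolute defaults such as `default_ca = flag.String("default_ca", "/certs/root-ca-operator.crt", "Operator RootCA Chain (PEM)")` for all nine flags match both layouts and stop a working-directory difference from silently changing which key and CA files are loaded. The enclosing `var (` block starts before this hunk.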