Commit

docs: Update crane installation and verification instructions (#1567)
ianlewis authored Feb 17, 2023
1 parent 3624968 commit 4a0e0af
Showing 1 changed file with 33 additions and 24 deletions.
57 changes: 33 additions & 24 deletions cmd/crane/README.md
Expand Up @@ -10,38 +10,47 @@ A collection of useful things you can do with `crane` is [here](recipes.md).
## Installation

### Install from Releases
1. Download [latest release](https://github.com/google/go-containerregistry/releases/latest):

```sh
$ OS=Linux # or Darwin, Windows
$ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x
$ curl -sL "https://github.com/google/go-containerregistry/releases/latest/download/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
```
1. Get the [latest release](https://github.com/google/go-containerregistry/releases/latest) version.

Download a specific version:
```
$ VERSION=TODO # Version number without leading v
$ OS=Linux # or Darwin, Windows
$ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x
$ curl -sL "https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
```
```sh
$ VERSION=$(curl -s "https://api.github.com/repos/google/go-containerregistry/releases/latest" | jq -r '.tag_name')
```

2. Verify the signature
We generate [SLSA 3 provenance](https://slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify our release, install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation) and verify as follows:
or set a specific version:

```sh
$ curl -sL https://github.com/google/go-containerregistry/releases/download/v${VERSION}/attestation.intoto.jsonl > provenance.intoto.jsonl
$ slsa-verifier -artifact-path go-containerregistry.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/go-containerregistry -tag "v${VERSION}"
PASSED: Verified SLSA provenance
```
```sh
$ VERSION=vX.Y.Z # Version number with a leading v
```

3. Unpack it in the PATH.
1. Download the release.

```sh
$ tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane
```
```sh
$ OS=Linux # or Darwin, Windows
$ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x
$ curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
```

1. Verify the signature. We generate [SLSA 3 provenance](https://slsa.dev) using
the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator).
To verify our release, install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation)
and verify as follows:
```sh
$ curl -sL https://github.com/google/go-containerregistry/releases/download/${VERSION}/multiple.intoto.jsonl > provenance.intoto.jsonl
$ # NOTE: You may be using a different architecture.
$ slsa-verifier-linux-amd64 verify-artifact go-containerregistry.tar.gz --provenance-path provenance.intoto.jsonl --source-uri github.com/google/go-containerregistry --source-tag "${VERSION}"
PASSED: Verified SLSA provenance
```
1. Unpack it in the PATH.
```sh
$ tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane
```
### Install manually
Install manually:
```sh
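Review bot: In the new "Get the latest release version" step, `VERSION=$(curl -s ... | jq -r '.tag_name')` has no failure handling and adds a dependency on `jq` that the README does not mention. If the API request is rate-limited or otherwise returns a JSON error body, there is no `tag_name` field and `jq -r` prints `null`; if the request fails outright, `VERSION` is empty. The download step then builds a URL from that value and, because it uses `curl -sL` without `-f`, saves the HTTP error body as `go-containerregistry.tar.gz`. The `slsa-verifier` step should still reject that file, but the user sees a provenance failure instead of the real cause. Suggest `curl -sfL` for the API, tarball and `multiple.intoto.jsonl` requests, and listing `jq` as a prerequisite. Separately, the step is still titled "Verify the signature" although the command it shows checks SLSA provenance; "Verify the provenance" would match what `verify-artifact` does.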