From 4a0e0af4bf958c0bfb17bdfac71c38204b930623 Mon Sep 17 00:00:00 2001 From: Ian Lewis Date: Fri, 17 Feb 2023 13:37:38 +0900 Subject: [PATCH] docs: Update crane installation and verification instructions (#1567) --- cmd/crane/README.md | 57 ++++++++++++++++++++++++++------------------- 1 file changed, 33 insertions(+), 24 deletions(-) diff --git a/cmd/crane/README.md b/cmd/crane/README.md index 76a7fb09c..a05dbeb3c 100644 --- a/cmd/crane/README.md +++ b/cmd/crane/README.md 
@@ -10,38 +10,47 @@ A collection of useful things you can do with `crane` is [here](recipes.md). ## Installation ### Install from Releases -1. Download [latest release](https://github.com/google/go-containerregistry/releases/latest): -```sh -$ OS=Linux # or Darwin, Windows -$ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x -$ curl -sL "https://github.com/google/go-containerregistry/releases/latest/download/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz -``` +1. Get the [latest release](https://github.com/google/go-containerregistry/releases/latest) version. -Download a specific version: -``` -$ VERSION=TODO # Version number without leading v -$ OS=Linux # or Darwin, Windows -$ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x -$ curl -sL "https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz -``` + ```sh + $ VERSION=$(curl -s "https://api.github.com/repos/google/go-containerregistry/releases/latest" | jq -r '.tag_name') + ``` -2. Verify the signature -We generate [SLSA 3 provenance](https://slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify our release, install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation) and verify as follows: + or set a specific version: -```sh -$ curl -sL https://github.com/google/go-containerregistry/releases/download/v${VERSION}/attestation.intoto.jsonl > provenance.intoto.jsonl -$ slsa-verifier -artifact-path go-containerregistry.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/go-containerregistry -tag "v${VERSION}" - PASSED: Verified SLSA provenance -``` + ```sh + $ VERSION=vX.Y.Z # Version number with a leading v + ``` -3. Unpack it in the PATH. +1. Download the release. 
-```sh -$ tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane -``` + ```sh + $ OS=Linux # or Darwin, Windows + $ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x + $ curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz + ``` + +1. Verify the signature. We generate [SLSA 3 provenance](https://slsa.dev) using + the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). + To verify our release, install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation) + and verify as follows: + + ```sh + $ curl -sL https://github.com/google/go-containerregistry/releases/download/${VERSION}/multiple.intoto.jsonl > provenance.intoto.jsonl + $ # NOTE: You may be using a different architecture. + $ slsa-verifier-linux-amd64 verify-artifact go-containerregistry.tar.gz --provenance-path provenance.intoto.jsonl --source-uri github.com/google/go-containerregistry --source-tag "${VERSION}" + PASSED: Verified SLSA provenance + ``` + +1. Unpack it in the PATH. + + ```sh + $ tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane + ``` ### Install manually + Install manually: ```sh
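Review bot: The new `VERSION=$(curl -s ... | jq -r '.tag_name')` line in the "Get the latest release version" step introduces a dependency on `jq` that the README does not mention; please state it as a prerequisite (or point readers at the "set a specific version" alternative when `jq` is unavailable), since a missing `jq` leaves `VERSION` empty and every later URL in the procedure then resolves to `releases/download//go-containerregistry_...`. In the same hunk, the `curl -sL` calls for the tarball and for `multiple.intoto.jsonl` would be safer as `curl -sSfL`, so that a failed download (e.g. a wrong `VERSION`) exits non-zero instead of writing an HTML error page that is only caught later when `slsa-verifier` rejects it. Minor: the added `Install manually:` line directly under the `### Install manually` heading is redundant and could be dropped.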