From 361dbf762deb9921333655d0cb3da2e6b1caf9f2 Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Sat, 29 Jun 2024 19:05:03 +0900 Subject: [PATCH] Recommend verification with GitHub CLI (#2074) --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 4f683a5e0..afd00c219 100644 --- a/README.md +++ b/README.md 
@@ -40,21 +40,21 @@ NOTE: The Chocolatey package is NOT directly maintained by the TFLint maintainer ### Verification -#### Cosign +#### GitHub CLI (Recommended) -[Cosign](https://github.com/sigstore/cosign) `verify-blob` command ensures that the release was built with GitHub Actions in this repository. +[Artifact Attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds) are available that can be verified using the GitHub CLI. ```console -cosign verify-blob --certificate=checksums.txt.pem --signature=checksums.txt.keyless.sig --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" --certificate-oidc-issuer=https://token.actions.githubusercontent.com checksums.txt +gh attestation verify checksums.txt -R terraform-linters/tflint sha256sum --ignore-missing -c checksums.txt ``` -#### GitHub CLI (Beta) +#### Cosign -[Artifact Attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds) are available that can be verified using the GitHub CLI. +[Cosign](https://github.com/sigstore/cosign) `verify-blob` command ensures that the release was built with GitHub Actions in this repository. ```console -gh attestation verify checksums.txt -R terraform-linters/tflint +cosign verify-blob --certificate=checksums.txt.pem --signature=checksums.txt.keyless.sig --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" --certificate-oidc-issuer=https://token.actions.githubusercontent.com checksums.txt sha256sum --ignore-missing -c checksums.txt ```
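Review bot: the Cosign command that is moved into the second `+` block keeps `--certificate-identity-regexp="^https://github.com/terraform-linters/tflint"`, which is anchored only at the start and so also matches certificate identities for any other repository under the same org whose name begins with `tflint` (for example a `terraform-linters/tflint-...` path); since this patch is already touching the line, tighten it to `--certificate-identity-regexp="^https://github.com/terraform-linters/tflint/"` so the match is restricted to workflows in this repository. Separately, the new recommended section says only that attestations "are available that can be verified using the GitHub CLI", while the Cosign paragraph still explains what the check proves ("ensures that the release was built with GitHub Actions in this repository"); the GitHub CLI paragraph should state the same guarantee, e.g. that `gh attestation verify checksums.txt -R terraform-linters/tflint` confirms `checksums.txt` was produced by a workflow in this repository, so readers know what the `-R` argument asserts and why `sha256sum --ignore-missing -c checksums.txt` must follow it rather than replace it.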