Skip to content

Commit 31b4a6f

Browse files
caarlos0caarlos0
committed
docs: updates
Signed-off-by: Carlos Alexandro Becker <[email protected]>
1 parent 3e22828 commit 31b4a6f

File tree

1 file changed

+10
-10
lines changed

1 file changed

+10
-10
lines changed

README.md

Lines changed: 10 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -118,10 +118,10 @@ Then, we download the `checksums.txt` file, and verify its signature:
118118
```bash
119119
wget https://github.com/goreleaser/example-secure/releases/download/$VERSION/checksums.txt
120120
cosign verify-blob \
121-
--certificate-identity 'https://github.com/goreleaser/example-secure/.github/workflows/release.yml@refs/tags/$VERSION' \
121+
--certificate-identity "https://github.com/goreleaser/example-secure/.github/workflows/release.yml@refs/tags/$VERSION" \
122122
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
123-
--cert https://github.com/goreleaser/example-secure/releases/download/$VERSION/checksums.txt.pem \
124-
--signature https://github.com/goreleaser/example-secure/releases/download/$VERSION/checksums.txt.sig \
123+
--cert "https://github.com/goreleaser/example-secure/releases/download/$VERSION/checksums.txt.pem" \
124+
--signature "https://github.com/goreleaser/example-secure/releases/download/$VERSION/checksums.txt.sig" \
125125
./checksums.txt
126126
```
127127

@@ -131,7 +131,7 @@ from the release with this checksum file!
131131
You can then download any file you want from the release, and verify it with, for example:
132132

133133
```bash
134-
wget https://github.com/goreleaser/example-secure/releases/download/$VERSION/example_linux_amd64.tar.gz
134+
wget "https://github.com/goreleaser/example-secure/releases/download/$VERSION/example_linux_amd64.tar.gz"
135135
sha256sum --ignore-missing -c checksums.txt
136136
```
137137

@@ -144,7 +144,7 @@ To get the SBOM of an artifact, you can use the same download URL, adding
144144
`.sbom.json` to the end of the URL, and we can then check it out with `grype`:
145145

146146
```bash
147-
wget https://github.com/goreleaser/example-secure/releases/download/$VERSION/example_linux_amd64.tar.gz.sbom.json
147+
wget "https://github.com/goreleaser/example-secure/releases/download/$VERSION/example_linux_amd64.tar.gz.sbom.json"
148148
sha256sum --ignore-missing -c checksums.txt
149149
grype sbom:example_linux_amd64.tar.gz.sbom.json
150150
```
@@ -164,23 +164,23 @@ Signature:
164164

165165
```bash
166166
cosign verify \
167-
--certificate-identity 'https://github.com/goreleaser/example-secure/.github/workflows/release.yml@refs/tags/$VERSION' \
168-
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
169-
ghcr.io/goreleaser/example-secure:$VERSION
167+
--certificate-identity "https://github.com/goreleaser/example-secure/.github/workflows/release.yml@refs/tags/$VERSION" \
168+
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
169+
"ghcr.io/goreleaser/example-secure:$VERSION"
170170
```
171171

172172
Vulnerabilities:
173173

174174
```bash
175-
grype docker:ghcr.io/goreleaser/example-secure:$VERSION
175+
grype "docker:ghcr.io/goreleaser/example-secure:$VERSION"
176176
```
177177

178178
Attestations:
179179

180180
```bash
181181
gh attestation verify \
182182
--owner goreleaser \
183-
oci://ghcr.io/goreleaser/example-secure:$VERSION
183+
"oci://ghcr.io/goreleaser/example-secure:$VERSION"
184184
```
185185

186186
If all these checks are OK, you have a pretty good indication that everything

0 commit comments

Comments
 (0)