docs: Update crane installation and verification instructions (#1567)

google · Feb 17, 2023 · 4a0e0af · 4a0e0af
1 parent 3624968
commit 4a0e0af
Showing 1 changed file with 33 additions and 24 deletions.
diff --git a/cmd/crane/README.md b/cmd/crane/README.md
@@ -10,38 +10,47 @@ A collection of useful things you can do with `crane` is [here](recipes.md).
 ## Installation
 
 ### Install from Releases
-1. Download [latest release](https://github.com/google/go-containerregistry/releases/latest):
 
-```sh
-$ OS=Linux # or Darwin, Windows
-$ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x
-$ curl -sL "https://github.com/google/go-containerregistry/releases/latest/download/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
-```
+1. Get the [latest release](https://github.com/google/go-containerregistry/releases/latest) version.
 
-Download a specific version:
-```
-$ VERSION=TODO # Version number without leading v
-$ OS=Linux # or Darwin, Windows
-$ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x
-$ curl -sL "https://github.com/google/go-containerregistry/releases/download/v${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
-```
+ ```sh
+ $ VERSION=$(curl -s "https://api.github.com/repos/google/go-containerregistry/releases/latest" | jq -r '.tag_name')
+ ```
 
-2. Verify the signature
-We generate [SLSA 3 provenance](https://slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify our release, install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation) and verify as follows:
+ or set a specific version:
 
-```sh
-$ curl -sL https://github.com/google/go-containerregistry/releases/download/v${VERSION}/attestation.intoto.jsonl > provenance.intoto.jsonl
-$ slsa-verifier -artifact-path go-containerregistry.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/go-containerregistry -tag "v${VERSION}"
- PASSED: Verified SLSA provenance
-```
+ ```sh
+ $ VERSION=vX.Y.Z # Version number with a leading v
+ ```
 
-3. Unpack it in the PATH.
+1. Download the release.
 
-```sh
-$ tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane
-```
+ ```sh
+ $ OS=Linux # or Darwin, Windows
+ $ ARCH=x86_64 # or arm64, x86_64, armv6, i386, s390x
+ $ curl -sL "https://github.com/google/go-containerregistry/releases/download/${VERSION}/go-containerregistry_${OS}_${ARCH}.tar.gz" > go-containerregistry.tar.gz
+ ```
+
+1. Verify the signature. We generate [SLSA 3 provenance](https://slsa.dev) using
+ the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator).
+ To verify our release, install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation)
+ and verify as follows:
+
+ ```sh
+ $ curl -sL https://github.com/google/go-containerregistry/releases/download/${VERSION}/multiple.intoto.jsonl > provenance.intoto.jsonl
+ $ # NOTE: You may be using a different architecture.
+ $ slsa-verifier-linux-amd64 verify-artifact go-containerregistry.tar.gz --provenance-path provenance.intoto.jsonl --source-uri github.com/google/go-containerregistry --source-tag "${VERSION}"
+ PASSED: Verified SLSA provenance
+ ```
+
+1. Unpack it in the PATH.
+
+ ```sh
+ $ tar -zxvf go-containerregistry.tar.gz -C /usr/local/bin/ crane
+ ```
 
 ### Install manually
+
 Install manually:
 
 ```sh