fix and fix examples where we are using the single dash style flags. (#…

…835)

Signed-off-by: Scott Nichols <deoryp@gmail.com>

.github/workflows/cross.yaml

@@ -66,13 +66,13 @@ jobs:
           COSIGN_PASSWORD: ${{secrets[matrix.COSIGN_PASSWORD]}}
         if: github.event_name != 'pull_request'
         run: |
-          ./${{matrix.COSIGN_TARGET}} sign-blob -key ./.github/workflows/cosign.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig
-          ./${{matrix.COSIGN_TARGET}} sign-blob -key ./.github/workflows/cosign.key ./${{matrix.SGET_TARGET}} > ${{matrix.SGET_TARGET}}.sig
+          ./${{matrix.COSIGN_TARGET}} sign-blob --key ./.github/workflows/cosign.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig
+          ./${{matrix.COSIGN_TARGET}} sign-blob --key ./.github/workflows/cosign.key ./${{matrix.SGET_TARGET}} > ${{matrix.SGET_TARGET}}.sig
       - name: verify
         if: github.event_name != 'pull_request'
         run: |
-          ./${{matrix.COSIGN_TARGET}} verify-blob -key ./.github/workflows/cosign.pub -signature ${{matrix.COSIGN_TARGET}}.sig ./${{matrix.COSIGN_TARGET}}
-          ./${{matrix.COSIGN_TARGET}} verify-blob -key ./.github/workflows/cosign.pub -signature ${{matrix.SGET_TARGET}}.sig ./${{matrix.SGET_TARGET}}
+          ./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign.pub --signature ${{matrix.COSIGN_TARGET}}.sig ./${{matrix.COSIGN_TARGET}}
+          ./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign.pub --signature ${{matrix.SGET_TARGET}}.sig ./${{matrix.SGET_TARGET}}
       - name: Upload artifacts
         if: github.event_name != 'pull_request'
         uses: actions/upload-artifact@v2

.goreleaser.yml

@@ -128,19 +128,19 @@ signs:
   - id: cosign
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux-amd64
-    args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
+    args: ["sign-blob", "--output", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
   - id: cosigned
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux-amd64
-    args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
+    args: ["sign-blob", "--output", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
     ids:
       - linux-cosigned
   - id: sget
     signature: "${artifact}.sig"
     cmd: ./dist/cosign-linux-amd64
-    args: ["sign-blob", "-output", "${artifact}.sig", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
+    args: ["sign-blob", "--output", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
     artifacts: binary
     ids:
       - sget
@@ -219,7 +219,7 @@ docker_manifests:
 
 docker_signs:
   - artifacts: all
-    args: [ "sign", "-key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}" ]
+    args: [ "sign", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}" ]
 
 archives:
 - format: binary

EXAMPLES.md

@@ -8,7 +8,7 @@ Use `cosign` to generate the payload, sign it with `gcloud kms`, then use `cosig
 $ cosign generate us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun > payload.json
 $ gcloud kms asymmetric-sign --digest-algorithm=sha256 --input-file=payload.json --signature-file=gcpkms.sig --key=foo --keyring=foo --version=1 --location=us-central
 # We have to base64 encode the signature
-$ cat gcpkms.sig | base64 | cosign attach signature -signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
+$ cat gcpkms.sig | base64 | cosign attach signature --signature - us-central1-docker.pkg.dev/dlorenc-vmtest2/test/taskrun
 ```
 
 Now (on another machine) download the public key, payload, signatures and verify it!
@@ -36,9 +36,9 @@ $ cosign generate us.gcr.io/dlorenc-vmtest2/demo > payload.json
 $ openssl dgst -sha256 -sign openssl.key -out payload.sig payload.json
 $ cat payload.sig | base64 > payloadbase64.sig
 # Upload the signature
-$ cosign attach signature -payload payload.json -signature payloadbase64.sig  us.gcr.io/dlorenc-vmtest2/demo
+$ cosign attach signature --payload payload.json --signature payloadbase64.sig us.gcr.io/dlorenc-vmtest2/demo
 # Verify!
-$ cosign verify -key openssl.pub us.gcr.io/dlorenc-vmtest2/demo
+$ cosign verify --key openssl.pub us.gcr.io/dlorenc-vmtest2/demo
 Verification for us.gcr.io/dlorenc-vmtest2/demo --
 The following checks were performed on each of these signatures:
   - The cosign claims were validated

FUN.md

@@ -10,13 +10,13 @@ Think again!
 Sign the commits and store the signatures and public keys somewhere else.
 
 ```
-$ ./cosign sign-blob -key cosign.key <(git rev-parse HEAD)
+$ ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
 Using payload from: /dev/fd/63
 Enter password for private key:
 MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM=
 $ git rev-parse HEAD
 455d1988360dcfdcf0fa17b0736fbbc33b4924c0
-$ ./cosign verify-blob -key cosign.pub -signature MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM= <(git rev-parse HEAD)
+$ ./cosign verify-blob --key cosign.pub --signature MEUCIQDLtTbCRCW+o7Gt3WKR4b2UqT947L8JtYzQJk+R8PItxgIgXoYQg1YXw8xDmGWun6wIG2t+/J0HJs9SbscnSLMNWsM= <(git rev-parse HEAD)
 Verified OK
 ```
 
@@ -25,12 +25,12 @@ Verified OK
 Store the signature in the repo as notes, store the public key somewhere else.
 
 ```
-$ ./cosign sign-blob -key cosign.key <(git rev-parse HEAD)
+$ ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
 Using payload from: /dev/fd/63
 Enter password for private key:
 MEQCIHXN31pDrZBxs+m/HrcFruavv++oMc+pBZKgl7Hps9jjAiA9QE5uzpFNC5SGpdr4TJuCwh47C24Hwt4yHICae0J1bw==
 $ git notes add -m "MEQCIHXN31pDrZBxs+m/HrcFruavv++oMc+pBZKgl7Hps9jjAiA9QE5uzpFNC5SGpdr4TJuCwh47C24Hwt4yHICae0J1bw==" HEAD
-$ ./cosign verify-blob -key cosign.pub -signature <(git notes show HEAD) <(git rev-parse HEAD)
+$ ./cosign verify-blob --key cosign.pub --signature <(git notes show HEAD) <(git rev-parse HEAD)
 Verified OK
 ```
 
@@ -40,7 +40,7 @@ Verified OK
 Store the signature in the Transparency Log, and store the public key somewhere else.
 
 ```
-$ COSIGN_EXPERIMENTAL=1 ./cosign sign-blob -key cosign.key <(git rev-parse HEAD)
+$ COSIGN_EXPERIMENTAL=1 ./cosign sign-blob --key cosign.key <(git rev-parse HEAD)
 Using payload from: /dev/fd/63
 Enter password for private key:
 MEYCIQDWX6RjU0Z2ynd1CdiAwo/JaC2Z5+vdx8H5spuDNu/r5wIhAPnP+87+knFEwbE8FgeXCrgkjWal3aBsNR3IVaBDT2XU
@@ -52,7 +52,7 @@ Now find it from the log:
 ```
 $ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
 $ sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.RekordObj.signature.content)
-$ cosign verify-blob -key cosign.pub -signature <(echo $sig) <(git rev-parse HEAD)
+$ cosign verify-blob --key cosign.pub --signature <(echo $sig) <(git rev-parse HEAD)
 Verified OK
 ```
 

KMS.md

@@ -14,17 +14,17 @@ The URI path syntax is provider specific and explained in the section for each p
 
 ### Key Generation and Management
 
-To generate keys using a KMS provider, you can use the `cosign generate-key-pair` command with the `-kms` flag.
+To generate keys using a KMS provider, you can use the `cosign generate-key-pair` command with the `--kms` flag.
 For example:
 
 ```shell
-$ cosign generate-key-pair -kms <some provider>://<some key>
+$ cosign generate-key-pair --kms <some provider>://<some key>
 ```
 
 The public key can be retrieved with:
 
 ```shell
-$ cosign public-key -key <some provider>://<some key>
+$ cosign public-key --key <some provider>://<some key>
 -----BEGIN PUBLIC KEY-----
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXc+DQU8Pb7Xo2RWCjFG/f6qbdABN
 jnVtSyKZxNzBfNMLLtVxdu8q+AigrGCS2KPmejda9bICTcHQCRUrD5OLGQ==
@@ -33,13 +33,13 @@ jnVtSyKZxNzBfNMLLtVxdu8q+AigrGCS2KPmejda9bICTcHQCRUrD5OLGQ==
 
 ### Signing and Verification
 
-To sign and verify using a key managed by a KMS provider, you can pass a provider-specific URI to the `-key` command:
+To sign and verify using a key managed by a KMS provider, you can pass a provider-specific URI to the `--key` command:
 
 ```shell
-$ cosign sign -key <some provider>://<some key> gcr.io/dlorenc-vmtest2/demo
+$ cosign sign --key <some provider>://<some key> gcr.io/dlorenc-vmtest2/demo
 Pushing signature to: gcr.io/dlorenc-vmtest2/demo:sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.cosign
 
-$ cosign verify -key <some provider>://<some key> gcr.io/dlorenc-vmtest2/demo
+$ cosign verify --key <some provider>://<some key> gcr.io/dlorenc-vmtest2/demo
 
 Verification for gcr.io/dlorenc-vmtest2/demo --
 The following checks were performed on each of these signatures:
@@ -53,8 +53,8 @@ The following checks were performed on each of these signatures:
 You can also export the public key and verify against that file:
 
 ```shell
-$ cosign public-key -key <some provider>://<some key> > kms.pub
-$ cosign verify -key kms.pub gcr.io/dlorenc-vmtest2/demo
+$ cosign public-key --key <some provider>://<some key> > kms.pub
+$ cosign verify --key kms.pub gcr.io/dlorenc-vmtest2/demo
 ```
 
 ### Providers
@@ -173,5 +173,5 @@ $ vault secrets enable transit
 If you enabled `transit` secret engine at different path with the use of `-path` flag (i.e., `$ vault secrets enable -path="someotherpath" transit`), you can use `TRANSIT_SECRET_ENGINE_PATH` environment variable to specify this path while generating a key pair like the following:
 
 ```shell
-$ TRANSIT_SECRET_ENGINE_PATH="someotherpath" cosign generate-key-pair -kms hashivault://testkey
+$ TRANSIT_SECRET_ENGINE_PATH="someotherpath" cosign generate-key-pair --kms hashivault://testkey
 ```

Makefile

@@ -108,11 +108,11 @@ ko-local:
 
 .PHONY: sign-container
 sign-container: ko
-	cosign sign -key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosign:$(GIT_HASH)
+	cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosign:$(GIT_HASH)
 
 .PHONY: sign-cosigned
 sign-cosigned:
-	cosign sign -key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosigned:$(GIT_HASH)
+	cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosigned:$(GIT_HASH)
 
 # used when releasing together with GCP CloudBuild
 .PHONY: release

README.md

@@ -116,7 +116,7 @@ Public key written to cosign.pub
 ### Sign a container and store the signature in the registry
 
 ```shell
-$ cosign sign -key cosign.key dlorenc/demo
+$ cosign sign --key cosign.key dlorenc/demo
 Enter password for private key:
 Pushing signature to: index.docker.io/dlorenc/demo:sha256-87ef60f558bad79beea6425a3b28989f01dd417164150ab3baab98dcbf04def8.sig
 ```
@@ -136,7 +136,7 @@ Note that these signed payloads include the digest of the container image, which
 sure these "detached" signatures cover the correct image.
 
 ```shell
-$ cosign verify -key cosign.pub dlorenc/demo
+$ cosign verify --key cosign.pub dlorenc/demo
 The following checks were performed on these signatures:
   - The cosign claims were validated
   - The signatures were verified against the specified public key
@@ -221,7 +221,7 @@ curl -L gcr.io/v2/dlorenc-vmtest2/artifact/blobs/sha256:97f16c28f6478f3c02d7fff4
 You can sign it with the normal `cosign sign` command and flags:
 
 ```shell
-cosign sign -key cosign.key gcr.io/dlorenc-vmtest2/artifact
+cosign sign --key cosign.key gcr.io/dlorenc-vmtest2/artifact
 Enter password for private key:
 Pushing signature to: gcr.io/dlorenc-vmtest2/artifact:sha256-3f612a4520b2c245d620d0cca029f1173f6bea76819dde8543f5b799ea3c696c.sig
 ```
@@ -271,7 +271,7 @@ Creating Tekton Bundle:
         - Added TaskRun:  to image
 
 Pushed Tekton Bundle to us.gcr.io/dlorenc-vmtest2/pipeline@sha256:124e1fdee94fe5c5f902bc94da2d6e2fea243934c74e76c2368acdc8d3ac7155
-$ cosign sign -key cosign.key us.gcr.io/dlorenc-vmtest2/pipeline:latest
+$ cosign sign --key cosign.key us.gcr.io/dlorenc-vmtest2/pipeline:latest
 Enter password for private key:
 tlog entry created with index: 5086
 Pushing signature to: us.gcr.io/dlorenc-vmtest2/demo:sha256-124e1fdee94fe5c5f902bc94da2d6e2fea243934c74e76c2368acdc8d3ac7155.sig
@@ -285,7 +285,7 @@ Cosign can upload these using the `cosign wasm upload` command:
 
 ```shell
 $ cosign upload wasm -f hello.wasm us.gcr.io/dlorenc-vmtest2/wasm
-$ cosign sign -key cosign.key us.gcr.io/dlorenc-vmtest2/wasm
+$ cosign sign --key cosign.key us.gcr.io/dlorenc-vmtest2/wasm
 Enter password for private key:
 tlog entry created with index: 5198
 Pushing signature to: us.gcr.io/dlorenc-vmtest2/wasm:sha256-9e7a511fb3130ee4641baf1adc0400bed674d4afc3f1b81bb581c3c8f613f812.sig
@@ -299,7 +299,7 @@ The specification for these is defined [here](https://github.com/in-toto/attesta
 You can create and sign one from a local predicate file using the following commands:
 
 ```shell
-$ cosign attest -predicate <file> -key cosign.pub <image>
+$ cosign attest --predicate <file> --key cosign.pub <image>
 ```
 
 All of the standard key management systems are supported.
@@ -308,7 +308,7 @@ Payloads are signed using the DSSE signing spec, defined [here](https://github.c
 To verify:
 
 ```shell
-$ cosign verify-attestation -key cosign.pub <image>
+$ cosign verify-attestation --key cosign.pub <image>
 ```
 
 ## Detailed Usage
@@ -345,7 +345,7 @@ Today, `cosign` has been tested and works against the following registries:
 
 We aim for wide registry support. To `sign` images in registries which do not yet fully support [OCI media types](https://github.com/sigstore/cosign/blob/main/SPEC.md#object-types), one may need to use `COSIGN_DOCKER_MEDIA_TYPES` to fall back to legacy equivalents. For example:
 ```shell
-COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign -key cosign.key legacy-registry.example.com/my/image
+COSIGN_DOCKER_MEDIA_TYPES=1 cosign sign --key cosign.key legacy-registry.example.com/my/image
 ```
 
 Please help test and file bugs if you see issues!
@@ -358,8 +358,8 @@ To publish signed artifacts to a Rekor transparency log and verify their existen
 set the `COSIGN_EXPERIMENTAL=1` environment variable.
 
 ```shell
-COSIGN_EXPERIMENTAL=1 cosign sign -key cosign.key dlorenc/demo
-COSIGN_EXPERIMENTAL=1 cosign verify -key cosign.pub dlorenc/demo
+COSIGN_EXPERIMENTAL=1 cosign sign --key cosign.key dlorenc/demo
+COSIGN_EXPERIMENTAL=1 cosign verify --key cosign.pub dlorenc/demo
 ```
 
 `cosign` defaults to using the public instance of rekor at [rekor.sigstore.dev](https://rekor.sigstore.dev).
@@ -508,15 +508,15 @@ Digest: sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
 Now sign it! Using `cosign` of course:
 
 ```shell
-$ cosign sign -key cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact@sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
+$ cosign sign --key cosign.key us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact@sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
 Enter password for private key:
 Pushing signature to: us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact:sha256-551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef.sig
 ```
 
 Finally, verify `cosign` with `cosign` again:
 
 ```shell
-$ cosign verify -key cosign.pub  us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact@sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
+$ cosign verify --key cosign.pub  us-central1-docker.pkg.dev/dlorenc-vmtest2/test/artifact@sha256:551e6cce7ed2e5c914998f931b277bc879e675b74843e6f29bc17f3b5f692bef
 The following checks were performed on each of these signatures:
   - The cosign claims were validated
   - The claims were present in the transparency log
@@ -599,17 +599,17 @@ run something like:
 ```shell
 $ TAG=sign-me
 $ DGST=$(crane digest dlorenc/demo:$TAG)
-$ cosign sign -key cosign.key -a tag=$TAG dlorenc/demo@$DGST
+$ cosign sign --key cosign.key -a tag=$TAG dlorenc/demo@$DGST
 Enter password for private key:
 Pushing signature to: dlorenc/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig
 ```
 
 Then you can verify that the tag->digest mapping is also covered in the signature, using the `-a` flag to `cosign verify`.
-This example verifes that the digest `$TAG` points to (`sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36`)
+This example verifies that the digest `$TAG` points to (`sha256:97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36`)
 has been signed, **and also** that the `$TAG`:
 
 ```shell
-$ cosign verify -key cosign.pub -a tag=$TAG dlorenc/demo:$TAG | jq .
+$ cosign verify --key cosign.pub -a tag=$TAG dlorenc/demo:$TAG | jq .
 {
   "Critical": {
     "Identity": {
@@ -693,10 +693,10 @@ it to act as an attestation to the **signature(s) themselves**.
 Before we sign the signature artifact, we first give it a memorable name so we can find it later.
 
 ```shell
-$ cosign sign -key cosign.key -a sig=original dlorenc/demo
+$ cosign sign --key cosign.key -a sig=original dlorenc/demo
 Enter password for private key:
 Pushing signature to: dlorenc/demo:sha256-97fc222cee7991b5b061d4d4afdb5f3428fcb0c9054e1690313786befa1e4e36.sig
-$ cosign verify -key cosign.pub dlorenc/demo | jq .
+$ cosign verify --key cosign.pub dlorenc/demo | jq .
 {
   "Critical": {
     "Identity": {
@@ -718,10 +718,10 @@ Now give that signature a memorable name, then sign that:
 ```shell
 $ crane tag $(cosign triangulate dlorenc/demo) mysignature
 2021/02/15 20:22:55 dlorenc/demo:mysignature: digest: sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e size: 556
-$ cosign sign -key cosign.key -a sig=counter dlorenc/demo:mysignature
+$ cosign sign --key cosign.key -a sig=counter dlorenc/demo:mysignature
 Enter password for private key:
 Pushing signature to: dlorenc/demo:sha256-71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e.sig
-$ cosign verify -key cosign.pub dlorenc/demo:mysignature
+$ cosign verify --key cosign.pub dlorenc/demo:mysignature
 {"Critical":{"Identity":{"docker-reference":""},"Image":{"Docker-manifest-digest":"71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e"},"Type":"cosign container image signature"},"Optional":{"sig":"counter"}}
 ```
 
@@ -751,5 +751,5 @@ $ crane manifest dlorenc/demo@sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa2
 
 ## Security
 
-Should you discover any security issues, please refer to sigstores [security
+Should you discover any security issues, please refer to sigstore's [security
 process](https://github.com/sigstore/community/blob/main/SECURITY.md)