diff --git a/docs/docs/workflows/sbom.md b/docs/docs/workflows/sbom.md index 9ef6eb65c..ee8a00426 100644 --- a/docs/docs/workflows/sbom.md +++ b/docs/docs/workflows/sbom.md @@ -11,13 +11,15 @@ SBOMs for Constellation are generated using [Syft](https://github.com/anchore/sy :::note The public key for Edgeless Systems' long-term code-signing key is: + ``` -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== -----END PUBLIC KEY----- ``` -The public key is also available for download at https://edgeless.systems/es.pub and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). + +The public key is also available for download at and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). Make sure the key is available in a file named `cosign.pub` to execute the following examples. ::: @@ -38,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/docs/workflows/verify-cli.md b/docs/docs/workflows/verify-cli.md index 1280c51b0..806e171a0 100644 --- a/docs/docs/workflows/verify-cli.md +++ b/docs/docs/workflows/verify-cli.md @@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in --- -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -54,7 +54,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.0/workflows/verify-cli.md b/docs/versioned_docs/version-2.0/workflows/verify-cli.md index 0a52fedd4..75f487c86 100644 --- a/docs/versioned_docs/version-2.0/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.0/workflows/verify-cli.md @@ -1,6 +1,6 @@ # Verify the CLI -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -46,7 +46,7 @@ Verified OK ## Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.1/workflows/verify-cli.md b/docs/versioned_docs/version-2.1/workflows/verify-cli.md index 0a52fedd4..75f487c86 100644 --- a/docs/versioned_docs/version-2.1/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.1/workflows/verify-cli.md @@ -1,6 +1,6 @@ # Verify the CLI -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -46,7 +46,7 @@ Verified OK ## Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.10/workflows/sbom.md b/docs/versioned_docs/version-2.10/workflows/sbom.md index 9ef6eb65c..ee8a00426 100644 --- a/docs/versioned_docs/version-2.10/workflows/sbom.md +++ b/docs/versioned_docs/version-2.10/workflows/sbom.md @@ -11,13 +11,15 @@ SBOMs for Constellation are generated using [Syft](https://github.com/anchore/sy :::note The public key for Edgeless Systems' long-term code-signing key is: + ``` -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw== -----END PUBLIC KEY----- ``` -The public key is also available for download at https://edgeless.systems/es.pub and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). + +The public key is also available for download at and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems). Make sure the key is available in a file named `cosign.pub` to execute the following examples. ::: @@ -38,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.10/workflows/verify-cli.md b/docs/versioned_docs/version-2.10/workflows/verify-cli.md index 1280c51b0..806e171a0 100644 --- a/docs/versioned_docs/version-2.10/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.10/workflows/verify-cli.md @@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in --- -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -54,7 +54,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.2/workflows/sbom.md b/docs/versioned_docs/version-2.2/workflows/sbom.md index ec9834b4f..817f34fdd 100644 --- a/docs/versioned_docs/version-2.2/workflows/sbom.md +++ b/docs/versioned_docs/version-2.2/workflows/sbom.md @@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.2/workflows/verify-cli.md b/docs/versioned_docs/version-2.2/workflows/verify-cli.md index 0a52fedd4..75f487c86 100644 --- a/docs/versioned_docs/version-2.2/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.2/workflows/verify-cli.md @@ -1,6 +1,6 @@ # Verify the CLI -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -46,7 +46,7 @@ Verified OK ## Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.3/workflows/sbom.md b/docs/versioned_docs/version-2.3/workflows/sbom.md index ec9834b4f..817f34fdd 100644 --- a/docs/versioned_docs/version-2.3/workflows/sbom.md +++ b/docs/versioned_docs/version-2.3/workflows/sbom.md @@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.3/workflows/verify-cli.md b/docs/versioned_docs/version-2.3/workflows/verify-cli.md index 4f6008cd0..27087578a 100644 --- a/docs/versioned_docs/version-2.3/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.3/workflows/verify-cli.md @@ -1,6 +1,6 @@ # Verify the CLI -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -46,7 +46,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.4/workflows/sbom.md b/docs/versioned_docs/version-2.4/workflows/sbom.md index ec9834b4f..817f34fdd 100644 --- a/docs/versioned_docs/version-2.4/workflows/sbom.md +++ b/docs/versioned_docs/version-2.4/workflows/sbom.md @@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.4/workflows/verify-cli.md b/docs/versioned_docs/version-2.4/workflows/verify-cli.md index 4f6008cd0..27087578a 100644 --- a/docs/versioned_docs/version-2.4/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.4/workflows/verify-cli.md @@ -1,6 +1,6 @@ # Verify the CLI -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -46,7 +46,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.5/workflows/sbom.md b/docs/versioned_docs/version-2.5/workflows/sbom.md index ec9834b4f..817f34fdd 100644 --- a/docs/versioned_docs/version-2.5/workflows/sbom.md +++ b/docs/versioned_docs/version-2.5/workflows/sbom.md @@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.5/workflows/verify-cli.md b/docs/versioned_docs/version-2.5/workflows/verify-cli.md index 4f6008cd0..27087578a 100644 --- a/docs/versioned_docs/version-2.5/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.5/workflows/verify-cli.md @@ -1,6 +1,6 @@ # Verify the CLI -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -46,7 +46,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.6/workflows/sbom.md b/docs/versioned_docs/version-2.6/workflows/sbom.md index 44b347a55..b87bb8cb4 100644 --- a/docs/versioned_docs/version-2.6/workflows/sbom.md +++ b/docs/versioned_docs/version-2.6/workflows/sbom.md @@ -40,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.6/workflows/verify-cli.md b/docs/versioned_docs/version-2.6/workflows/verify-cli.md index 1280c51b0..806e171a0 100644 --- a/docs/versioned_docs/version-2.6/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.6/workflows/verify-cli.md @@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in --- -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -54,7 +54,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.7/workflows/sbom.md b/docs/versioned_docs/version-2.7/workflows/sbom.md index 44b347a55..b87bb8cb4 100644 --- a/docs/versioned_docs/version-2.7/workflows/sbom.md +++ b/docs/versioned_docs/version-2.7/workflows/sbom.md @@ -40,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.7/workflows/verify-cli.md b/docs/versioned_docs/version-2.7/workflows/verify-cli.md index 1280c51b0..806e171a0 100644 --- a/docs/versioned_docs/version-2.7/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.7/workflows/verify-cli.md @@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in --- -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -54,7 +54,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.8/workflows/sbom.md b/docs/versioned_docs/version-2.8/workflows/sbom.md index c9dc0d5cc..ee8a00426 100644 --- a/docs/versioned_docs/version-2.8/workflows/sbom.md +++ b/docs/versioned_docs/version-2.8/workflows/sbom.md @@ -40,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.8/workflows/verify-cli.md b/docs/versioned_docs/version-2.8/workflows/verify-cli.md index 1280c51b0..806e171a0 100644 --- a/docs/versioned_docs/version-2.8/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.8/workflows/verify-cli.md @@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in --- -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -54,7 +54,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64 diff --git a/docs/versioned_docs/version-2.9/workflows/sbom.md b/docs/versioned_docs/version-2.9/workflows/sbom.md index c9dc0d5cc..ee8a00426 100644 --- a/docs/versioned_docs/version-2.9/workflows/sbom.md +++ b/docs/versioned_docs/version-2.9/workflows/sbom.md @@ -40,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons ### Container Images -SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. +SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry. As a consumer, use cosign to download and verify the SBOM: diff --git a/docs/versioned_docs/version-2.9/workflows/verify-cli.md b/docs/versioned_docs/version-2.9/workflows/verify-cli.md index 1280c51b0..806e171a0 100644 --- a/docs/versioned_docs/version-2.9/workflows/verify-cli.md +++ b/docs/versioned_docs/version-2.9/workflows/verify-cli.md @@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in --- -Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . +Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at . :::note The public key for Edgeless Systems' long-term code-signing key is: @@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical ## Verify the signature -First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: +First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example: ```shell-session $ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64 @@ -54,7 +54,7 @@ Verified OK ### Optional: Manually inspect the transparency log -To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) +To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.) ```shell-session $ rekor-cli search --artifact constellation-linux-amd64