in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

chore: Add install tutorial with cosign check #506

Open matglas opened 1 month ago

matglas commented 1 month ago

What this PR does / why we need it

Add install tutorial with cosign check. This allows people to install and verify the witness release. The additional pem output is needed to allow cosign verify-blob to work.

The information that is in there is inspired by gittuf documentation that had it in there already. Thanks @adityasaky.

Which issue(s) this PR fixes (optional)

Fixes

Acceptance Criteria Met

Special notes for your reviewer:

It could be an option to move the INSTALL.md to the docs folder and make it part of the website too. Open for feedback.
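The verification step the tutorial describes, as an added example that is not part of this PR or of the witness project's own install script: a POSIX shell function that checks cosign and the downloaded files are present, then runs cosign verify-blob against the release binary, its detached signature and the signing certificate (.pem). The asset file names, the signer identity regexp and the OIDC issuer are assumed placeholders, not values taken from the page.

```shell
#!/bin/sh
# Added example (not from the PR): verify a downloaded witness release binary
# against its detached cosign signature and the signing certificate (.pem).
# Assumptions (placeholders, not from the page): asset file names, the expected
# signer identity regexp and the OIDC issuer of the release workflow.
set -u

# Returns 0 if the blob verifies, 2 if cosign is missing, 3 if an input file
# is missing, otherwise cosign's own non-zero exit status.
verify_witness_release() {
    blob=$1; sig=$2; cert=$3; identity_re=$4; issuer=$5
    if ! command -v cosign >/dev/null 2>&1; then
        echo "cosign not found; install it before verifying" >&2
        return 2
    fi
    for f in "$blob" "$sig" "$cert"; do
        if [ ! -f "$f" ]; then
            echo "missing input: $f" >&2
            return 3
        fi
    done
    # Keyless (Sigstore) verification: the certificate must chain to Fulcio and
    # match the expected identity and issuer, and the signature must match.
    cosign verify-blob \
        --certificate "$cert" \
        --signature "$sig" \
        --certificate-identity-regexp "$identity_re" \
        --certificate-oidc-issuer "$issuer" \
        "$blob"
}

# Example invocation (run as: sh verify.sh run). The identity regexp and issuer
# are assumed values; replace them with what the release workflow really uses.
if [ "${1:-}" = "run" ]; then
    verify_witness_release \
        ./witness ./witness.sig ./witness.pem \
        '^https://github.com/in-toto/witness/' \
        'https://token.actions.githubusercontent.com' \
    && echo "witness release verified; safe to install" \
    || { echo "verification FAILED; do not install" >&2; exit 1; }
fi
```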

netlify[bot] commented 1 month ago

Deploy Preview for witness-project ready!

Latest commit: c8895d64e51d7d9d5ade6b4a6bd18e92b8346421
Latest deploy log: https://app.netlify.com/sites/witness-project/deploys/670938bf9026e6000847fcb0
Deploy Preview: https://deploy-preview-506--witness-project.netlify.app

kairoaraujo commented 1 month ago

IMO, this should be the way we install using our install-witness.sh 😄

Of course, giving users details on installing it without the script is always good for clarity. A lot of folks don't like executing scripts blindly (even more folks from security 🤣 )

jkjell commented 1 month ago

With #508 merged, we can test after the next release is cut and merge the docs. 🎉

adityasaky commented 1 month ago

> IMO, this should be the way we install using our install-witness.sh 😄

Personally, I think it might be better to get rid of this script. In the script, we can't assume people have cosign installed (the right way) either, so overall it's quite complicated to get it right. I think perhaps pointing to brew.sh etc might be more appropriate alongside the downloading pre-built binary + sig check steps added in this PR. Maybe we also get it listed on winget? cc @patzielinski who oversaw that for gittuf recently.

patzielinski commented 1 month ago

This looks to be a self-contained binary, so getting Witness onto Winget should be trivial. Note that version update pull requests need to be manually submitted to the Winget repo unlike Homebrew (unless a workflow is added to CI to automatically open PRs upon release - this requires a PAT to my knowledge)

See the manifests for gittuf here: https://github.com/microsoft/winget-pkgs/tree/master/manifests/g/gittuf/gittuf/0.6.2