Outdated docs on trivy binary verification

[chludwig-haufe]

Description

The doc section Getting Started / Signatuire Verification / Verifying binary says: "Download the required tarball, associated signature and certificate files from the GitHub Release."

However, since release v0.68.1 (more specifically: PR #9863), the release does not contain the signature and certificate files anymore. Instead, the release includes the new cosign signature bundles.

By digging through the GitHub workflow files in the trivy repository, I eventually managed to verify a binary of the release as follows:

$ cosign verify-blob-attestation trivy_0.68.1_Linux-64bit.tar.gz --bundle trivy_0.68.1_Linux-64bit.tar.gz.sigstore.json --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v0.68.1'
Verified OK

Link

https://trivy.dev/docs/latest/getting-started/signature-verification/#verifying-binary

Suggestions

Since trivy v0.68, the release generates sigstore v0.3 signature bundles.
Download the required tarball and the associated bundle JSON file from the GitHub Release.

Use the following command for keyless verification:

cosign verify-blob-attestation  <path to binary> \
    --bundle <path to bundle> \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/<release tag>'

For instance, to verify trivy_0.68.1_Linux-64bit.tar.gz:

cosign verify-blob-attestation trivy_0.68.1_Linux-64bit.tar.gz \
    --bundle trivy_0.68.1_Linux-64bit.tar.gz.sigstore.json \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v0.68.1'

You should get the following output:

Verified OK

[knqyf263]

Thanks for letting us know. Created #9920