From 78dabf31d6d487ab71e0fe1449a7ddc63f20ff02 Mon Sep 17 00:00:00 2001
From: Matthias Glastra
Date: Wed, 2 Oct 2024 12:42:11 +0200
Subject: [PATCH] chore: Add install tutorial with cosign check.

Signed-off-by: Matthias Glastra
---
 .goreleaser.yaml | 3 +++
 INSTALL.md | 39 +++++++++++++++++++++++++++++++++++++++
 README.md | 2 ++
 3 files changed, 44 insertions(+)
 create mode 100644 INSTALL.md

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 4c79c450..e0f21b3e 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -23,9 +23,12 @@ source:
   enabled: true
 signs:
   - cmd: cosign
+    certificate: '${artifact}.pem'
+    signature: '${artifact}.sig'
     args:
       - "sign-blob"
       - "--output-signature=${signature}"
+      - '--output-certificate=${certificate}'
       - "${artifact}"
       - "--yes" # needed on cosign 2.0.0+
     artifacts: all
diff --git a/INSTALL.md b/INSTALL.md
new file mode 100644
index 00000000..e5b4284e
--- /dev/null
+++ b/INSTALL.md
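Review bot: The new `certificate: '${artifact}.pem'` line adds a release asset that downstream verification depends on, but nothing in the hunk records that the `.pem` is consumed by `cosign verify-blob` together with a pinned `--certificate-identity`, so a later change to the signing workflow, the file naming or the `sign-blob` flags can silently break verification for every user. I would add a comment above `certificate:` such as `# Fulcio certificate published next to each .sig; INSTALL.md verifies it with --certificate-identity pinned to the release workflow, keep both in sync`. Note also that `sign-blob` is invoked without `--bundle`, so verifiers must reach Rekor online at verify time; if offline or air-gapped verification matters, emitting a bundle (`--bundle=${artifact}.bundle`) would ship the inclusion proof with the release, though the cosign version in use is not visible here. The `signs:` block's surroundings (the `source:` key before it and whatever follows `artifacts: all`) lie outside the hunk.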
@@ -0,0 +1,39 @@ +# Install Witness manually and verify + +> [!NOTE] +> Please use release v0.7.0 or higher, as prior releases were created to +> test the release workflow. + +This repository provides pre-built binaries that are signed and published using +[GoReleaser]. The signature for these binaries are generated using [Sigstore], +using the release workflow's identity. Make sure you have [cosign] installed on +your system, then you will be able to securely download and verify the gittuf +release: + +## Unix-like operating systems + +```sh +# Modify these values as necessary. +# One of: amd64, arm64 +ARCH=amd64 +# One of: linux, darwin, freebsd +OS=linux +# See https://github.com/in-toto/witness/releases for the latest version +VERSION=0.6.0 +cd $(mktemp -d) + +curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH} +curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}.sig +curl -LO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}.pem + +cosign verify-blob \ + --certificate witness_${VERSION}_${OS}_${ARCH}.pem \ + --signature witness_${VERSION}_${OS}_${ARCH}.sig \ + --certificate-identity https://github.com/in-toto/witness/.github/workflows/release.yml@refs/tags/v${VERSION} \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + witness_${VERSION}_${OS}_${ARCH} + +sudo install witness_${VERSION}_${OS}_${ARCH} /usr/local/bin/witness +cd - +witness version +``` diff --git a/README.md b/README.md index 70d3c8cc..80d2755b 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,8 @@ latest release: bash <(curl -s https://raw.githubusercontent.com/in-toto/witness/main/install-witness.sh) ``` +If you want install it manually and verify its integrity follow the instructions in the [INSTALL.md](./INSTALL.md). + ### Tutorials Check out our Tutorials:
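Review bot: In the Unix-like snippet a failed `cosign verify-blob` does not stop the script, so when the block is pasted into a shell the following `sudo install … /usr/local/bin/witness` still runs and an unverified binary is installed; put `set -euo pipefail` at the top of the block (or chain the verify and install steps with `&&`). Two details also undermine the check as written: `VERSION=0.6.0` contradicts the note above asking for v0.7.0 or higher, and because the `.pem` is only produced by the .goreleaser.yaml change in this same commit, `curl -LO` without `-f` would save a 404 body as the certificate file instead of failing. The phrase "verify the gittuf release" should read "verify the witness release". The `--certificate-identity` value presumes signing runs in `.github/workflows/release.yml` on tag refs, which this diff does not show; confirm it against the workflow, since a mismatch makes verification fail for everyone.
```sh
set -euo pipefail
# … unchanged: ARCH / OS selection …
# See https://github.com/in-toto/witness/releases for the latest version
VERSION=0.7.0
cd $(mktemp -d)

curl -fLO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}
curl -fLO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}.sig
curl -fLO https://github.com/in-toto/witness/releases/download/v${VERSION}/witness_${VERSION}_${OS}_${ARCH}.pem
# … unchanged: cosign verify-blob …, sudo install …, witness version …
```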