Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Add install tutorial with cosign check #506

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: Add install tutorial with cosign check #506

wants to merge 1 commit into from
+41 −0

Conversation

matglas
Copy link
Contributor

@matglas matglas commented Oct 2, 2024
edited
Loading

What this PR does / why we need it

Add install tutorial with cosign check. This allows people to install and verify the witness release. The additional pem output is needed to allow cosign verify-blob to work.

The information that is in there is inspired by gittuf documentation that had it in there already. Thanks @adityasaky.

Which issue(s) this PR fixes (optional)

Fixes

Acceptance Criteria Met

  • Docs changes if needed
  • Testing changes if needed
  • All workflow checks passing (automatically enforced)
  • All review conversations resolved (automatically enforced)
  • DCO Sign-off

Special notes for your reviewer:

It could be an option to move the INSTALL.md to the docs folder and make it part of the website too. Open for feedback.

@netlify Netlify
Copy link

netlify bot commented Oct 2, 2024
edited
Loading

Deploy Preview for witness-project ready!

Name Link
🔨 Latest commit c8895d6
🔍 Latest deploy log https://app.netlify.com/sites/witness-project/deploys/670938bf9026e6000847fcb0
😎 Deploy Preview https://deploy-preview-506--witness-project.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@kairoaraujo
Copy link
Collaborator

IMO, this should be the way we install using our install-witness.sh 😄

Of course, giving users details on installing it without the script is always good for clarity. A lot of folks don't like executing scripts blindly (even more folks from security 🤣 )

@matglas @jkjell
chore: Add install tutorial with cosign check.
c8895d6 
Signed-off-by: Matthias Glastra <matglas.git@gmail.com>
@jkjell
Copy link
Member

jkjell commented Oct 11, 2024

With #508 merged, we can test after the next release is cut and merge the docs. 🎉

@adityasaky
Copy link
Member

IMO, this should be the way we install using our install-witness.sh 😄

Personally, I think it might be better to get rid of this script. In the script, we can't assume people have cosign installed (the right way) either, so overall it's quite complicated to get it right. I think perhaps pointing to brew.sh etc might be more appropriate alongside the downloading pre-built binary + sig check steps added in this PR. Maybe we also get it listed on winget? cc @patzielinski who oversaw that for gittuf recently.

@patzielinski
Copy link

This looks to be a self-contained binary, so getting Witness onto Winget should be trivial. Note that version update pull requests need to be manually submitted to the Winget repo unlike Homebrew (unless a workflow is added to CI to automatically open PRs upon release - this requires a PAT to my knowledge)

See the manifests for gittuf here: https://github.com/microsoft/winget-pkgs/tree/master/manifests/g/gittuf/gittuf/0.6.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
next release
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@matglas @kairoaraujo @jkjell @adityasaky @patzielinski