From 85f9cfdccb083265a3575d3f38b3962680fb8364 Mon Sep 17 00:00:00 2001
From: Phill MV
Date: Thu, 12 Dec 2024 16:56:02 -0500
Subject: [PATCH] further tweaks to the long description
---
 pkg/cmd/attestation/inspect/inspect.go | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/pkg/cmd/attestation/inspect/inspect.go b/pkg/cmd/attestation/inspect/inspect.go
index fad33dca2..7a1e58f5e 100644
--- a/pkg/cmd/attestation/inspect/inspect.go
+++ b/pkg/cmd/attestation/inspect/inspect.go
@@ -37,14 +37,17 @@ func NewInspectCmd(f *cmdutil.Factory, runF func(*Options) error) *cobra.Command
 associated with your artifact(s), see the %[1]sgh at download%[1]s command.
 
 Given a .json or .jsonl file, this command will:
- - check the bundles' "authenticity", i.e. whether we have the trusted materials to
- verify the included certificates, transparency logs entries and signed timestamps,
- and whether the included signatures match the certificate's key.
- - if a bundle contains a certificate, we also:
- - denote whether the certificate was issued by GitHub or by Sigstore's Public
- Good Instance (PGI)
- - provide a certificate summary
- - extract the bundle's statement and predicate
+ - Extract the bundle's statement and predicate
+ - Provide a certificate summary, if present, and indicate whether the cert
+ was issued by GitHub or by Sigstore's Public Good Instance (PGI)
+ - Check the bundles' "authenticity"
+
+ For our purposes, a bundle is authentic if we have the trusted materials to
+ verify the included certificate(s), transparency log entries, and signed
+ timestamps, and if the included signatures match the provided public key.
+
+ This command cannot be used to verify a bundle. To verify a bundle, see the
+ %[1]sgh at verify%[1]s command.
 
 By default, this command prints a condensed table. To see full results,
 provide the %[1]s--format=json%[1]s flag.
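Review bot: The new line `timestamps, and if the included signatures match the provided public key.` replaces the earlier "match the certificate's key", and nothing in the hunk shows inspect accepting a user-supplied key, so "provided" may read as if the caller passes one in. If the signature check is against the key carried in the bundle's own certificate, `timestamps, and if the included signatures match the key in the bundle's certificate.` preserves the earlier, more precise statement; if a caller-supplied key really is consulted, the help text should say where it comes from. The added sentence that this command cannot verify a bundle is the important caveat here, since a reader could otherwise treat an "authentic" result in the condensed table as equivalent to verification; consider placing it directly after the "authenticity" bullet rather than two paragraphs later. The body of NewInspectCmd begins and ends outside the hunk.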