diff --git a/pkg/cmd/release/verify-asset/verify_asset.go b/pkg/cmd/release/verify-asset/verify_asset.go index cad436eaa..43cdec990 100644 --- a/pkg/cmd/release/verify-asset/verify_asset.go +++ b/pkg/cmd/release/verify-asset/verify_asset.go @@ -40,23 +40,16 @@ func NewCmdVerifyAsset(f *cmdutil.Factory, runF func(*VerifyAssetConfig) error) cmd := &cobra.Command{ Use: "verify-asset [] ", - Short: "Verify that a given asset originated from a specific GitHub Release.", + Short: "Verify that a given asset originated from a release", Long: heredoc.Doc(` Verify that a given asset file originated from a specific GitHub Release using cryptographically signed attestations. - ## Understanding Verification - An attestation is a claim made by GitHub regarding a release and its assets. - ## What This Command Does - - This command checks that the asset you provide matches an attestation produced by GitHub for a particular release. - It ensures the asset's integrity by validating: - * The asset's digest matches the subject in the attestation - * The attestation is associated with the specified release + This command checks that the asset you provide matches a valid attestation for the specified release (or the latest release, if no tag is given). + It ensures the asset's integrity by validating that the asset's digest matches the subject in the attestation and that the attestation is associated with the release. `), - Hidden: true, - Args: cobra.MaximumNArgs(2), + Args: cobra.MaximumNArgs(2), Example: heredoc.Doc(` # Verify an asset from the latest release $ gh release verify-asset ./dist/my-asset.zip diff --git a/pkg/cmd/release/verify/verify.go b/pkg/cmd/release/verify/verify.go index f0b92677a..2654977f7 100644 --- a/pkg/cmd/release/verify/verify.go +++ b/pkg/cmd/release/verify/verify.go 
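Review bot: With `Hidden: true` removed in NewCmdVerifyAsset, `Args: cobra.MaximumNArgs(2)` still accepts an invocation with no arguments, although the example in this hunk passes an asset path. If the path is required, `Args: cobra.RangeArgs(1, 2)` would reject the empty call at argument validation rather than relying on a later check. Whether the run function already handles a missing path cannot be seen here, because the function body continues outside the hunk. Since scripts may now call this public verification command, the Long text could also state how a failed verification is reported (for example a non-zero exit status, if that is the behaviour), so callers do not treat printed output as success.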
@@ -41,21 +41,16 @@ func NewCmdVerify(f *cmdutil.Factory, runF func(config *VerifyConfig) error) *co opts := &VerifyOptions{} cmd := &cobra.Command{ - Use: "verify []", - Short: "Verify the attestation for a GitHub Release.", - Hidden: true, - Args: cobra.MaximumNArgs(1), + Use: "verify []", + Short: "Verify the attestation for a release", + Args: cobra.MaximumNArgs(1), Long: heredoc.Doc(` Verify that a GitHub Release is accompanied by a valid cryptographically signed attestation. - ## Understanding Verification - An attestation is a claim made by GitHub regarding a release and its assets. - ## What This Command Does - - This command checks that the specified release (or the latest release, if no tag is given) has a valid attestation. - It fetches the attestation for the release and prints out metadata about all assets referenced in the attestation, including their digests. + This command checks that the specified release (or the latest release, if no tag is given) has a valid attestation. + It fetches the attestation for the release and prints metadata about all assets referenced in the attestation, including their digests. `), Example: heredoc.Doc(` # Verify the latest release