diff --git a/pkg/cmd/attestation/download/download.go b/pkg/cmd/attestation/download/download.go
index 4f3517b0f..dfff7c422 100644
--- a/pkg/cmd/attestation/download/download.go
+++ b/pkg/cmd/attestation/download/download.go
@@ -21,35 +21,39 @@ func NewDownloadCmd(f *cmdutil.Factory) *cobra.Command { downloadCmd := &cobra.Command{ Use: "download [ | oci://]", Args: cobra.ExactArgs(1), - Short: "Download trusted metadata about a binary artifact for offline use", + Short: "Download an artifact's Sigstore bundle(s) for offline use", Long: heredoc.Docf(` - Download trusted metadata about a binary artifact for offline use. + Download an artifact's Sigstore bundle(s) for offline use. - The command accepts either: - * a relative path to a local artifact - * a container image URI (e.g. oci://) + The command requires either: + * a relative path to a local artifact, or + * a container image URI (e.g. %[1]soci://%[1]s) - Note that you must already be authenticated with a container registry - if you provide an OCI image URI as the artifact. + Note that if you provide an OCI URI for the artifact you must already + be authenticated with a container registry. - The command also requires you provide either the %[1]s--owner%[1]s or %[1]s--repo%[1]s flag. - The value of the %[1]s--owner%[1]s flag should be the name of the GitHub organization - that the artifact is associated with. - The value of the %[1]s--repo%[1]s flag should be the name of the GitHub repository - that the artifact is associated with. + In addition, the command also requires either: + * the %[1]s--owner%[1]s flag (e.g. github), or + * the %[1]s--repo%[1]s flag (e.g. github/example). - Metadata is written to a file in the current directory named after the artifact's digest. - For example, if the artifact's digest is "sha256:1234", the metadata will be - written to "sha256:1234.jsonl". + The value of the %[1]s--owner%[1]s flag must match the name of the GitHub + organization that the artifact is associated with. + + The value of the %[1]s--repo%[1]s flag must match the name of the GitHub + repository that the artifact is associated with. 
+ + The corresponding Sigstore bundle(s) will be written to a file in the + current directory named after the artifact's digest. For example, if the + artifact's digest is "sha256:1234", the file will be named "sha256:1234.jsonl". `, "`"), Example: heredoc.Doc(` - # Download trusted metadata for a local artifact associated with a GitHub organization + # Download Sigstore bundle(s) for a local artifact associated with a GitHub organization $ gh attestation download -o - # Download trusted metadata for a local artifact associated with a GitHub repository + # Download Sigstore bundle(s) for a local artifact associated with a GitHub repository $ gh attestation download -R - # Download trusted metadata for an OCI image associated with a GitHub organization + # Download Sigstore bundle(s) for an OCI image associated with a GitHub organization $ gh attestation download oci:// -o `), // PreRunE is used to validate flags before the command is run
@@ -86,7 +90,7 @@ func NewDownloadCmd(f *cmdutil.Factory) *cobra.Command {
 os.Exit(1)
 }
 if err := RunDownload(opts); err != nil {
- opts.Logger.Println(opts.Logger.ColorScheme.Redf("Failed to download the artifact's trusted metadata: %s", err.Error()))
+ opts.Logger.ColorScheme.Redf("Failed to download the artifact's bundle(s): %s", err.Error())
 os.Exit(1)
 }
 },
diff --git a/pkg/cmd/attestation/inspect/inspect.go b/pkg/cmd/attestation/inspect/inspect.go
index ffb663b66..a7902c9f9 100644
--- a/pkg/cmd/attestation/inspect/inspect.go
+++ b/pkg/cmd/attestation/inspect/inspect.go
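Review bot: The new error line in the second hunk (`@@ -86,7 +90,7 @@`) appears to discard the message it formats: the removed line passed the result of `opts.Logger.ColorScheme.Redf(...)` to `opts.Logger.Println`, which suggests Redf returns a string rather than writing it, so after this change a failed download would exit with status 1 and print nothing about why. Nothing on this page shows Redf's signature, but if it does return a string the wrapper should be kept with the new wording: `opts.Logger.Println(opts.Logger.ColorScheme.Redf("Failed to download the artifact's bundle(s): %s", err.Error()))`. If Redf does print on its own, a short comment on that line saying so would keep a later reader from restoring the wrapper. NewDownloadCmd begins before this hunk and its body continues past it.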
@@ -19,35 +19,35 @@ import ( func NewInspectCmd(f *cmdutil.Factory) *cobra.Command { opts := &Options{} inspectCmd := &cobra.Command{ - Use: "inspect [ | oci://]", + Use: "inspect [ | oci://] --bundle ", Args: cobra.ExactArgs(1), - Short: "Inspect an artifact's trusted metadata bundle", + Short: "Inspect a sigstore bundle", Long: heredoc.Docf(` - Inspect downloaded trusted metadata associated with a given artifact. + Inspect a downloaded Sigstore bundle for a given artifact. - The command accepts either: - * a relative path to a local artifact - * a container image URI (e.g. %[1]soci://%[1]s) + The command requires either: + * a relative path to a local artifact, or + * a container image URI (e.g. %[1]soci://%[1]s) - Note that you must already be authenticated with a container registry - if you provide an OCI image URI as the artifact. + Note that if you provide an OCI URI for the artifact you must already + be authenticated with a container registry. - The command also requires you provide the path a local trusted metadata bundle with - the %[1]s--bundle%[1]s flag. - You can download a trusted metadata bundle using the %[1]sdownload%[1]s command. + The command also requires the %[1]s--bundle%[1]s flag, which provides a file + path to a previously downloaded Sigstore bundle. (See also the %[1]sdownload%[1]s + command). By default, the command will print information about the bundle in a table format. If the %[1]s--json-result%[1]s flag is provided, the command will print the information in JSON format. 
`, "`"), Example: heredoc.Doc(` - # Inspect a local artifact bundle and print the results in table format + # Inspect a Sigstore bundle and print the results in table format $ gh attestation inspect --bundle - # Inspect a local artifact bundle and print the results in JSON format + # Inspect a Sigstore bundle and print the results in JSON format $ gh attestation inspect --bundle --json-result - # Inspect an OCI image bundle and print the results in table format + # Inspect a Sigsore bundle for an OCI artifact, and print the results in table format $ gh attestation inspect oci:// --bundle `), PreRunE: func(cmd *cobra.Command, args []string) error {
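Review bot: The third example comment on the new side misspells the product name: `# Inspect a Sigsore bundle for an OCI artifact, and print the results in table format` should read `# Inspect a Sigstore bundle for an OCI artifact, and print the results in table format`, since this text is shown verbatim in `gh attestation inspect --help`. The new Short text `Inspect a sigstore bundle` also uses lowercase where the Long text of this hunk and the download command's help write `Sigstore`; `Short: "Inspect a Sigstore bundle",` keeps the two commands' help output consistent. NewInspectCmd's body continues past the end of this hunk.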