docs: combine trivy.dev into trivy docs (#7884)

Co-authored-by: simar7 <1254783+simar7@users.noreply.github.com>
2025-12-21 14:50:53 -08:00 · 2024-11-17 23:34:48 -07:00
parent 0d3d934f76
commit 94791f8343
22 changed files with 1357 additions and 331 deletions
--- a/docs/getting-started/signature-verification.md
+++ b/docs/getting-started/signature-verification.md
@@ -1,60 +1,47 @@
 # Signature Verification

-## Verifying a Cosign signature
 All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).

-You need the following tool:
+## Verifying container image

- [Cosign](https://docs.sigstore.dev/cosign/installation/)
-
-### Verifying signed container images
-1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
-   ```shell
-   cosign verify aquasec/trivy:<version> \
-   --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
-   --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
-   ```
-   
-2. You should get the following output
-   ```shell
-   Verification for index.docker.io/aquasec/trivy:latest --
-   The following checks were performed on each of these signatures:
-     - The cosign claims were validated
-     - Existence of the claims in the transparency log was verified offline
-     - The code-signing certificate was verified using trusted certificate authority certificates
-
-     ....
-   ```
-
-### Verifying signed binaries
-
-1. Download the required tarball, associated signature and certificate files
-2. Use the following command for keyless verification:
-   ```shell
-   cosign verify-blob <path to binray> \
-   --certificate <path to cert> \
-   --signature <path to sig> \
-   --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
-   --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
-   ```
-3. You should get the following output
-   ```
-   Verified OK
-   ```
-   
-For example:
+Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):

 ```shell
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
-$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
-$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
-  --certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
-  --signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
-  --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
-  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" 
-  
-Vetified OK
+cosign verify aquasec/trivy:<version> \
+--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+   
+You should get the following output
+
+```
+Verification for index.docker.io/aquasec/trivy:latest --
+The following checks were performed on each of these signatures:
+   - The cosign claims were validated
+   - Existence of the claims in the transparency log was verified offline
+   - The code-signing certificate was verified using trusted certificate authority certificates
+
+   ....
+```
+
+## Verifying binary
+
+Download the required tarball, associated signature and certificate files from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).
+
+Use the following command for keyless verification:
+
+```shell
+cosign verify-blob <path to binray> \
+--certificate <path to cert> \
+--signature <path to sig> \
+--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+```
+
+You should get the following output
+
+```
+Verified OK
 ```

 ## Verifying a GPG signature
@@ -63,37 +50,33 @@ RPM and Deb packages are also signed by GPG.

 ### Verifying RPM

-The public key downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key).
+The public key is available at <https://aquasecurity.github.io/trivy-repo/rpm/public.key>.

-1. Download the public key
-   ```shell
-   curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \ 
-   --output pub.key
-   ```
-2. Import the key
-   ```shell
-   rpm --import pub.key
-   ```
-3. Verify that the key has been imported
-   ```shell
-   rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
-   ```
-   You should get the following output
-   ```shell
-   gpg(trivy)
-   ```
+First, download and import the key: 
+
+```shell
+curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \ 
+--output pub.key
+rpm --import pub.key
+rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
+```
+
+You should get the following output:
+
+```
+gpg(trivy)
+```
   
-4. Download the required binary
-   ```shell
-   curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
-   --output trivy.rpm
-   ```
-5. Check the binary with the following command
-   ```shell
-   rpm -K trivy.rpm
-   ```
-   You should get the following output
-   ```shell
-   trivy.rpm: digests signatures OK
-   ```
+Then you can verify the signature:

+```shell
+curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
+--output trivy.rpm
+rpm -K trivy.rpm
+```
+
+You should get the following output
+
+```
+trivy.rpm: digests signatures OK
+```