Merge branch 'doc-sign-images-verify' into 'main'

Document commands to verify image signatures

See merge request components/opentofu!149

.gitlab/README.md.template

@@ -333,10 +333,23 @@ See https://github.com/distribution/distribution/issues/1201*
 Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
 using [`sigstore/cosign`](https://github.com/sigstore/cosign).
 
-Check the following docs to learn more about verifying the signature:
+You can use the following command to verify the signatures:
 
-- https://docs.sigstore.dev/cosign/verifying/verify/
-- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+```shell
+VERSION=X.Y.Z # put a released components/opentofu version here
+IMAGE_REF=... # put a released components/opentofu image reference here
+cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
+```
+
+For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
+
+```shell
+cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
+    --certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
+    --certificate-oidc-issuer "https://gitlab.com"
+```
+
+For self-managed mirrors the OIDC issuer must be changed, too.
 
 ### Using with Renovate
 

.gitlab/release-notes.md.template

@@ -43,7 +43,14 @@ And with the follow base OS images:
 - `alpine`, use `base_os: alpine` input to use it (default).
 - `debian`, use `base_os: debian` input to use it.
 
-The images have been signed with `cosign`.
+The images have been signed with `cosign` and can be verified with the following command:
+
+```shell
+cosign verify \
+  "$CI_REGISTRY_IMAGE/gitlab-opentofu:$CI_COMMIT_TAG-alpine" \
+  --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG" \
+  --certificate-oidc-issuer "https://gitlab.com"
+```
 
 > **Note:**
 >

README.md

@@ -352,10 +352,23 @@ See https://github.com/distribution/distribution/issues/1201*
 Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
 using [`sigstore/cosign`](https://github.com/sigstore/cosign).
 
-Check the following docs to learn more about verifying the signature:
+You can use the following command to verify the signatures:
 
-- https://docs.sigstore.dev/cosign/verifying/verify/
-- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+```shell
+VERSION=X.Y.Z # put a released components/opentofu version here
+IMAGE_REF=... # put a released components/opentofu image reference here
+cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
+```
+
+For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
+
+```shell
+cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
+    --certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
+    --certificate-oidc-issuer "https://gitlab.com"
+```
+
+For self-managed mirrors the OIDC issuer must be changed, too.
 
 ### Using with Renovate