From 718ec29ec65a88f87aeb69b0b0aac8f02f50caf7 Mon Sep 17 00:00:00 2001 From: Igor Adulyan <53629576+igoradulian@users.noreply.github.com> Date: Thu, 11 Dec 2025 22:56:26 -0800 Subject: [PATCH] docs: update binary signature verification for sigstore bundles (#9929) --- .../getting-started/signature-verification.md | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/docs/getting-started/signature-verification.md b/docs/getting-started/signature-verification.md index d805106b39..ea76b72f3c 100644 --- a/docs/getting-started/signature-verification.md +++ b/docs/getting-started/signature-verification.md 
@@ -26,16 +26,26 @@ The following checks were performed on each of these signatures: ## Verifying binary -Download the required tarball, associated signature and certificate files from the [GitHub Release](https://github.com/aquasecurity/trivy/releases). +Since Trivy v0.68.1, GitHub Releases provide [sigstore signature bundles](https://docs.sigstore.dev/cosign/bundle/). Separate `.sig` and certificate (`.pem`) files are no longer published. + +Download the required tarball and its associated `.sigstore.json` bundle file from the [GitHub Release](https://github.com/aquasecurity/trivy/releases). Use the following command for keyless verification: ```shell -cosign verify-blob \ ---certificate \ ---signature \ ---certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \ ---certificate-oidc-issuer "https://token.actions.githubusercontent.com" +cosign verify-blob-attestation \ + --bundle .sigstore.json \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/' +``` + +Example for `trivy_0.68.1_Linux-64bit.tar.gz`: + +```shell +cosign verify-blob-attestation trivy_0.68.1_Linux-64bit.tar.gz \ + --bundle trivy_0.68.1_Linux-64bit.tar.gz.sigstore.json \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ + --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v0.68.1' ``` You should get the following output
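Review bot: the generic template in the first `shell` block is missing the file to verify: it starts with `cosign verify-blob-attestation \` and goes straight to `--bundle .sigstore.json`, whereas the worked example passes the tarball as the first positional argument (`cosign verify-blob-attestation trivy_0.68.1_Linux-64bit.tar.gz \`). As written, a reader who copies the template gets a usage error. If angle-bracket placeholders such as the tarball name and the release tag were intended (the `--bundle .sigstore.json` value and the `--certificate-identity '...@refs/tags/'` value both end where a placeholder would sit, and the worked example fills them with `trivy_0.68.1_Linux-64bit.tar.gz.sigstore.json` and `@refs/tags/v0.68.1`), they did not survive; please add them back in a form that renders in Markdown, e.g. escaped or inside the code fence as a visible placeholder token. Two documentation points on the same hunk: first, the prose says the bundle format applies "Since Trivy v0.68.1" but the hunk deletes the `.sig`/`.pem` instructions outright, so anyone verifying an older release no longer has the `cosign verify-blob` procedure; keep a short "for releases before v0.68.1" paragraph with the removed command. Second, pinning `--certificate-identity` to `reusable-release.yaml@refs/tags/<tag>` is tighter than the previous `--certificate-identity-regexp` over any workflow, which is a good change; a sentence telling readers that the tag in the identity must match the version they downloaded would make it clear why the verification fails on a mismatched tag.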