docs: update binary signature verification for sigstore bundles (#9929 )

chore(deps): bump alpine from 3.22.1 to 3.23.0 (#9935 )
chore(alpine): add EOL date for alpine 3.23 (#9934 )
2025-12-12 07:40:48 -08:00 · 2025-12-12 06:56:26 +00:00 · 2025-12-12 06:55:39 +00:00 · 2025-12-12 06:55:09 +00:00
4 changed files with 19 additions and 8 deletions
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-FROM alpine:3.22.1
+FROM alpine:3.23.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/
--- a/Dockerfile.canary
+++ b/Dockerfile.canary
@@ -1,4 +1,4 @@
-FROM alpine:3.22.1
+FROM alpine:3.23.0
 RUN apk --no-cache add ca-certificates git

 # binaries were created with GoReleaser
--- a/docs/getting-started/signature-verification.md
+++ b/docs/getting-started/signature-verification.md
@@ -26,16 +26,26 @@ The following checks were performed on each of these signatures:

 ## Verifying binary

-Download the required tarball, associated signature and certificate files from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).
+Since Trivy v0.68.1, GitHub Releases provide [sigstore signature bundles](https://docs.sigstore.dev/cosign/bundle/). Separate `.sig` and certificate (`.pem`) files are no longer published.
+
+Download the required tarball and its associated `.sigstore.json` bundle file from the [GitHub Release](https://github.com/aquasecurity/trivy/releases).

 Use the following command for keyless verification:

 ```shell
-cosign verify-blob <path to binary> \
--certificate <path to cert> \
--signature <path to sig> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+cosign verify-blob-attestation <path to tarball> \
+    --bundle <path to tarball>.sigstore.json \
+    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+    --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/<release tag>'
+```
+
+Example for `trivy_0.68.1_Linux-64bit.tar.gz`:
+
+```shell
+cosign verify-blob-attestation trivy_0.68.1_Linux-64bit.tar.gz \
+    --bundle trivy_0.68.1_Linux-64bit.tar.gz.sigstore.json \
+    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+    --certificate-identity 'https://github.com/aquasecurity/trivy/.github/workflows/reusable-release.yaml@refs/tags/v0.68.1'
 ```

 You should get the following output
--- a/pkg/detector/ospkg/alpine/alpine.go
+++ b/pkg/detector/ospkg/alpine/alpine.go
@@ -50,6 +50,7 @@ var eolDates = map[string]time.Time{
 	"3.20": time.Date(2026, 4, 1, 23, 59, 59, 0, time.UTC),
 	"3.21": time.Date(2026, 12, 5, 23, 59, 59, 0, time.UTC),
 	"3.22": time.Date(2027, 4, 30, 23, 59, 59, 0, time.UTC),
+	"3.23": time.Date(2027, 11, 1, 23, 59, 59, 0, time.UTC),
 	"edge": time.Date(9999, 1, 1, 0, 0, 0, 0, time.UTC),
 }
Author	SHA1	Message	Date
Igor Adulyan	718ec29ec6	docs: update binary signature verification for sigstore bundles (#9929 )	2025-12-12 06:56:26 +00:00
DmitriyLewen	d528250a1d	chore(deps): bump alpine from `3.22.1` to `3.23.0` (#9935 )	2025-12-12 06:55:39 +00:00
DmitriyLewen	f50b96a815	chore(alpine): add EOL date for alpine 3.23 (#9934 )	2025-12-12 06:55:09 +00:00