From 6d3ea0c032f76658e4054eacdfc35682757a5e3f Mon Sep 17 00:00:00 2001 From: Kristian Klausen Date: Thu, 21 Sep 2023 06:35:47 +0200 Subject: [PATCH] Fix incorrect cosign verify commands The identity has been changed[1] to also include the "CI config path" and the ref path should be the git tag of the release. Also remove `jq` as it is only nice to have, not needed and it masks the return code of `cosign verify`. [1] https://github.com/sigstore/fulcio/commit/a4b3e128c119123138889cf57bf65c4f3fae811a Fixes: 8317be4 ("Sign the images with sigstore's fulcio/rekor") --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2cd98d9..adcdcb7 100644 --- a/README.md +++ b/README.md 
@@ -25,9 +25,9 @@ All the images, with the exception of the official DockerHub library image, are signed by using [cosign's keyless signing][openid-signing]. The images can be verified with one of the following commands: ```sh -$ cosign verify docker.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq . -$ cosign verify quay.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq . -$ cosign verify ghcr.io/archlinux/archlinux:latest --certificate-identity=https://gitlab.com/archlinux/archlinux-docker@refs/heads/master --certificate-oidc-issuer=https://gitlab.archlinux.org | jq . +$ cosign verify docker.io/archlinux/archlinux:latest --certificate-identity-regexp="https://gitlab\.archlinux\.org/archlinux/archlinux-docker//\.gitlab-ci\.yml@refs/tags/v[0-9]+\.0\.[0-9]+" --certificate-oidc-issuer=https://gitlab.archlinux.org +$ cosign verify quay.io/archlinux/archlinux:latest --certificate-identity-regexp="https://gitlab\.archlinux\.org/archlinux/archlinux-docker//\.gitlab-ci\.yml@refs/tags/v[0-9]+\.0\.[0-9]+" --certificate-oidc-issuer=https://gitlab.archlinux.org +$ cosign verify ghcr.io/archlinux/archlinux:latest --certificate-identity-regexp="https://gitlab\.archlinux\.org/archlinux/archlinux-docker//\.gitlab-ci\.yml@refs/tags/v[0-9]+\.0\.[0-9]+" --certificate-oidc-issuer=https://gitlab.archlinux.org ``` ## Principles
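Review bot: the `--certificate-identity-regexp` value in the three added `cosign verify` lines has no `^` and `$` anchors. If the pattern is applied as an unanchored search, which is how Go regular expressions match by default, it pins only a substring of the certificate identity: the trailing `[0-9]+` would still match a ref that carries extra characters after the version, and text in front of `https://` would not be rejected either. Suggest anchoring it in all three commands, i.e. `--certificate-identity-regexp="^https://gitlab\.archlinux\.org/archlinux/archlinux-docker//\.gitlab-ci\.yml@refs/tags/v[0-9]+\.0\.[0-9]+$"`. Dropping `| jq .` is the right call for the reason given in the commit message, since the exit status of `cosign verify` is now what a caller sees.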