sigstore · steiza · Feb 20, 2025 · Feb 18, 2025 · Feb 20, 2025
@@ -17,9 +17,9 @@ all: build-examples
 
 .PHONY: build-examples
 build-examples:
+	go build -C ./examples/oci-image-verification -o oci-image-verification .
 	go build -C ./examples/sigstore-go-signing -o sigstore-go-signing .
 	go build -C ./examples/sigstore-go-verification -o sigstore-go-verification .
-	go build -C ./examples/oci-image-verification -o oci-image-verification .
 
 .PHONY: test
 test:

@@ -1,9 +1,80 @@
+# Building examples
+
+To build example programs, run `make build-examples` in the repo root.
+The built executables will be in the `examples/` subdirectory:
+```shell
+$ make build-examples
+go build -C ./examples/oci-image-verification -o oci-image-verification .
+go build -C ./examples/sigstore-go-signing -o sigstore-go-signing .
+go build -C ./examples/sigstore-go-verification -o sigstore-go-verification .
+
+$ find examples -type f -perm -u+x | sort
+examples/oci-image-verification/oci-image-verification
+examples/sigstore-go-signing/sigstore-go-signing
+examples/sigstore-go-verification/sigstore-go-verification
+```
+
+# oci-image-verification
+
+This is a CLI for verifying signatures on the OCI images. View the help text with `-h` or `--help` for all the options.
+```shell
+$ ./oci-image-verification -h
+Usage of ./oci-image-verification:
+  -artifact string
+        Path to artifact to verify
+  -artifact-digest string
+        Hex-encoded digest of artifact to verify
+  -artifact-digest-algorithm string
+        Digest algorithm (default "sha256")
+  -expectedIssuer string
+        The expected OIDC issuer for the signing certificate
+  -expectedIssuerRegex string
+        The expected OIDC issuer for the signing certificate
+  -expectedSAN string
+        The expected identity in the signing certificate's SAN extension
+  -expectedSANRegex string
+        The expected identity in the signing certificate's SAN extension
+  -ignore-sct
+        Ignore SCT verification - do not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log
+  -minBundleVersion string
+        Minimum acceptable bundle version (e.g. '0.1')
+  -ociImage string
+        OCI image to verify
+  -publicKey string
+        Path to trusted public key
+  -requireTimestamp
+        Require either an RFC3161 signed timestamp or log entry integrated timestamp (default true)
+  -requireTlog
+        Require Artifact Transparency log entry (Rekor) (default true)
+  -trustedrootJSONpath string
+        Path to trustedroot JSON file (default "examples/trusted-root-public-good.json")
+  -tufDirectory string
+        Directory to store TUF metadata (default "tufdata")
+  -tufRootURL string
+        URL of TUF root containing trusted root JSON file
+```
+
+# sigstore-go-signing
+This is a test CLI for signing sigstore bundles.
+```shell
+$ ./sigstore-go-signing -h
+Usage of ./sigstore-go-signing:
+  -id-token string
+    OIDC token to send to Fulcio
+  -in-toto
+    Content to sign is in-toto document
+  -rekor
+    Including transparency log entry from Rekor
+  -tsa
+    Include signed timestamp from timestamp authority
+```
+
 # sigstore-go-verification
 
 This is a CLI for verifying Sigstore bundles. View the help text with `-h` or `--help` for all the options.
 
 ```shell
-$ go run . \
+$ ./sigstore-go-verification \
   -artifact-digest 76176ffa33808b54602c7c35de5c6e9a4deb96066dba6533f50ac234f4f1f4c6b3527515dc17c06fbe2860030f410eee69ea20079bd3a2c6f3dcf3b329b10751 \
   -artifact-digest-algorithm sha512 \
   -expectedIssuer https://token.actions.githubusercontent.com \
@@ -22,4 +93,3 @@ Verification successful!
 ```
 
 You can also specify a TUF root with something like `-tufRootURL tuf-repo-cdn.sigstore.dev`.
-