Please add link to instruction on how consumers verify xxx.sigstore.json

[sgpinkus]

Description

Using this action is simple. But how do you verify the output as a consumer of some software released signed this way. To most users all they see is a big cryptic JSON document with no idea how to verify it. Please add a link or instructions here.

[woodruffw]

Hi @sgpinkus, thanks for opening an issue.

There's some pre-existing documentation on how to verify with the action itself in the README: https://github.com/sigstore/gh-action-sigstore-python#verify

You can also use sigstore-python as a standalone tool to verify the outputs of these actions. There are recipes for doing so here: https://sigstore.github.io/sigstore-python/verify/

Do either of those resources help and, if so, do you have thoughts for where you'd like them linked to make them more prominent?

[jku]

I guess one issue is how hard it is to jump from "this project uses gh-action-sigstore-python" to "I can verify this signature locally with sigstore verify github --repository xyz --name abc ... command".

I suppose we could add an example to action output -- at that point we should know the correct values of --repository and --name

[woodruffw]

I suppose we could add an example to action output -- at that point we should know the correct values of --repository and --name

I like that idea!