anchore · wagoodman · Jun 6, 2024 · Jan 21, 2024 · Jan 21, 2024 · Feb 3, 2024
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -14,6 +14,16 @@ jobs:
     environment: release
     runs-on: ubuntu-20.04
     steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+      - name: Check if running on main
+        if: github.ref != 'refs/heads/main'
+        # we are using the following flag when running `cosign blob-verify` for checksum signature verification:
+        #   --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
+        # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
+        # at the time of when the OIDC token was issued on the Github Actions runner.
+        run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
 
       - name: Check if pinned syft is a release version

diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
@@ -177,6 +177,9 @@ jobs:
     needs: [Build-Snapshot-Artifacts]
     runs-on: macos-latest
     steps:
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
       - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
 
       - name: Download snapshot build

diff --git a/README.md b/README.md
@@ -60,12 +60,10 @@ If you encounter an issue, please [let us know using the issue tracker](https://
 ```bash
 curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
 ```
-
-You can also choose another destination directory and release version for the installation. The destination directory doesn't need to be `/usr/local/bin`, it just needs to be a location found in the user's PATH and writable by the user that's installing Grype.
-
-```
-curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
-```
+Install script options:
+-	`-b`: Specify a custom installation directory (defaults to `./bin`)
+-	`-d`: More verbose logging levels (`-d` for debug, `-dd` for trace)
+-	`-v`: Verify the signature of the downloaded artifact before installation (requires [`cosign`](https://github.com/sigstore/cosign) to be installed)
 
 ### Chocolatey