From 1fb32f33665efb4fc40622867325f3a0c8524f8a Mon Sep 17 00:00:00 2001
From: continuist
Date: Sun, 24 Aug 2025 21:46:37 -0400
Subject: [PATCH] Fix cosign installation steps

---
 Docker_Registry_Install_Guide.md | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md
index e231683..33246bb 100644
--- a/Docker_Registry_Install_Guide.md
+++ b/Docker_Registry_Install_Guide.md
@@ -433,17 +433,30 @@ sudo update-ca-certificates
 # 4. Generate Cosign key pair for image signing
 
 # Install Cosign (pinned + verified)
-COSIGN_VERSION=v2.2.4
-COSIGN_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
-COSIGN_SHA256=""
+# Vars
+COSIGN_VERSION=v2.5.3 # Replace with the latest stable release version
+BASE="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}"
+FILE="cosign-linux-amd64"
 
-**⚠️ IMPORTANT:** Replace `` with the official release SHA256 before running.
+cd /tmp
 
-curl -fsSL -o /usr/local/bin/cosign "$COSIGN_URL"
-echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c -
-chmod +x /usr/local/bin/cosign
+# 1) Download binary + vendor checksums
+curl -fsSLO "${BASE}/${FILE}"
+curl -fsSLO "${BASE}/cosign_checksums.txt"
 
-# Verify installation
+# 2) Verify SHA256 for the exact artifact
+grep " ${FILE}$" cosign_checksums.txt | sha256sum -c -
+
+# Expect: 'cosign-linux-amd64: OK'
+
+# (If your 'cosign_checksums.txt' has CRLFs and the check fails, do:
+# sed -i 's/\r$//' cosign_checksums.txt
+# and run the check again.)
+
+# 3) Install
+sudo install -m 0755 "/tmp/${FILE}" /usr/local/bin/cosign
+
+# 4) Sanity check
 cosign version --json
 
 # Generate Cosign key pair (or use keyless OIDC in CI)
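Review bot: Step 2 of the new procedure verifies the binary against a checksum list fetched from the same release URL in step 1, so `grep " ${FILE}$" cosign_checksums.txt | sha256sum -c -` only catches a corrupted transfer, not a tampered release; that is weaker than the out-of-band `COSIGN_SHA256` pin the hunk removes, and `# Replace with the latest stable release version` undercuts the "(pinned + verified)" comment kept above it. The checksum file should be authenticated before it is trusted — either verify the release's detached signature over it (cosign releases ship a `cosign_checksums.txt-keyless.sig`/`.pem` pair that an already-installed, trusted cosign can check with `cosign verify-blob`, which is the usual bootstrap on an upgrade) or keep a reviewed hash in the guide as before — and the step should say which of the two the reader is relying on. Separately, `cd /tmp` followed by `sudo install -m 0755 "/tmp/${FILE}" /usr/local/bin/cosign` leaves the verified file in a world-writable directory between the check and the privileged copy; a per-run `workdir=$(mktemp -d)` (removed afterwards) closes that window and also avoids clobbering a stale `cosign-linux-amd64` left by an earlier run. Nothing in the shown context pins the architecture either, so a one-line note that `FILE` must match `uname -m` on the target host would save readers on arm64 from a confusing checksum failure.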