Update verification instructions for bundle (#397)

Mostly just renames the bundle example to be a JSON file. Also updated
some text regarding the contents of the bundle being more than just a
signature and certificate.

Signed-off-by: Hayden <8418760+haydentherapper@users.noreply.github.com>
Signed-off-by: Hayden <haydentherapper@users.noreply.github.com>
Co-authored-by: Hayden <8418760+haydentherapper@users.noreply.github.com>

Author: Hayden

content/en/cosign/signing/signing_with_blobs.md

@@ -12,14 +12,15 @@ You can use Cosign for signing and verifying standard files and blobs (or binary
 Cosign supports identity-based signing, associating an ephemeral signing key with an identity from an OpenID Connect provider. We refer to this process as "keyless signing". You use `cosign sign-blob` to sign standard files as well as blobs. You can store signature and certificate information either as separate file, or in a bundled text file, but using a bundle is the recommended way of signing a blob, as users can specify just the bundle name instead of separate files for the signature and certificate.  Use the `cosign` command to sign:
 
 ```shell
-$ cosign sign-blob <file> --bundle cosign.bundle
+$ cosign sign-blob <file> --bundle artifact.sigstore.json 
 ```
-The bundle is output as a `base64` encoded string that contains the certificate and signature. In addition, signatures are output as `base64` encoded strings to stdout by default. 
+The bundle contains verification metadata, including an artifact's signature, certificate and proof of transparency log inclusion.
 
-When using `cosign sign-blob` in keyless mode, you need to store the bundle for verification. If you don't want to use the bundle, you can direct the output of the certificate by using the `--output-certificate` and `--output-signature` flags. The result from using the output flags:
+When using `cosign sign-blob` in keyless mode, you need to store the bundle for verification. If you don't want to use the bundle, you can direct the output of the certificate by using the `--output-certificate` and `--output-signature` flags. Note that this will be removed in future versions of Cosign, as the
+bundle format is standardized across Sigstore clients. The result from using the output flags:
 
 ```shell
-$ cosign sign-blob README.md --output-certificate cert.pem --output-signature sig
+$ cosign sign-blob README.md --new-bundle-format=false --output-certificate cert.pem --output-signature sig
 Using payload from: README.md
 Generating ephemeral keys...
 Retrieving signed certificate...
@@ -56,7 +57,7 @@ Certificate wrote in the file cert.pem
 While keyless signing is recommended, you may specify your own keys for signing.  You will need the password for the private key to sign:
 
 ```shell
-$ cosign sign-blob --key cosign.key README.md
+$ cosign sign-blob --key cosign.key --bundle artifact.sigstore.json README.md
 Using payload from: README.md
 Enter password for private key:
 MEQCIAU4wPBpl/U5Vtdx/eJFgR0nICiiNCgyWPWarupH0onwAiAv5ycIKgztxHNVG7bzUjqHuvK2gsc4MWxwDgtDh0JINw==
@@ -101,5 +102,5 @@ $ cosign sign gcr.io/user/demo/artifact
 In situations where automated signing is required, such as within CI/CD pipelines, the `--yes` flag becomes essential. This flag, when used with signing commands, bypasses any confirmation prompts, enabling a smooth, uninterrupted signing process. This is particularly crucial in automated environments where manual input isn't feasible. The `--yes` flag ensures that your signing operations can proceed without manual intervention, maintaining the efficiency and speed of your automated workflows.
 
 ```
-cosign sign-blob --yes -key cosign.key myregistry/myimage:latest
+cosign sign-blob --yes --key cosign.key --bundle artifact.sigstore.json myregistry/myimage:latest
 ```

content/en/cosign/verifying/verify.md

@@ -28,11 +28,11 @@ cosign verify <image URI> --certificate-identity=name@example.com
 
 The oidc-issuer for Google is https://accounts.google.com, Microsoft is https://login.microsoftonline.com, GitHub is https://github.com/login/oauth, and GitLab is https://gitlab.com.
 
-The following example verifies the signature on file.txt from user name@example.com issued by accounts@example.com. It uses a provided bundle cosign.bundle that contains the certificate and signature.
+The following example verifies the signature on file.txt from user name@example.com issued by accounts@example.com. It uses a provided bundle `artifact.sigstore.json` that contains the certificate and signature.
 
 ```shell
-cosign verify-blob <file> --bundle cosign.bundle --certificate-identity=name@example.com
-                          --certificate-oidc-issuer=https://accounts.example.com
+cosign verify-blob <file> --bundle artifact.sigstore.json \
+  --certificate-identity=name@example.com --certificate-oidc-issuer=https://accounts.example.com
 ```
 
 With container images, the signature and certificate are attached to the container.  For blobs, the signature and certificate can be stored in a bundle file that is created at the time of signing.  Either the bundle must be specified, or the individual signature and certificate must be specified.

content/en/quickstart/quickstart-ci.md

@@ -43,7 +43,7 @@ jobs:
       id-token: write
     steps:
         # This step ensures that your project is available in the workflow environment.
-        - uses: actions/checkout@v4
+        - uses: actions/checkout@v5
         with:
           persist-credentials: false
 
@@ -180,10 +180,10 @@ The cosign-installer GitHub Action can also do simpler tasks, like signing a blo
 ```yaml
 # This step makes sure your project is available in the workflow environment.
 - name: Import project
-  uses: actions/checkout@v4
+  uses: actions/checkout@v5
 # This step signs a blob (a text file in the root directory named to_be_signed.txt). The `--yes` flag agrees to Sigstore's terms of use.
 - name: Sign Blob
-  run: cosign sign-blob to_be_signed.txt --bundle cosign.bundle --yes
+  run: cosign sign-blob to_be_signed.txt --bundle artifact.sigstore.json --yes
 ```
 
 ### Verifying a blob
@@ -193,7 +193,7 @@ To verify the signature that you just created, add the following step to your wo
 ```yaml
 - name: Verify blob
   run: >
-    cosign verify-blob README.md --bundle cosign.bundle
+    cosign verify-blob README.md --bundle artifact.sigstore.json
     --certificate-identity=https://github.com/USERNAME/REPOSITORY_NAME/.github/workflows/WORKFLOW_NAME@refs/heads/BRANCH_NAME
     --certificate-oidc-issuer=https://token.actions.githubusercontent.com
 ```

content/en/quickstart/quickstart-cosign.md

@@ -26,13 +26,13 @@ To sign software artifacts and verify signatures using Sigstore, you need to ins
 
 The basic signing format for a blob is as follows:
 
-```
-$ cosign sign-blob <file> --bundle cosign.bundle
+```bash
+cosign sign-blob <file> --bundle artifact.sigstore.json
 ```
 
-The bundle contains signing metadata, including the signature and certificate.
+The bundle contains signing metadata, including the signature, certificate, timestamp and proof of transparency log inclusion.
 
-The Cosign command requests a certificate from the Sigstore certificate authority, Fulcio. Fulcio checks your identity by using an authentication protocol (OpenID Connect) to confirm your email address. If your identity is correct, Fulcio grants a short-lived, time-stamped certificate. The certificate is bound to the public key to attest to your identity. This activity is logged using the Sigstore transparency and timestamping log, Rekor.
+The Cosign command requests a certificate from the Sigstore certificate authority, Fulcio. Fulcio checks your identity by using an authentication protocol (OpenID Connect) to confirm your email address. If your identity is correct, Fulcio grants a short-lived, time-stamped certificate. The certificate is bound to the public key to attest to your identity. This activity is logged using the Sigstore signature transparency log, Rekor.
 
 Note that you don’t need to use a key to sign. Currently, you can authenticate with Google, GitHub, or Microsoft, which will associate your identity with a short-lived signing key. 
 
@@ -46,20 +46,21 @@ cosign sign-blob --help
 
 To verify a signed blob, you need to provide three pieces of information:
 
-- The certificate
-- The signature
+- The artifact blob
+- The verification bundle, containing the signature, certificate, and proof of log inclusion
 - The identity used in signing
 
-You may be provided with a bundle that includes the certificate and signature. The blob maintainer should provide the trusted identity.
-
-The following example verifies the signature on `file.txt` from user `name@example.com` issued by `accounts@example.com`. It uses a provided bundle `cosign.bundle` that contains the certificate and signature.
+The following example verifies the signature on `file.txt` from user `name@example.com` issued by `accounts@example.com`. It uses a provided bundle `artifact.sigstore.json` that contains the certificate and signature.
 
-```
-$ cosign verify-blob <file> --bundle cosign.bundle --certificate-identity=name@example.com
-                              --certificate-oidc-issuer=https://accounts.example.com
+```bash
+cosign verify-blob file.txt --bundle artifact.sigstore.json \
+  --certificate-identity=name@example.com --certificate-oidc-issuer=https://accounts.example.com
 ```
 
-To verify, Cosign queries the transparency log (Rekor) to compare the public key bound to the certificate, and checks the timestamp on the signature against the artifact’s entry in the transparency log. The signature is valid if its timestamp falls within the small window of time that the key pair and certificate issued by the certificate authority were valid.
+Cosign verifies the signed timestamp in the bundle, and uses the timestamp when verifying the short-lived code signing certificate containing the ephemeral public key.
+A signature is valid if the timestamp falls within the small time window of certificate issuance.
+Cosign then uses the certificate's public key to verify the artifact signature. Cosign also verifies the proof of transparency log inclusion
+artifact and its certificate.
 
 ## Example: Working with containers