docs: add 'Signature Verification' guide (#4731)

* add 'Signature Verification' guide

* add gpg signature verification doc

---------

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

docs/getting-started/signature-verification.md

@@ -0,0 +1,99 @@
+# Signature Verification
+
+## Verifying a Cosign signature
+All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).
+
+You need the following tool:
+
+- [Cosign](https://docs.sigstore.dev/cosign/installation/)
+
+### Verifying signed container images
+1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
+   ```shell
+   cosign verify aquasec/trivy:<version> \
+   --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+   --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+   ```
+
+2. You should get the following output
+   ```shell
+   Verification for index.docker.io/aquasec/trivy:latest --
+   The following checks were performed on each of these signatures:
+     - The cosign claims were validated
+     - Existence of the claims in the transparency log was verified offline
+     - The code-signing certificate was verified using trusted certificate authority certificates
+
+     ....
+   ```
+
+### Verifying signed binaries
+
+1. Download the required tarball, associated signature and certificate files
+2. Use the following command for keyless verification:
+   ```shell
+   cosign verify-blob <path to binray> \
+   --certificate <path to cert> \
+   --signature <path to sig> \
+   --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+   --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
+   ```
+3. You should get the following output
+   ```
+   Verified OK
+   ```
+
+For example:
+
+```shell
+$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
+$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
+$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
+$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
+  --certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
+  --signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
+  --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" 
+  
+Vetified OK
+```
+
+## Verifying a GPG signature
+
+RPM and Deb packages are also signed by GPG.
+
+### Verifying RPM
+
+The public key downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key).
+
+1. Download the public key
+   ```shell
+   curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \ 
+   --output pub.key
+   ```
+2. Import the key
+   ```shell
+   rpm --import pub.key
+   ```
+3. Verify that the key has been imported
+   ```shell
+   rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
+   ```
+   You should get the following output
+   ```shell
+   gpg(trivy)
+   ```
+
+4. Download the required binary
+   ```shell
+   curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
+   --output trivy.rpm
+   ```
+5. Check the binary with the following command
+   ```shell
+   rpm -K trivy.rpm
+   ```
+   You should get the following output
+   ```shell
+   trivy.rpm: digests signatures OK
+   ```
+

mkdocs.yml

@@ -10,6 +10,7 @@ nav:
   - Getting Started: 
       - Overview: index.md
       - Installation: getting-started/installation.md
+      - Signature Verification: getting-started/signature-verification.md
       - FAQ: getting-started/faq.md
   - Tutorials:
       - Overview: tutorials/overview.md