[docs]: Installation routine not working - cosign verification failed

[robert-heinzmann-logmein]

Hello!

I am trying to install (using cosign verification) the step-cli on Linux package. I follow https://smallstep.com/docs/step-cli/installation/index.html#linux-packages-amd64 and run:

shell$ ls -al step_linux_0.25.0_amd64.tar.gz*
... 12496986 Sep 27 07:50 step_linux_0.25.0_amd64.tar.gz
... 3192 Sep 27 07:51 step_linux_0.25.0_amd64.tar.gz.pem
... 96 Sep 27 07:51 step_linux_0.25.0_amd64.tar.gz.sig
shell$ cosign verify-blob   --certificate step_linux_0.25.0_amd64.tar.gz.pem   --signature step_linux_0.25.0_amd64.tar.gz.sig   --certificate-identity-regexp "https://github\.com/smallstep/cli/.*"   --certificate-oidc-issuer https://token.actions.githubusercontent.com   step_linux_0.25.0_amd64.tar.gz

And I get this error:

Error: none of the expected identities matched what was in the certificate, got subjects [https://github.com/smallstep/workflows/.github/workflows/goreleaser.yml@refs/heads/main] with issuer https://token.actions.githubusercontent.com
main.go:74: error during command execution: none of the expected identities matched what was in the certificate, got subjects [https://github.com/smallstep/workflows/.github/workflows/goreleaser.yml@refs/heads/main] with issuer https://token.actions.githubusercontent.com

Is this a documentation bug ?

Affected area/feature

Installation

[hslatman]

Hi @robert-heinzmann-logmein,

Can you try it with the fix from #1025? That was created in response to #1023, which reads similar to your case. We haven't released a new version yet, so the instructions may not be up-to-date everywhere.

[robert-heinzmann-logmein]

Yes that works now. Thank you

shell$ cosign verify-blob   --certificate step_linux_0.25.0_amd64.tar.gz.pem   --signature step_linux_0.25.0_amd64.tar.gz.sig --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*"   --certificate-oidc-issuer https://token.actions.githubusercontent.com   step_linux_0.25.0_amd64.tar.gz
Verified OK