how to use ".sigstore" file for verification?

[Patterner]

i tried using "cosign" but the file is not properly recognized.
wrong app? wrong arguments?
what is the proper commandline to verify?

[lpil]

@maennchen Can you offer any guidance? Would be good to have this documented now that I think about it

[maennchen]

There's multiple ways to verify release assets:

• Using the gh CLI:

  gh attestation verify \
    --predicate-type "https://spdx.dev/Document/v2.3" \
    --repo "gleam-lang/gleam" \
    --source-ref "refs/tags/v1.12.0" \
    "gleam-v1.12.0-aarch64-apple-darwin.tar.gz"

• Using cosign directly:

  cosign verify-blob-attestation \
    --bundle "gleam-v1.12.0-aarch64-apple-darwin.tar.gz.sigstore" \
    --new-bundle-format \
    --type "https://spdx.dev/Document/v2.3" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    --certificate-identity "https://github.com/gleam-lang/gleam/.github/workflows/release.yaml@refs/tags/v1.12.0" \
    "gleam-v1.12.0-aarch64-apple-darwin.tar.gz"