From 911da6ddf59a8f029534d75e55301b69d94b4aa2 Mon Sep 17 00:00:00 2001 From: Felix Moessbauer Date: Fri, 3 May 2024 15:20:44 +0200 Subject: [PATCH] docs(attestation): add references to sigstore This patch improves the attestation signing part of the documentation by adding links to the external tooling, as well as where to find the external documentation. Proposed-by: Joerg Sommer Signed-off-by: Felix Moessbauer Signed-off-by: Jan Kiszka --- docs/userguide/build-attestation.rst | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/userguide/build-attestation.rst b/docs/userguide/build-attestation.rst index 9164c612..3747a951 100644 --- a/docs/userguide/build-attestation.rst +++ b/docs/userguide/build-attestation.rst @@ -45,10 +45,12 @@ For example, to build the configuration described in the file Working with sigstore cosign ---------------------------- -The sigstore cosign tool has native support for in-toto build predicates. -However, it currently can only operate directly on the predicate but not -on the enclosing attestation (cosign 2.2.4). By that, the predicate first -needs to be extracted (provenance in this example):: +The `cosign tool `_ from the `sigstore +project `_ (`documentation `_) +has native support for in-toto build predicates. However, it currently can only +operate directly on the predicate but not on the enclosing attestation +(cosign 2.2.4). By that, the predicate first needs to be extracted (provenance +in this example):: cat build/attestation/kas-build.provenance.json | jq '.predicate' > provenance.json
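
Review bot: In the rewritten paragraph under "Working with sigstore cosign", the three added references ("cosign tool", "sigstore project" and "documentation") show no link target in the text as it appears here. Please confirm that each one carries an embedded URL or has a matching named target elsewhere in the file, because docutils reports a reference without one as an unknown target name and the rendered page gets no link. The limitation is also still tied to the version only through the trailing parenthetical "(cosign 2.2.4)" after "currently"; wording such as "as of cosign 2.2.4" would make it clearer that the statement is version-bound and needs rechecking when cosign is upgraded. Since the paragraph is being rewrapped anyway, "By that, the predicate first needs to be extracted" could become "Therefore, the predicate must first be extracted".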