From 35a37c61bd30eff8a299bde60dd1b64c4d742025 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 24 Feb 2026 20:39:50 +0000 Subject: [PATCH 1/2] Initial plan From 178a938999b923fb36e21bb985eb8863974fff33 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 24 Feb 2026 20:44:03 +0000 Subject: [PATCH 2/2] Fix release verification instructions and include .bundle in artifacts - RELEASE.md: Correct certificate identity from release.yml@refs/tags/... to action-build.yml@refs/heads/main (matching actual OIDC behavior for reusable workflows). Replace .bundle-based instructions with .sig/.pem flags matching what is actually shipped in releases. Add step-by-step download/unpack/verify flow with explanatory note. - installation.md: Add context about signing artifacts included in tarballs, link to cosign docs, and add explanatory note about certificate identity. - sign/action.yml: Also copy .bundle file to dist/bin/ so it ships alongside .sig and .pem in release tarballs. Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- .github/actions/sign/action.yml | 3 ++- RELEASE.md | 34 +++++++++++++++++++----- docs/src/getting-started/installation.md | 18 ++++++++----- 3 files changed, 41 insertions(+), 14 deletions(-) diff --git a/.github/actions/sign/action.yml b/.github/actions/sign/action.yml index fbb2f7de56..b89e61b9fb 100644 --- a/.github/actions/sign/action.yml +++ b/.github/actions/sign/action.yml @@ -26,9 +26,10 @@ runs: --bundle containerd-shim-${{ inputs.runtime }}-v1.bundle \ dist/bin/containerd-shim-${{ inputs.runtime }}-v1 - # Copy the certs to the dist/bin folder + # Copy the signing artifacts to the dist/bin folder cp *.sig dist/bin/ cp *.pem dist/bin/ + cp *.bundle dist/bin/ else echo "::warning::No files to sign" fi \ No newline at end of file diff --git a/RELEASE.md b/RELEASE.md index 1afadc4173..b2a9e3223f 100644 
--- a/RELEASE.md +++ b/RELEASE.md 
@@ -65,16 +65,36 @@ containerd-shim-wasm = { path = "crates/containerd-shim-wasm", version = "0.4.0" ### Verify signing -The release pipeline uses `cosign` to sign the release blobs, if any. It uses Github's OIDC token to authenticate with Sigstore to prove identity and outputs a `.bundle` file, which contains a signature and a key. This file can be verified using `cosign verify-blob` command, providing the workflow tag and Github as the issuer. The full command looks like this (e.g. wasmtime shim): +The release pipeline uses [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) to sign the release binaries. It leverages Github's OIDC token to authenticate with Sigstore, proving identity, and produces `.sig` (signature) and `.pem` (certificate) files for each binary. These signing artifacts are included in the release tarball alongside the binary itself. -```sh -cosign verify-blob --bundle containerd-shim-wasmtime-v1.bundle \ ---certificate-identity https://github.com/containerd/runwasi/.github/workflows/release.yml@refs/tags/containerd-shim-wasmtime/ \ ---certificate-oidc-issuer https://token.actions.githubusercontent.com \ -containerd-shim-wasmtime-v1 +To verify a release binary (using the wasmtime shim as an example): + +**Step 1.** Download and unpack the release tarball: + +```console +# Fetch the release tarball — substitute (e.g. 0.8.0) and (e.g. x86_64 or aarch64) accordingly +$ wget "https://github.com/containerd/runwasi/releases/download/containerd-shim-wasmtime%2Fv/containerd-shim-wasmtime--linux-musl.tar.gz" + +# Unpack — the tarball contains the binary plus .sig and .pem signing artifacts +$ tar -xvf containerd-shim-wasmtime--linux-musl.tar.gz ``` -In the Github release page, please provide the above command in the instructions for the consumer to verify the release. 
+**Step 2.** Verify the binary with cosign: + +```console +$ cosign verify-blob \ + --certificate containerd-shim-wasmtime-v1.pem \ + --signature containerd-shim-wasmtime-v1.sig \ + --certificate-identity \ + "https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main" \ + --certificate-oidc-issuer \ + "https://token.actions.githubusercontent.com" \ + containerd-shim-wasmtime-v1 +``` + +> **Why does the certificate identity reference `action-build.yml@refs/heads/main` instead of `release.yml`?** +> Signing runs inside the reusable build workflow ([action-build.yml](.github/workflows/action-build.yml)), which is invoked by the release workflow. GitHub OIDC tokens for reusable workflows use the *called* workflow's identity, not the caller's, so the certificate always references `action-build.yml@refs/heads/main`. + ### First time release of a crate diff --git a/docs/src/getting-started/installation.md b/docs/src/getting-started/installation.md index a4456ebe19..7998839029 100644 --- a/docs/src/getting-started/installation.md +++ b/docs/src/getting-started/installation.md 
@@ -33,16 +33,22 @@ sudo install containerd-shim-wasmtime-v1 /usr/local/bin/ 4. Verify the binary signature (recommended): -```bash -# Verify using cosign -cosign verify-blob \ - --signature containerd-shim-wasmtime-v1.sig \ +Each release tarball includes `.sig` (signature) and `.pem` (certificate) files alongside the binary. +After unpacking the tarball, verify the binary with [cosign](https://docs.sigstore.dev/cosign/system_config/installation/): + +```console +$ cosign verify-blob \ --certificate containerd-shim-wasmtime-v1.pem \ - --certificate-identity https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main \ - --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --signature containerd-shim-wasmtime-v1.sig \ + --certificate-identity \ + "https://github.com/containerd/runwasi/.github/workflows/action-build.yml@refs/heads/main" \ + --certificate-oidc-issuer \ + "https://token.actions.githubusercontent.com" \ containerd-shim-wasmtime-v1 ``` +> **Note:** The certificate identity references `action-build.yml@refs/heads/main` because signing runs inside the reusable build workflow, which is invoked by the release workflow. See [RELEASE.md](https://github.com/containerd/runwasi/blob/main/RELEASE.md#verify-signing) for more details. + ### Option 2: Building from Source To build and install Runwasi from source:
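Review bot: In the `.github/actions/sign/action.yml` hunk, `cp *.bundle dist/bin/` is correct, but the file still ends without a trailing newline (`\ No newline at end of file` on the closing `fi`); since this hunk touches the last lines anyway, add the newline so future diffs stay clean. Also note that `cosign sign-blob --bundle` writes the bundle only inside the branch that runs signing, so the glob is populated exactly where the new `cp` runs and the existing `::warning::No files to sign` path is unaffected.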
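Review bot: The `RELEASE.md` hunk is now inconsistent with the same patch's change to `sign/action.yml`: it says the pipeline "produces `.sig` (signature) and `.pem` (certificate) files" and the unpack comment says "the tarball contains the binary plus .sig and .pem signing artifacts", yet the tarball will also carry the `.bundle`. Mention the bundle and that `cosign verify-blob --bundle containerd-shim-wasmtime-v1.bundle ...` is an equivalent single-file alternative to `--certificate`/`--signature`. Two smaller points: the `wget` URL and its comment appear to have lost their placeholders (`containerd-shim-wasmtime%2Fv/containerd-shim-wasmtime--linux-musl.tar.gz`, "substitute (e.g. 0.8.0) and (e.g. x86_64 or aarch64)"), probably angle-bracket tokens eaten by markdown rendering; use shell-style placeholders such as `${VERSION}` and `${ARCH}` so they survive. And the explanatory note on `action-build.yml@refs/heads/main` is accurate but should also say what the check proves and does not prove: a match shows the binary was signed by the project's build workflow on `main`, not that it belongs to a particular tagged release, so consumers should still compare the downloaded version against the release they expect (cosign's `--certificate-github-workflow-ref` flag can pin the triggering `refs/tags/...` ref if a tighter binding is wanted).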
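Review bot: In the `installation.md` hunk the verification step (4) still comes after the context line `sudo install containerd-shim-wasmtime-v1 /usr/local/bin/` (step 3), so a reader following the numbered steps has already installed the binary before checking its signature, and a failed `cosign verify-blob` gives no instruction to remove it. Move the verify block before the `sudo install` step (or state that installation must only proceed after verification succeeds) and drop "(recommended)" if the project wants verification to be the default path. Minor: the switch from a `bash` fence to `console` with `$` prompts means copy-paste now picks up the prompt; keep whichever convention the rest of the docs use.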