From 04ea29fcc1bf7245c794700de66bb658889b23a8 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Thu, 14 Dec 2023 09:54:55 +0100
Subject: [PATCH 01/12] bootstrapper: remove obsolete log statement

---
 bootstrapper/cmd/bootstrapper/main.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/bootstrapper/cmd/bootstrapper/main.go b/bootstrapper/cmd/bootstrapper/main.go
index f2f6008239..670b063b66 100644
--- a/bootstrapper/cmd/bootstrapper/main.go
+++ b/bootstrapper/cmd/bootstrapper/main.go
@@ -114,7 +114,6 @@ func main() {
 )
 openDevice = vtpm.OpenVTPM
 fs = afero.NewOsFs()
- log.Infof("Added load balancer IP to routing table")
 
 case cloudprovider.Azure:
 metadata, err := azurecloud.New(ctx)

From 444d077bd3ad1438fc43ba95bf96299007bfc6dd Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 20 Dec 2023 08:33:26 +0100
Subject: [PATCH 02/12] ci: simplify variable usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Daniel Weiße
---
 .github/workflows/on-release.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
index b0f43ff7a9..98192e5b65 100644
--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@@ -126,6 +126,4 @@ jobs:
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
 - name: Remove temporary branch
- env:
- WORKING_BRANCH: ${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}
- run: git push origin --delete "${WORKING_BRANCH}"
+ run: git push origin --delete "${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}"

From 4ca8d8ed923d5304ae75c22e096756d6186dcfa4 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 20 Dec 2023 08:49:25 +0100
Subject: [PATCH 03/12] cli: add missing formatting directive

---
 cli/internal/cmd/configfetchmeasurements.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
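Review bot: The new `run:` line expands `${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}` directly inside the shell script, which is the pattern GitHub's workflow-hardening guidance advises against: the expression is substituted before bash parses the line, so any quote or shell metacharacter in the job output becomes shell syntax rather than data. The removed `env:` indirection was the recommended form, and `"${WORKING_BRANCH}"` is already quoted correctly, so the simplification buys nothing functionally. The value is a job output that is presumably repository-controlled, so the practical exposure is low, but it is still a regression from the safer idiom. Suggest keeping the three removed lines, `env:` / `WORKING_BRANCH: ${{needs.complete-release-branch-transaction.outputs.WORKING_BRANCH}}` / `run: git push origin --delete "${WORKING_BRANCH}"`, instead of the inlined expression.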
diff --git a/cli/internal/cmd/configfetchmeasurements.go b/cli/internal/cmd/configfetchmeasurements.go
index 14dd11c874..aaa5b1cf06 100644
--- a/cli/internal/cmd/configfetchmeasurements.go
+++ b/cli/internal/cmd/configfetchmeasurements.go
@@ -153,7 +153,7 @@ func (cfm *configFetchMeasurementsCmd) configFetchMeasurements(
 return fmt.Errorf("fetching and verifying measurements: %w", err)
 }
 }
- cfm.log.Debugf("Measurements:\n", fetchedMeasurements)
+ cfm.log.Debugf("Measurements: %#v\n", fetchedMeasurements)
 
 cfm.log.Debugf("Updating measurements in configuration")
 conf.UpdateMeasurements(fetchedMeasurements)

From bf3b9c88123ec5e4310f0056b81dec7f53aced22 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 20 Dec 2023 11:45:58 +0100
Subject: [PATCH 04/12] helm: fix rm invocation

---
 internal/constellation/helm/generateCertManager.sh | 2 +-
 internal/constellation/helm/generateCilium.sh | 2 +-
 internal/constellation/helm/update-csi-charts.sh | 9 +++------
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/internal/constellation/helm/generateCertManager.sh b/internal/constellation/helm/generateCertManager.sh
index 85cc9e6725..02b98676e4 100755
--- a/internal/constellation/helm/generateCertManager.sh
+++ b/internal/constellation/helm/generateCertManager.sh
@@ -8,7 +8,7 @@ echo "Pulling cert-manager Helm chart..."
 version="1.12.6"
 
 function cleanup {
- rm -r "charts/cert-manager/README.md" "charts/cert-manager-v${version}.tgz"
+ rm -rf "charts/cert-manager/README.md" "charts/cert-manager-v${version}.tgz"
 }
 trap cleanup EXIT
 
diff --git a/internal/constellation/helm/generateCilium.sh b/internal/constellation/helm/generateCilium.sh
index 9f2ac1e12d..9a1f42921d 100755
--- a/internal/constellation/helm/generateCilium.sh
+++ b/internal/constellation/helm/generateCilium.sh
@@ -7,7 +7,7 @@ shopt -s inherit_errexit
 echo "Pulling Cilium Helm chart..."
 
 function cleanup {
- rm -r "${ciliumTmpDir}"
+ rm -rf -- "${ciliumTmpDir}"
 }
 trap cleanup EXIT
 
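Review bot: The corrected format string still ends in `\n`, while the neighbouring `cfm.log.Debugf("Updating measurements in configuration")` in the same hunk has no trailing newline; if `cfm.log` is a line-oriented logger (its implementation is not visible here) the measurements entry will be followed by an empty log line. `cfm.log.Debugf("Measurements: %#v", fetchedMeasurements)` keeps the two calls consistent. The enclosing `configFetchMeasurements` starts and ends outside the hunk.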
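Review bot: With `-f` added, `rm -rf -- "${ciliumTmpDir}"` in generateCilium.sh's cleanup silently does nothing when the variable expands to an empty string, whereas the previous `rm -r` at least reported an error; the same applies to `${version}` in the generateCertManager.sh hunk. update-csi-charts.sh in this same series guards its `rm -rf` with `${chart_base_path:?}`, and the same idiom fits here: `rm -rf -- "${ciliumTmpDir:?}"` and `"charts/cert-manager-v${version:?}.tgz"`, so a missing value aborts the trap loudly instead of passing unnoticed. Under `set -u` (which `shopt -s inherit_errexit` suggests but the hunk does not show) an unset variable would already fail, but an empty one would not. The cert-manager hunk also omits the `--` that the cilium hunk adds; worth making the two consistent.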
diff --git a/internal/constellation/helm/update-csi-charts.sh b/internal/constellation/helm/update-csi-charts.sh
index 9c2e70531b..36ddd7dcdc 100755
--- a/internal/constellation/helm/update-csi-charts.sh
+++ b/internal/constellation/helm/update-csi-charts.sh
@@ -27,9 +27,6 @@ fi
 # $3: path to the Helm chart in the git repo
 # $4: name of the Helm chart
 download_chart() {
- cleanup() {
- rm -r "${repo_tmp_dir}"
- }
 chart_url=$1
 branch=$2
 chart_dir=$3
@@ -55,19 +52,19 @@ download_chart() {
 cd "${callDir}"
 
 # remove old chart
- rm -r "${chart_base_path:?}/${chart_name}"
+ rm -rf -- "${chart_base_path:?}/${chart_name}"
 
 # move new chart
 mkdir -p "${chart_base_path}/${chart_name}"
 cp -r "${repo_tmp_dir}/${chart_dir}"/* "${chart_base_path}/${chart_name}"
 
+ rm -r -- "${repo_tmp_dir}"
+
 # get new version from Chart.yaml
 new_version=$(yq '.version' "${chart_base_path}/${chart_name}/Chart.yaml")
 
 # update dependency version in parent Chart.yaml
 yq -i "(.dependencies[] | select( .name== \"${chart_name}\").version) = \"${new_version}\"" "${csi_chart_path}/Chart.yaml"
-
- return
 }
 
 ## AWS CSI Driver

From db55847f2bf23fa2c7ccc026108fabc041e90695 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Sat, 23 Dec 2023 14:53:05 +0100
Subject: [PATCH 05/12] ci: check integrity of rekor-cli

---
 .github/workflows/build-os-image.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index 5cca210819..ffaf646f90 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -575,6 +575,7 @@ jobs:
 shell: bash
 run: |
 curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
+ echo 23c9baefe12b28879275f5aa84dbe9cd734d67ba42bf9bbb28a3eedbf1ed2dd4 rekor-cli-linux-amd64 | sha256sum -c --strict
 sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
 rm rekor-cli-linux-amd64
 

From 0e6f93faa750125122c92faee04c41c010adc431 Mon Sep 17 00:00:00 2001
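Review bot: Removing the nested `cleanup()` from `download_chart` (first hunk of this file) leaves the new `rm -r -- "${repo_tmp_dir}"` in the second hunk as the only visible removal of the temporary clone, and it runs on the success path only: if the clone, `cd` or `cp` between the two hunks fails under `set -e`, the directory is left behind, and any `trap cleanup EXIT` registered elsewhere in the function now refers to an undefined name. If cleanup on every exit is the intent, registering `trap 'rm -rf -- "${repo_tmp_dir:?}"' EXIT` right after the directory is created (outside this hunk) covers both paths; the `:?` guard also matches the `${chart_base_path:?}` form used on the `rm -rf` three lines above. The lines between the two hunks are not shown, so this is inferred from what is visible.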
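Review bot: The added check feeds `sha256sum -c` a line with a single space between the digest and the file name; the documented check-line format is two spaces (`<digest>  <file>`) or ` *<file>` for binary mode. GNU coreutils tolerates the one-space form, but other implementations (BusyBox, for instance) reject it as improperly formatted, which `--strict` turns into a hard failure, so the portable spelling is `echo "23c9baefe12b28879275f5aa84dbe9cd734d67ba42bf9bbb28a3eedbf1ed2dd4  rekor-cli-linux-amd64" | sha256sum -c --strict`. A short comment above the line recording where the digest was taken from (the upstream v0.12.0 release checksums) would tell the next person bumping the version how to refresh it. Pinning the digest is the right direction for a binary that is installed into /usr/local/bin and then used for verification; patch 12 of this series reverts the check without stating a reason, so if the revert was prompted by a format problem the fix above keeps the protection.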
From: Markus Rudy
Date: Sun, 24 Dec 2023 11:10:31 +0100
Subject: [PATCH 06/12] ci: document reproducible-builds workflow

---
 .github/workflows/reproducible-builds.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/reproducible-builds.yml b/.github/workflows/reproducible-builds.yml
index 033b79542f..a7a675e65d 100644
--- a/.github/workflows/reproducible-builds.yml
+++ b/.github/workflows/reproducible-builds.yml
@@ -1,4 +1,11 @@
-# Build Constellation CLI + OS images and check for reproducible builds
+# Verify that Constellation builds are reproducible.
+#
+# The build-* jobs' matrix has two dimensions: a list of targets to build and
+# a list of runners to build on. The produced binaries and OS images are
+# expected to be bit-for-bit identical, regardless of the chosen build runner.
+#
+# The compare-* jobs only have the target dimension. They obtain the built
+# targets from all runners and check that there are no diffs between them.
 name: Reproducible Builds
 
 on:

From baabbe61fb15e3f5b7a0df723efcdc3a4a372e4c Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Sun, 24 Dec 2023 11:18:22 +0100
Subject: [PATCH 07/12] constants: use variables for measurement files

---
 .../measurements/measurement-generator/BUILD.bazel | 1 +
 .../measurements/measurement-generator/generate.go | 5 +++--
 .../osimage/measurementsuploader/measurementsuploader.go | 4 ++--
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/internal/attestation/measurements/measurement-generator/BUILD.bazel b/internal/attestation/measurements/measurement-generator/BUILD.bazel
index 35e8c82591..a678991e9a 100644
--- a/internal/attestation/measurements/measurement-generator/BUILD.bazel
+++ b/internal/attestation/measurements/measurement-generator/BUILD.bazel
@@ -11,6 +11,7 @@ go_library(
 "//internal/attestation/measurements",
 "//internal/attestation/variant",
 "//internal/cloud/cloudprovider",
+ "//internal/constants",
 "//internal/sigstore",
 "//internal/sigstore/keyselect",
 "@org_golang_x_tools//go/ast/astutil",
diff --git a/internal/attestation/measurements/measurement-generator/generate.go b/internal/attestation/measurements/measurement-generator/generate.go
index 0050760add..bb5bbc7e58 100644
--- a/internal/attestation/measurements/measurement-generator/generate.go
+++ b/internal/attestation/measurements/measurement-generator/generate.go
@@ -27,6 +27,7 @@ import (
 "github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
 "github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/sigstore"
 "github.com/edgelesssys/constellation/v2/internal/sigstore/keyselect"
 "golang.org/x/tools/go/ast/astutil"
@@ -109,11 +110,11 @@ func main() {
 
 // mustGetMeasurements fetches the measurements for the given image and CSP and verifies them.
 func mustGetMeasurements(ctx context.Context, verifier rekorVerifier, provider cloudprovider.Provider, attestationVariant variant.Variant, image string) measurements.M {
- measurementsURL, err := measurementURL(image, "measurements.json")
+ measurementsURL, err := measurementURL(image, constants.CDNMeasurementsFile)
 if err != nil {
 panic(err)
 }
- signatureURL, err := measurementURL(image, "measurements.json.sig")
+ signatureURL, err := measurementURL(image, constants.CDNMeasurementsSignature)
 if err != nil {
 panic(err)
 }
diff --git a/internal/osimage/measurementsuploader/measurementsuploader.go b/internal/osimage/measurementsuploader/measurementsuploader.go
index 7e98a41b20..ab2bcce7bd 100644
--- a/internal/osimage/measurementsuploader/measurementsuploader.go
+++ b/internal/osimage/measurementsuploader/measurementsuploader.go
@@ -84,11 +84,11 @@ func (a *Uploader) Upload(ctx context.Context, rawMeasurement, signature io.Read
 if err != nil {
 return "", "", fmt.Errorf("creating version: %w", err)
 }
- key, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), "measurements.json")
+ key, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), constants.CDNMeasurementsFile)
 if err != nil {
 return "", "", err
 }
- sigKey, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), "measurements.json.sig")
+ sigKey, err := url.JoinPath(ver.ArtifactPath(versionsapi.APIV2), ver.Kind().String(), constants.CDNMeasurementsSignature)
 if err != nil {
 return "", "", err
 }

From 6d32a18b60445ea1b856409ec66178f80730c312 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Sun, 24 Dec 2023 11:20:08 +0100
Subject: [PATCH 08/12] constants: use variables for CDN distribution ID

---
 hack/cli-k8s-compatibility/BUILD.bazel | 1 +
 hack/cli-k8s-compatibility/main.go | 3 ++-
 image/upload/internal/cmd/BUILD.bazel | 1 +
 image/upload/internal/cmd/image.go | 3 ++-
 image/upload/internal/cmd/info.go | 3 ++-
 image/upload/internal/cmd/measurementsupload.go | 3 ++-
 6 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/hack/cli-k8s-compatibility/BUILD.bazel b/hack/cli-k8s-compatibility/BUILD.bazel
index 8ea67b87da..d31d56b7de 100644
--- a/hack/cli-k8s-compatibility/BUILD.bazel
+++ b/hack/cli-k8s-compatibility/BUILD.bazel
@@ -7,6 +7,7 @@ go_library(
 visibility = ["//visibility:private"],
 deps = [
 "//internal/api/versionsapi",
+ "//internal/constants",
 "//internal/logger",
 "//internal/versions",
 "@org_uber_go_zap//zapcore",
diff --git a/hack/cli-k8s-compatibility/main.go b/hack/cli-k8s-compatibility/main.go
index 1f58209a32..616c6fd984 100644
--- a/hack/cli-k8s-compatibility/main.go
+++ b/hack/cli-k8s-compatibility/main.go
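Review bot: The two `constants.CDNMeasurementsFile` / `constants.CDNMeasurementsSignature` references are the only change this commit makes to measurementsuploader.go (the diffstat reports 2 insertions and 2 deletions and no import hunk is shown), so the file must already import `github.com/edgelesssys/constellation/v2/internal/constants`, and its BUILD.bazel must already list `//internal/constants`, for this to build; generate.go in the same commit needed both additions. Worth confirming, since a missing Bazel dep only surfaces at build time. `Upload` starts and ends outside the hunk.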
@@ -12,6 +12,7 @@ import (
 "flag"
 
 "github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/logger"
 "github.com/edgelesssys/constellation/v2/internal/versions"
 "go.uber.org/zap/zapcore"
@@ -49,7 +50,7 @@ func main() {
 cliInfo.Kubernetes = append(cliInfo.Kubernetes, v.ClusterVersion)
 }
 
- c, cclose, err := versionsapi.NewClient(ctx, "eu-central-1", "cdn-constellation-backend", "E1H77EZTHC3NE4", false, log)
+ c, cclose, err := versionsapi.NewClient(ctx, "eu-central-1", "cdn-constellation-backend", constants.CDNDefaultDistributionID, false, log)
 if err != nil {
 log.Fatalf("creating s3 client: %w", err)
 }
diff --git a/image/upload/internal/cmd/BUILD.bazel b/image/upload/internal/cmd/BUILD.bazel
index e89acc665d..0717cab0e4 100644
--- a/image/upload/internal/cmd/BUILD.bazel
+++ b/image/upload/internal/cmd/BUILD.bazel
@@ -27,6 +27,7 @@ go_library(
 "//internal/api/versionsapi",
 "//internal/attestation/measurements",
 "//internal/cloud/cloudprovider",
+ "//internal/constants",
 "//internal/logger",
 "//internal/osimage",
 "//internal/osimage/archive",
diff --git a/image/upload/internal/cmd/image.go b/image/upload/internal/cmd/image.go
index 0f4e94e4ce..048ef4e6f9 100644
--- a/image/upload/internal/cmd/image.go
+++ b/image/upload/internal/cmd/image.go
@@ -9,6 +9,7 @@ package cmd
 import (
 "os"
 
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/spf13/cobra"
 )
 
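Review bot: Only the distribution ID is moved to `constants.CDNDefaultDistributionID`; the companion values `"eu-central-1"` and `"cdn-constellation-backend"` remain string literals in this `versionsapi.NewClient` call and in the `region`/`bucket` flag defaults of image.go, info.go and measurementsupload.go in the same commit, so the three settings that have to agree with one another are still only partially centralized. Constants for the region and bucket next to the distribution ID would finish the job. Separately, the unchanged context line `log.Fatalf("creating s3 client: %w", err)` uses `%w` outside `fmt.Errorf`; unless this logger's Fatalf implements wrapping, that renders as `%!w(...)`, and `%v` is the safe directive (pre-existing, not introduced here). `main` starts and ends outside the hunk.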
@@ -32,7 +33,7 @@ func NewImageCmd() *cobra.Command {
 cmd.PersistentFlags().String("timestamp", "", "Optional timestamp to use for resource names. Uses format 2006-01-02T15:04:05Z07:00.")
 cmd.PersistentFlags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 cmd.PersistentFlags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
- cmd.PersistentFlags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+ cmd.PersistentFlags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 cmd.PersistentFlags().String("out", "", "Optional path to write the upload result to. If not set, the result is written to stdout.")
 cmd.PersistentFlags().Bool("verbose", false, "Enable verbose output")
 must(cmd.MarkPersistentFlagRequired("raw-image"))
diff --git a/image/upload/internal/cmd/info.go b/image/upload/internal/cmd/info.go
index 51ba533ccc..c837c6a03e 100644
--- a/image/upload/internal/cmd/info.go
+++ b/image/upload/internal/cmd/info.go
@@ -12,6 +12,7 @@ import (
 "os"
 
 "github.com/edgelesssys/constellation/v2/internal/api/versionsapi"
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/logger"
 infoupload "github.com/edgelesssys/constellation/v2/internal/osimage/imageinfo"
 "github.com/spf13/cobra"
@@ -31,7 +32,7 @@ func NewInfoCmd() *cobra.Command {
 
 cmd.Flags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 cmd.Flags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
- cmd.Flags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+ cmd.Flags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 cmd.Flags().Bool("verbose", false, "Enable verbose output")
 
 return cmd
diff --git a/image/upload/internal/cmd/measurementsupload.go b/image/upload/internal/cmd/measurementsupload.go
index 4398a0dfc9..e266fda3f5 100644
--- a/image/upload/internal/cmd/measurementsupload.go
+++ b/image/upload/internal/cmd/measurementsupload.go
@@ -10,6 +10,7 @@ import (
 "fmt"
 "os"
 
+ "github.com/edgelesssys/constellation/v2/internal/constants"
 "github.com/edgelesssys/constellation/v2/internal/logger"
 "github.com/edgelesssys/constellation/v2/internal/osimage/measurementsuploader"
 "github.com/spf13/cobra"
@@ -31,7 +32,7 @@ func newMeasurementsUploadCmd() *cobra.Command {
 cmd.Flags().String("signature", "", "Path to signature file to upload")
 cmd.Flags().String("region", "eu-central-1", "AWS region of the archive S3 bucket")
 cmd.Flags().String("bucket", "cdn-constellation-backend", "S3 bucket name of the archive")
- cmd.Flags().String("distribution-id", "E1H77EZTHC3NE4", "CloudFront distribution ID of the API")
+ cmd.Flags().String("distribution-id", constants.CDNDefaultDistributionID, "CloudFront distribution ID of the API")
 cmd.Flags().Bool("verbose", false, "Enable verbose output")
 must(cmd.MarkFlagRequired("measurements"))
 

From a9a6151b6aa52274cdb4c84deef9ec4b5ca338ed Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 5 Jan 2024 15:26:00 +0100
Subject: [PATCH 09/12] ci: make Helm version explicit

---
 .github/actions/deploy_logcollection/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/actions/deploy_logcollection/action.yml b/.github/actions/deploy_logcollection/action.yml
index 942ef56e4a..8bafa9ed23 100644
--- a/.github/actions/deploy_logcollection/action.yml
+++ b/.github/actions/deploy_logcollection/action.yml
@@ -65,7 +65,7 @@ runs:
 - name: Install Helm
 uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
 with:
- version: latest
+ version: v3.9.0
 
 - name: Deploy Logstash
 id: deploy-logstash

From 0085e16c63cebeb781767b709a70ff0c89bc8c48 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 3 Jan 2024 12:08:52 +0100
Subject: [PATCH 10/12] api: prettify versionsapi-list output

---
 internal/api/versionsapi/cli/list.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/api/versionsapi/cli/list.go b/internal/api/versionsapi/cli/list.go
index 152d0c5f7c..f158d6d3c8 100644
--- a/internal/api/versionsapi/cli/list.go
+++ b/internal/api/versionsapi/cli/list.go
@@ -94,7 +94,7 @@ func runList(cmd *cobra.Command, _ []string) (retErr error) {
 for _, v := range patchVersions {
 vers = append(vers, v.Version())
 }
- raw, err := json.Marshal(vers)
+ raw, err := json.MarshalIndent(vers, "", " ")
 if err != nil {
 return fmt.Errorf("marshaling versions: %w", err)
 }

From 82ed7b4bf521198d2be63e4631061289d3a56001 Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Fri, 5 Jan 2024 13:18:18 +0100
Subject: [PATCH 11/12] ci: remove obsolete docstring

---
 .github/actions/login_gcp/action.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/actions/login_gcp/action.yml b/.github/actions/login_gcp/action.yml
index 4a05a03b79..5c40696063 100644
--- a/.github/actions/login_gcp/action.yml
+++ b/.github/actions/login_gcp/action.yml
@@ -19,8 +19,6 @@ runs:
 echo "GCP_PROJECT=" >> "$GITHUB_ENV"
 echo "GOOGLE_CLOUD_PROJECT=" >> "$GITHUB_ENV"
 
- # As described at:
- # https://github.com/google-github-actions/setup-gcloud#service-account-key-json
 - name: Authorize GCP access
 uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
 with:

From e02a5fba805b9f2ac4d1245a07147fc24cf313fc Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Mon, 8 Jan 2024 17:17:35 +0100
Subject: [PATCH 12/12] Revert "ci: check integrity of rekor-cli"

This reverts commit fd03e62fdbdc621fab9400864b71ff157f6ff5e2.
---
 .github/workflows/build-os-image.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
index ffaf646f90..5cca210819 100644
--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -575,7 +575,6 @@ jobs:
 shell: bash
 run: |
 curl -fsSLO https://github.com/sigstore/rekor/releases/download/v0.12.0/rekor-cli-linux-amd64
- echo 23c9baefe12b28879275f5aa84dbe9cd734d67ba42bf9bbb28a3eedbf1ed2dd4 rekor-cli-linux-amd64 | sha256sum -c --strict
 sudo install rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
 rm rekor-cli-linux-amd64
 