From a8eaf788463e8e0d6bf748ed1866042852bb7ce0 Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Sat, 25 Feb 2023 17:10:58 +0900 Subject: [PATCH] Deprecate GPG key signed signature (#1587) --- README.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 889388b34..ae065fb47 100644 --- a/README.md +++ b/README.md @@ -40,18 +40,10 @@ NOTE: The Chocolatey package is NOT directly maintained by the TFLint maintainer ### Verification -GnuPG +Releases are signed by [Cosign](https://github.com/sigstore/cosign). `cosign verify-blob` ensures that the release was built with this repository's GitHub Actions. ``` -gpg --import 8CE69160EB3F2FE9.key -gpg --verify checksum.txt.sig checksum.txt -sha256sum --ignore-missing -c checksums.txt -``` - -Cosign - -``` -COSIGN_EXPERIMENTAL=1 cosign verify-blob --certificate checksums.txt.pem --signature checksums.txt.keyless.sig --certificate-github-workflow-repository=terraform-linters/tflint checksums.txt +cosign verify-blob --certificate=checksums.txt.pem --signature=checksums.txt.keyless.sig --certificate-identity-regexp="^https://github.com/terraform-linters/tflint" --certificate-oidc-issuer=https://token.actions.githubusercontent.com checksums.txt sha256sum --ignore-missing -c checksums.txt ```
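Review bot: the `--certificate-identity-regexp="^https://github.com/terraform-linters/tflint"` value in the new `cosign verify-blob` line is anchored only at the start and leaves the dots unescaped, so it accepts any certificate identity that merely begins with that string, including a workflow in a different repository under the same organization whose name starts with `tflint`. The removed command pinned the repository exactly with `--certificate-github-workflow-repository=terraform-linters/tflint`, and the new one drops that flag. This makes the added sentence "ensures that the release was built with this repository's GitHub Actions" stronger than what the command actually checks. Suggest either keeping `--certificate-github-workflow-repository=terraform-linters/tflint` alongside the new flags, or tightening the pattern to end at a path boundary, for example `^https://github\.com/terraform-linters/tflint/`. Since this commit removes the GPG instructions entirely, it would also help if the README said in one line that the GPG signature is deprecated, so users with existing scripts that call `gpg --verify` know why the step disappeared.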