From eceb82d82c3996aa87b6e6bdb8d1f692fce8437e Mon Sep 17 00:00:00 2001
From: Dmitry S <dsavints@gmail.com>
Date: Mon, 29 Jan 2024 19:40:18 +0100
Subject: [PATCH] document --ca-roots flag for 'cosign verify'

Related to https://github.com/sigstore/cosign/issues/3462.
Document the new 'cosign verify' --ca-roots flag and
its difference to the --certificate-chain flag.
List the supported and currently unsupported use cases
(single/multiple CA(s), intermediate CAs).

Signed-off-by: Dmitry S <dsavints@gmail.com>
---
 content/en/verifying/verify.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/content/en/verifying/verify.md b/content/en/verifying/verify.md
index 9ac4a095..1bf81f1b 100644
--- a/content/en/verifying/verify.md
+++ b/content/en/verifying/verify.md
@@ -80,12 +80,25 @@ $ cosign verify --certificate cosign.crt --certificate-chain chain.crt --certifi
 ```
 
 ## Verify image with user-provided trusted chain
-Verify image with the provided certificate chain and identity parameters (intended for
-a "bring your own PKI" use case):
-
+Verify image with the provided certificate chain(s) and identity parameters (intended for
+"bring your own PKI" use cases).
+* with a single certificate chain file - which may contain one or several intermediate
+certificates followed by the root CA certificate - use the `--certificate-chain` parameter:
 ```shell
 $ cosign verify --certificate-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity foo@example.com user/demo
 ```
+* with a certificate bundle PEM file containing several CA roots (but without
+intermediate certificate), use the `--ca-roots` parameter:
+```shell
+$ cosign verify --ca-roots ca-roots.pem --certificate-oidc-issuer https://issuer.example.com --certificate-identity foo@example.com user/demo
+```
+
+The `--ca-roots` and `--certificate-chain` flags are mutually exclusive.
+
+Note that the hypothetical use case of "multiple chains with multiple CA roots and intermediate
+certificates" is not yet supported.  There are plans to add the `--ca-intermediates` parameter
+(see [issue #3462](https://github.com/sigstore/cosign/issues/3462)).  If you need this,
+please open an issue and mention it on the Sigstore #cosign Slack.
 
 ## Verify an image on the transparency log