docs: verify command takes in manifest file

edgelesssys · Jun 24, 2024 · fc60a9a · fc60a9a
1 parent b5d2c6f
commit fc60a9a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/docs/docs/deployment.md b/docs/docs/deployment.md
@@ -256,6 +256,7 @@ Attest the Coordinator and set the manifest:
 contrast set -c "${coordinator}:1313" resources/
 ```
 
+This will use the reference values from the manifest file to attest the Coordinator.
 After this step, the Coordinator will start issuing TLS certificates to the workloads. The init container
 will fetch a certificate for the workload and the workload is started.
 
@@ -267,9 +268,10 @@ An end user (data owner) can verify the Contrast deployment using the `verify` c
 contrast verify -c "${coordinator}:1313"
 ```
 
-The CLI will attest the Coordinator using embedded reference values. The CLI will write the service mesh
-root certificate and the history of manifests into the `verify/` directory. In addition, the policies referenced
-in the manifest are also written to the directory.
+The CLI will attest the Coordinator using the reference values from the given manifest file. It will then write the
+service mesh root certificate and the history of manifests into the `verify/` directory. In addition, the policies
+referenced in the active manifest are also written to the directory. The verification will fail if the active
+manifest at the Coordinator doesn't match the manifest passed to the CLI.
 
 ## Communicate with workloads
 

diff --git a/docs/docs/examples/emojivoto.md b/docs/docs/examples/emojivoto.md
@@ -145,7 +145,9 @@ command:
 contrast verify -c "${coordinator}:1313"
 ```
 
-The CLI will attest the Coordinator using embedded reference values. If the command succeeds,
+The CLI will attest the Coordinator using the reference values from a given manifest. This manifest needs
+to be communicated out of band to everyone wanting to verify the deployment, as the `verify` command checks
+if the currently active manifest at the Coordinator matches the manifest given to the CLI. If the command succeeds,
 the Coordinator deployment was successfully verified to be running in the expected Confidential
 Computing environment with the expected code version. The Coordinator will then return its
 configuration over the established TLS channel. The CLI will store this information, namely the root