crane: installation instructions have wrong command for slsa verification #1565

Closed
Hi-Fi opened this issue Feb 16, 2023 · 3 comments · Fixed by #1567
Labels
bug Something isn't working

Hi-Fi commented Feb 16, 2023

Describe the bug

Installation can't be done following instructions from https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md#installation.

./slsa-verifier-linux-amd64 -artifact-path go-containerregistry.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/go-containerregistry -tag "v${CRANE_VERSION}"
unknown command "go-containerregistry.tar.gz" for "slsa-verifier"

To Reproduce

Follow instructions at https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md#installation

Note that the provenance file was downloaded correctly even though the fix from #1539 is not visible in the README.

Expected behavior

Installation to pass with all steps mentioned.

Working command:

./slsa-verifier-linux-amd64 verify-artifact go-containerregistry.tar.gz --provenance-path provenance.intoto.jsonl --source-uri github.com/google/go-containerregistry --source-tag "v${CRANE_VERSION}"

Additional context

Breaking change introduced at https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.0.0

Add any other context about the problem here.

  • Output of crane version: 0.13.0
  • Registry used (e.g., GCR, ECR, Quay): none

Hi-Fi added the bug label Feb 16, 2023

@imjasonh
Collaborator

cc @laurentsimon @asraa

@ianlewis
Contributor

Hi. Starting in v2 of slsa-verifier we updated the CLI to better support other types of artifacts.

I think this may just be a matter of updating the doc with the new command. We maintain backwards compatibility in the CLI (but may update it for major versions) and aren't likely to make more backwards incompatible changes any time soon.

I have some doubts but is it maybe helpful to note the version of the verifier used?

@Hi-Fi
Author

Hi-Fi commented Feb 17, 2023

Thank you, this would help new users as they don't get errors at installation.
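
The suggestion in the thread to note the verifier version, taken one step further as an added example (not part of the issue, the crane README or the slsa-verifier project): a POSIX shell wrapper that refuses to run the verifier unless the binary matches a pinned SHA-256 digest, then calls the v2 verify-artifact form quoted in the issue. The function names and the digest argument are assumptions; the pin would come from the slsa-verifier release the instructions were written against.

```shell
#!/bin/sh
# Added example: pin the slsa-verifier binary so that the CLI syntax in the
# install instructions always matches the binary that actually runs.

# sha256_matches FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its SHA-256 equals EXPECTED_HEX
# (lowercase hex, as printed by sha256sum).
sha256_matches() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_crane_release VERIFIER VERIFIER_SHA256 ARTIFACT PROVENANCE TAG
# Runs the v2 "verify-artifact" command from the issue, but only when the
# verifier binary matches the pinned digest. Returns 2 on a pin mismatch,
# otherwise the verifier's own exit status.
verify_crane_release() {
    verifier=$1
    pin=$2
    artifact=$3
    provenance=$4
    tag=$5
    if ! sha256_matches "$verifier" "$pin"; then
        echo "refusing to run: $verifier does not match the pinned digest" >&2
        return 2
    fi
    "$verifier" verify-artifact "$artifact" \
        --provenance-path "$provenance" \
        --source-uri github.com/google/go-containerregistry \
        --source-tag "$tag"
}
```

A pin mismatch stops before the verifier is executed, so an unexpected major version fails with a clear message instead of an "unknown command" error partway through installation.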
