Update OBI install docs (#9590)

Co-authored-by: otelbot <197425009+otelbot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

content/en/docs/zero-code/obi/setup/docker.md

@@ -11,9 +11,14 @@ cSpell:ignore: goblog
 OBI can run a standalone Docker container that can instrument a process running
 in another container.
 
-Find the latest image of OBI on
-[Docker Hub](https://hub.docker.com/r/otel/ebpf-instrument) with the following
-name:
+OBI container images are published to both registries:
+
+- [Docker Hub](https://hub.docker.com/r/otel/ebpf-instrument):
+  `otel/ebpf-instrument:v<version>`
+- [GHCR](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/pkgs/container/opentelemetry-ebpf-instrumentation%2Febpf-instrument):
+  `ghcr.io/open-telemetry/opentelemetry-ebpf-instrumentation/ebpf-instrument:v<version>`
+
+The development tag is also published on Docker Hub as:
 
 ```text
 otel/ebpf-instrument:main
@@ -35,10 +40,17 @@ keys, authenticated via the OIDC (OpenID Connect) protocol in GitHub Actions.
 This ensures the authenticity and integrity of the container published by the
 OpenTelemetry project.
 
-You can verify the signature of the container image using the following command:
+You can verify the signature of the container image using the following
+commands:
 
 ```sh
-cosign verify --certificate-identity-regexp 'https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' otel/ebpf-instrument:main
+export VERSION=v0.7.0
+
+# Verify a release image from Docker Hub
+cosign verify --certificate-identity-regexp 'https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' otel/ebpf-instrument:${VERSION}
+
+# Verify the same release from GHCR
+cosign verify --certificate-identity-regexp 'https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/' --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' ghcr.io/open-telemetry/opentelemetry-ebpf-instrumentation/ebpf-instrument:${VERSION}
 ```
 
 Here is an example output:
@@ -53,13 +65,22 @@ The following checks were performed on each of these signatures:
 [{"critical":{"identity":{"docker-reference":"index.docker.io/otel/ebpf-instrument:main"},"image":{"docker-manifest-digest":"sha256:55426a2bbb8003573a961697888aa770a1f5f67fcda2276dc2187d1faf7181fe"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}]
 ```
 
+Successful verification reports that the Cosign claims were validated and shows
+the signed image digest. If verification fails:
+
+- confirm that the tag exists in the registry you queried
+- make sure you are verifying a published release tag, not just `main`
+- verify that you are using the GitHub OIDC issuer and identity regular
+  expression shown above
+
 ## Docker CLI example
 
 For this example you need a container running an HTTP/S or gRPC service. If you
 don't have one, you can use this
 [simple blog engine service written in Go](https://macias.info):
 
 ```sh
+export VERSION=v0.7.0
 docker run -p 18443:8443 --name goblog mariomac/goblog:dev
 ```
 
@@ -87,7 +108,7 @@ docker run --rm \
   -e OTEL_EBPF_TRACE_PRINTER=text \
   --pid=host \
   --privileged \
-  otel/ebpf-instrument:main
+  otel/ebpf-instrument:${VERSION}
 ```
 
 After OBI is running, open `https://localhost:18443` in your browser, use the

content/en/docs/zero-code/obi/setup/standalone.md

@@ -3,6 +3,7 @@ title: Run OBI as a standalone process
 linkTitle: Standalone
 description: Learn how to setup and run OBI as a standalone Linux process.
 weight: 5
+cSpell:ignore: cyclonedx
 ---
 
 OBI can run as a standalone Linux OS process with elevated privileges that can
@@ -17,7 +18,20 @@ Each release includes:
 
 - `obi-v<version>-linux-amd64.tar.gz` - Linux AMD64/x86_64 archive
 - `obi-v<version>-linux-arm64.tar.gz` - Linux ARM64 archive
-- `SHA256SUMS` - Checksums for verification
+- `obi-v<version>-linux-amd64.cyclonedx.json` - CycloneDX SBOM for the AMD64
+  archive
+- `obi-v<version>-linux-arm64.cyclonedx.json` - CycloneDX SBOM for the ARM64
+  archive
+- `obi-v<version>-source-generated.cyclonedx.json` - CycloneDX SBOM for the
+  source-generated archive
+- `obi-java-agent-v<version>.cyclonedx.json` - CycloneDX SBOM for the embedded
+  Java agent and its Java dependencies
+- `SHA256SUMS` - Checksums for verification of the release archives and SBOM
+  assets
+
+Container images for the same release are also published. For image pull and
+signature verification instructions, see
+[Run OBI as a Docker container](../docker/).
 
 Set your desired version and architecture:
 
@@ -44,6 +58,18 @@ sha256sum -c SHA256SUMS --ignore-missing
 tar -xzf obi-v${VERSION}-linux-${ARCH}.tar.gz
 ```
 
+Successful verification prints an `OK` result for each downloaded file:
+
+```text
+obi-v${VERSION}-linux-${ARCH}.tar.gz: OK
+```
+
+If verification fails, `sha256sum` reports `FAILED`. When that happens:
+
+- confirm that `VERSION` matches the archive and `SHA256SUMS` you downloaded
+- remove any partially downloaded files and fetch them again
+- verify only the files you actually downloaded from that release
+
 The archive contains:
 
 - `obi` - Main OBI binary
@@ -66,6 +92,42 @@ The archive contains:
 > (for example `XDG_CACHE_HOME=/var/cache/obi sudo -E obi ...`) or configure an
 > explicit cache path according to your environment.
 
+## SBOMs
+
+CycloneDX SBOM files are optional metadata for supply-chain review and
+automation. They are not required to install or run OBI.
+
+The published SBOMs describe the contents of the binary archives and embedded
+components in [CycloneDX JSON format](https://cyclonedx.org/). They can be used
+with standard SBOM tooling to inspect dependencies, licenses, and components
+without executing the binaries.
+
+Download the SBOMs you want to inspect:
+
+```sh
+# SBOM for the binary archive you downloaded
+wget https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/download/v${VERSION}/obi-v${VERSION}-linux-${ARCH}.cyclonedx.json
+
+# SBOM for the embedded Java agent and its Java dependencies
+wget https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/download/v${VERSION}/obi-java-agent-v${VERSION}.cyclonedx.json
+
+# Optional: verify the downloaded SBOM files against SHA256SUMS too
+sha256sum -c SHA256SUMS --ignore-missing
+```
+
+Example inspection commands:
+
+```sh
+# List component names and versions from the archive SBOM
+jq '.components[] | {name, version}' obi-v${VERSION}-linux-${ARCH}.cyclonedx.json
+
+# Scan the SBOM with Grype
+grype sbom:obi-v${VERSION}-linux-${ARCH}.cyclonedx.json
+
+# Inspect the Java agent dependency graph
+jq '.components[] | {name, version}' obi-java-agent-v${VERSION}.cyclonedx.json
+```
+
 ## Install to system
 
 After extracting the archive, you can install the binaries to a location in your

static/refcache.json

@@ -1247,6 +1247,10 @@
     "StatusCode": 206,
     "LastSeen": "2026-03-17T09:54:50.430034452Z"
   },
+  "https://cyclonedx.org/": {
+    "StatusCode": 200,
+    "LastSeen": "2026-04-06T21:47:59.459109645Z"
+  },
   "https://danielmiessler.com/blog/ai-influence-level-ail": {
     "StatusCode": 206,
     "LastSeen": "2026-03-03T09:52:09.028680117Z"
@@ -12571,6 +12575,10 @@
     "StatusCode": 206,
     "LastSeen": "2026-03-10T09:53:15.207792097Z"
   },
+  "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/pkgs/container/opentelemetry-ebpf-instrumentation%2Febpf-instrument": {
+    "StatusCode": 206,
+    "LastSeen": "2026-04-07T00:19:16.233031662Z"
+  },
   "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases": {
     "StatusCode": 206,
     "LastSeen": "2026-03-12T09:59:20.644535557Z"