mirror of https://github.com/knative/docs.git
Update Knative cosign verify docs (#5569)
Signed-off-by: Caleb Woodbine <calebwoodbine.public@gmail.com>
Co-authored-by: Caleb Woodbine <calebwoodbine.public@gmail.com>
parent
ce268d8f31
commit
228f76f7b1
|
@ -16,9 +16,11 @@ Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs
|
|||
1. Verify the signature by running the command:
|
||||
|
||||
```sh
|
||||
COSIGN_EXPERIMENTAL=1 cosign verify-blob \
|
||||
cosign verify-blob \
|
||||
--cert checksums.txt.pem \
|
||||
--signature checksums.txt.sig \
|
||||
--certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
|
||||
--certificate-oidc-issuer=https://accounts.google.com \
|
||||
checksums.txt
|
||||
```
|
||||
|
||||
|
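Review bot: The step drops `COSIGN_EXPERIMENTAL=1` from the `cosign verify-blob` line and starts passing `--certificate-identity` and `--certificate-oidc-issuer`, but nothing in the step says which cosign version the new command expects. Suggest one sentence before the command stating the minimum cosign version, so a reader whose client predates this form knows to upgrade instead of debugging the command. Style: the two new flags use `--flag=value` while `--cert checksums.txt.pem` and `--signature checksums.txt.sig` use a space; pick one form for the whole command.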
@ -29,4 +31,5 @@ Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs
|
|||
```
|
||||
|
||||
!!! note
|
||||
`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-nightly.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`.
|
||||
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-releases.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`.
|
||||
|
||||
|
|
|
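Review bot: The rewritten note opens with "Knative images are signed in `KEYLESS` mode", but per the hunk header this file covers the `kn` CLI release, and the step above verifies `checksums.txt`, not an image. Suggest wording the note for the CLI artifacts, for example "Knative `kn` releases are signed in `KEYLESS` mode". The identity in the note also changes from `signer@knative-nightly.iam.gserviceaccount.com` to `signer@knative-releases.iam.gserviceaccount.com`, which the commit message does not mention; a line there saying whether the old value was a documentation error would help anyone who pinned it.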
@ -7,19 +7,15 @@ Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore
|
|||
1. Extract the images from a manifeset and verify the signatures.
|
||||
|
||||
```
|
||||
# download the yaml file, this example uses the serving manifest
|
||||
curl -fsSLO https://github.com/knative/serving/releases/download/knative-v1.9.0/serving-core.yaml
|
||||
cat serving-core.yaml | grep 'gcr.io/' | awk '{print $2}' > images.txt
|
||||
input=images.txt
|
||||
while IFS= read -r image
|
||||
do
|
||||
COSIGN_EXPERIMENTAL=1 cosign verify -o text "$image" | jq
|
||||
done < "$input"
|
||||
|
||||
curl -sSL https://github.com/knative/serving/releases/download/knative-v1.10.1/serving-core.yaml \
|
||||
| grep 'gcr.io/' | awk '{print $2}' | sort | uniq \
|
||||
| xargs -n 1 \
|
||||
cosign verify -o text \
|
||||
--certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
|
||||
--certificate-oidc-issuer=https://accounts.google.com
|
||||
```
|
||||
|
||||
!!! note
|
||||
`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
|
||||
in `KEYLESS` mode. To learn more about keyless signing, please refer to
|
||||
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
|
||||
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
|
||||
Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
|
||||
Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
|
||||
|
|
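Review bot: The new `curl -sSL` drops the `-f` that the removed `curl -fsSLO` had, so an HTTP error response is no longer a curl failure and its body is piped into `grep 'gcr.io/'` as if it were the manifest. Suggest keeping `-f` (`curl -fsSL ...`) and noting in the step that the reader should confirm every expected image was listed and verified, since the exit status of the pipeline only reflects the final `xargs` stage. The release tag also moves from `knative-v1.9.0` to `knative-v1.10.1` as a hard-coded value; a sentence telling the reader to substitute the version they are installing would keep the example from going stale. The unchanged context line still reads "manifeset"; worth fixing while this step is being touched.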