diff --git a/docs/snippets/security-prereqs-binaries.md b/docs/snippets/security-prereqs-binaries.md index 594946ad2..cee5109f6 100644 --- a/docs/snippets/security-prereqs-binaries.md +++ b/docs/snippets/security-prereqs-binaries.md @@ -16,9 +16,11 @@ Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs 1. Verify the signature by running the command: ```sh - COSIGN_EXPERIMENTAL=1 cosign verify-blob \ + cosign verify-blob \ --cert checksums.txt.pem \ --signature checksums.txt.sig \ + --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \ + --certificate-oidc-issuer=https://accounts.google.com \ checksums.txt ``` @@ -29,4 +31,5 @@ Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs ``` !!! note - `COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-nightly.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`. + Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-releases.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`. + diff --git a/docs/snippets/security-prereqs-images.md b/docs/snippets/security-prereqs-images.md index e94dd8261..93f47594f 100644 --- a/docs/snippets/security-prereqs-images.md +++ b/docs/snippets/security-prereqs-images.md 
@@ -7,19 +7,15 @@ Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore 1. Extract the images from a manifeset and verify the signatures. ``` -# download the yaml file, this example uses the serving manifest -curl -fsSLO https://github.com/knative/serving/releases/download/knative-v1.9.0/serving-core.yaml -cat serving-core.yaml | grep 'gcr.io/' | awk '{print $2}' > images.txt -input=images.txt -while IFS= read -r image -do - COSIGN_EXPERIMENTAL=1 cosign verify -o text "$image" | jq -done < "$input" - +curl -sSL https://github.com/knative/serving/releases/download/knative-v1.10.1/serving-core.yaml \ + | grep 'gcr.io/' | awk '{print $2}' | sort | uniq \ + | xargs -n 1 \ + cosign verify -o text \ + --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \ + --certificate-oidc-issuer=https://accounts.google.com ``` !!! note - `COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed - in `KEYLESS` mode. To learn more about keyless signing, please refer to + Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures) - Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com` + Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
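Review bot: In the first `security-prereqs-binaries.md` hunk (`@@ -16,9 +16,11 @@`), dropping `COSIGN_EXPERIMENTAL=1` and adding `--certificate-identity` / `--certificate-oidc-issuer` makes the command depend on cosign 2.x, where keyless verification is the default and those two flags are mandatory; on a cosign 1.x install the flags do not exist and the command fails with an unknown-flag error. The snippet should state the minimum cosign version (2.0 or later) next to the intro sentence "Knative `kn` CLI releases from 1.9 onwards are signed with cosign", or the note should mention it, so readers with an older CLI do not mistake the failure for a bad signature. The pinned identity and issuer themselves are the right fix: without them a keyless verification would accept any certificate chained to the Fulcio root, not just the Knative release signer.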
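Review bot: In the second `security-prereqs-binaries.md` hunk (`@@ -29,4 +31,5 @@`), the replacement note says "Knative images are signed in `KEYLESS` mode", but this snippet documents verification of the `kn` CLI checksums file and binaries, not container images; suggest "Knative `kn` CLI release artifacts are signed in `KEYLESS` mode" so the wording matches what the reader just verified with `verify-blob`. The identity correction from `signer@knative-nightly.iam.gserviceaccount.com` to `signer@knative-releases.iam.gserviceaccount.com` is consistent with the `--certificate-identity` value added in the first hunk, which is the important part. Minor: the hunk also appends an empty `+` line at end of file, which adds a trailing blank line.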
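Review bot: In the `security-prereqs-images.md` hunk (`@@ -7,19 +7,15 @@`), the new pipeline changes `curl -fsSLO` to `curl -sSL`, dropping `-f`. Without `-f`, a 404 or other HTTP error page is piped into `grep 'gcr.io/'`, which matches nothing, so `xargs` runs `cosign verify` zero times and the whole command exits 0 having verified nothing; suggest `curl -fsSL` so a failed download is reported as an error rather than silently producing an empty image list. The pinned `--certificate-identity` and `--certificate-oidc-issuer` are correct and, with `xargs -n 1`, a verification failure on any single image still surfaces as a non-zero exit status. Style: `sort | uniq` can be `sort -u`; in the note, "identity(Subject)" is missing a space before the parenthesis and the sentence ending in `[Keyless Signatures](...)` has no period.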