knative
/
docs
mirror of https://github.com/knative/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update Knative cosign verify docs (#5569) 

Signed-off-by: Caleb Woodbine <calebwoodbine.public@gmail.com>
Co-authored-by: Caleb Woodbine <calebwoodbine.public@gmail.com>
This commit is contained in:
Knative Prow Robot 2023-05-17 22:27:12 +01:00 committed by GitHub
parent ce268d8f31
commit 228f76f7b1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
docs/snippets/security-prereqs-binaries.md
View File

@ -16,9 +16,11 @@ Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs
1. Verify the signature by running the command: 1. Verify the signature by running the command:
```sh ```sh
COSIGN_EXPERIMENTAL=1 cosign verify-blob \ cosign verify-blob \
--cert checksums.txt.pem \ --cert checksums.txt.pem \
--signature checksums.txt.sig \ --signature checksums.txt.sig \
--certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
checksums.txt checksums.txt
``` ```
@ -29,4 +31,5 @@ Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs
``` ```
!!! note !!! note
`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-nightly.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`. Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-releases.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`.

20
docs/snippets/security-prereqs-images.md
View File

@ -7,19 +7,15 @@ Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore
1. Extract the images from a manifeset and verify the signatures. 1. Extract the images from a manifeset and verify the signatures.
``` ```
# download the yaml file, this example uses the serving manifest curl -sSL https://github.com/knative/serving/releases/download/knative-v1.10.1/serving-core.yaml \
curl -fsSLO https://github.com/knative/serving/releases/download/knative-v1.9.0/serving-core.yaml | grep 'gcr.io/' | awk '{print $2}' | sort | uniq \
cat serving-core.yaml | grep 'gcr.io/' | awk '{print $2}' > images.txt | xargs -n 1 \
input=images.txt cosign verify -o text \
while IFS= read -r image --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
do --certificate-oidc-issuer=https://accounts.google.com
COSIGN_EXPERIMENTAL=1 cosign verify -o text "$image" | jq
done < "$input"
``` ```
!!! note !!! note
`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
in `KEYLESS` mode. To learn more about keyless signing, please refer to
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures) [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com` Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`