Add image/binary signing verification docs (#5272)

* add image signing instructions

* move signing to separate snippets

* fix lint error

* remove the snippets properly

* Apply suggestions from code review

Co-authored-by: Ashleigh Brennan <abrennan@redhat.com>

* bump versions to 1.9

* break out the steps

* add feature to the blogs

---------

Co-authored-by: Ashleigh Brennan <abrennan@redhat.com>
Mahamed 2023-02-07 19:42:47 +00:00 committed by GitHub
parent 98890d0b79
commit 788eb6c165
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 119 additions and 1 deletions


@ -35,7 +35,8 @@ This release brings a number of smaller improvements to the core Knative Serving
- `allowPrivilegeEscalation` (empty means `true`)
- `seccompProfile.type` (empty string means `Unconfined`)
- `capabilities.drop` (default maintains privileges, use `ALL` to drop unneeded linux capabilities) (#13399, @evankanderson)
- All Serving container images are signed with cosign (@upodroid).
## 💫 New Features & Changes
- Net-contour respects the `internal-encryption` Knative configuration, and encrypts traffic from Contour controlled Envoy to Activator. Requires Contour 1.24.0 or greater (#819, @KauzClay)
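Review bot: the added line `- All Serving container images are signed with cosign (@upodroid).` tells readers that the images are signed but not how to check it; link it to the new "Verifying image signatures" section introduced in this patch so the release note points at the verification steps. The same applies to the parallel Eventing, Client and Operator entries below.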
@ -68,6 +69,7 @@ This release brings a number of smaller improvements to the core Knative Serving
## 💫 New Features & Changes
- 📄 ApiServerSource can specify a selector to target one or more namespaces. If the selector is missing, it will default to targeting the namespace in which the source resides (#6665, @gab-satchi)
- All Eventing container images are signed with cosign (@upodroid).
## Bug fixes
@ -81,6 +83,8 @@ This release brings a number of smaller improvements to the core Knative Serving
### 💫 New Features & Changes
* `quickstart` plugin will now create a local registry. (#376, @ehudyonasi)
* All Client container images are signed with cosign (@upodroid).
### Small improvements
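Review bot: `* All Client container images are signed with cosign (@upodroid).` undersells the change for this component: the security page added in this patch states that the `kn` CLI binaries from 1.9 are also cosign-signed (and notarized on macOS), so mention the binaries here as well and link to "Verifying CLI binaries".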
@ -118,6 +122,7 @@ This release brings a number of smaller improvements to the core Knative Serving
[Release Notes](https://github.com/knative/operator/releases/tag/knative-v1.9.0)
- Security-Guard version 0.4 can now be installed using the Knative Operator. This new release of Security-Guard also includes TLS+Token support to secure internal communications between Security-Guard components (#1301, @houshengbo)
- All Operator container images are signed with cosign (@upodroid).
## Thank you, contributors


@ -2,6 +2,7 @@
This guide provides details about how you can install the Knative `kn` CLI.
--8<-- "security-prereqs-binaries.md"
--8<-- "install-kn.md"
## Install kn using the nightly-built binary
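Review bot: the included `security-prereqs-binaries.md` snippet covers signed releases "from 1.9 onwards" only, but this page also documents the nightly-built binary right below the include; either state whether nightly binaries are signed and how to verify them, or scope the new section so readers do not try the steps against nightly artifacts.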


@ -5,6 +5,7 @@ you with a parameter-driven way to configure the Knative cluster, without intera
resources.
--8<-- "prerequisites.md"
--8<-- "security-prereqs-binaries.md"
## Install the Knative Operator CLI Plugin
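Review bot: `--8<-- "security-prereqs-binaries.md"` is being included on the Operator CLI plugin page, but that snippet hardcodes `https://github.com/knative/client/releases/download/<kn-version>/...` and the `kn-darwin-amd64` asset name, which are the `kn` client's artifacts, not the operator plugin's. Either confirm the plugin's checksums and signature files live at that path, or parameterise the repository and asset name in the snippet before reusing it here.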


@ -10,6 +10,7 @@ The following table describes the supported versions of Serving and Eventing for
| v1.9 | v1.9.0<br/>v1.8.0, v1.8.1, v1.8.2 and v1.8.3<br/>v1.7.0, v1.7.1, v1.7.2, v1.7.3 and v1.7.4<br/>v1.6.0, v1.6.1, v1.6.2 and v1.6.3 | v1.9.0<br/>v1.8.0, v1.8.1, v1.8.2, v1.8.3, v1.8.4 and v1.8.5<br/>v1.7.0, v1.7.1, v1.7.2, v1.7.3, v1.7.4, v1.7.5, v1.7.6 and v1.7.7<br/>v1.6.0, v1.6.1, v1.6.2 and v1.6.3 |
--8<-- "prerequisites.md"
--8<-- "security-prereqs-images.md"
## Install the Knative Operator
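Review bot: the included `security-prereqs-images.md` snippet only walks through `serving-core.yaml` from knative/serving, whereas a reader of this page applies the Operator manifest; say which manifest the image-extraction loop should be run against on this page, otherwise the Operator's own images are never verified.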


@ -3,6 +3,7 @@
This topic describes how to install Knative Eventing by applying YAML files using the `kubectl` CLI.
--8<-- "prerequisites.md"
--8<-- "security-prereqs-images.md"
## Install Knative Eventing
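Review bot: the image-verification snippet included here uses the Serving manifest as its example; for this page the loop needs to run against the Eventing YAML that the following section tells readers to apply, so either make the snippet's manifest name a placeholder or add a sentence here saying which file to substitute.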


@ -3,6 +3,7 @@
This topic describes how to install Knative Serving by applying YAML files using the `kubectl` CLI.
--8<-- "prerequisites.md"
--8<-- "security-prereqs-images.md"
## Install the Knative Serving component


@ -6,6 +6,57 @@ This page describes Knative security and disclosure information.
* [Threat model](https://github.com/knative/community/blob/main/working-groups/security/threat-model.md)
## Code Signature Verification
### All platforms
Our releases from 1.9 are signed with [cosign](https://docs.sigstore.dev/cosign/overview). You can use the following steps to verify our binaries.
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the releases page:
```sh
# this example verifies the 1.9.0 kn cli from the knative/client repository
wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt
wget https://github.com/knative/client/releases/download/knative-v1.9.0/kn-darwin-amd64
wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt.sig
wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt.pem
```
1. Verify the signature:
```sh
COSIGN_EXPERIMENTAL=1 cosign verify-blob \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
```
1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
```sh
sha256sum --ignore-missing -c checksums.txt
```
!!! note
`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
in `KEYLESS` mode. To learn more about keyless signing, please refer to
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
### Apple macOS
In addition to signing our binaries with `cosign`, we [notarize](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) our macOS binaries. You can use the `codesign` utility to verify our binaries from 1.9 release. You should expect an output that looks
like this. The expected TeamIdentifier is `7R64489VHL`
```
codesign --verify -d --verbose=2 ~/Downloads/kn-quickstart-darwin-amd64
Executable=/Users/REDACTED/Downloads/kn-quickstart-darwin-amd64
Identifier=kn-quickstart-darwin-amd64
...
Authority=Developer ID Application: Mahamed Ali (7R64489VHL)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=3 Oct 2022 at 22:50:07
...
TeamIdentifier=7R64489VHL
```
## Report a vulnerability
We're extremely grateful for security researchers and users that report vulnerabilities to the Knative Open Source Community. All reports are thoroughly investigated by a set of community volunteers.
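Review bot: step 1 of "All platforms" names the certificate file `checksum.txt.pem` while the `wget` command fetches `checksums.txt.pem`; fix the text to match the command. The signing identity and issuer are only stated in the note, so a reader running `cosign verify-blob` as written accepts any certificate the Fulcio chain trusts; pass the expected subject and issuer to cosign on the command line (for example `--certificate-oidc-issuer https://accounts.google.com` plus the certificate identity flag of the installed cosign release) so that a signature from a different identity fails rather than relying on the reader to compare output by eye. Also, the download example fetches `kn-darwin-amd64` but `sha256sum` is not available on a stock macOS install (`shasum -a 256 -c` is), and the macOS `codesign` example checks `kn-quickstart-darwin-amd64` while the earlier steps download `kn-darwin-amd64`; use one binary throughout.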


@ -0,0 +1,32 @@
## Verifying CLI binaries
Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs.sigstore.dev/cosign/overview). You can use the following steps to verify the CLI binaries:
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem`, and `checksums.txt.sig` files from the releases page, by running the commands:
```sh
wget https://github.com/knative/client/releases/download/<kn-version>/checksums.txt
wget https://github.com/knative/client/releases/download/<kn-version>/kn-darwin-amd64
wget https://github.com/knative/client/releases/download/<kn-version>/checksums.txt.sig
wget https://github.com/knative/client/releases/download/<kn-version>/checksums.txt.pem
```
Where `<kn-version>` is the version of the CLI that you want to verify. For example, `knative-v1.8.0`.
1. Verify the signature by running the command:
```sh
COSIGN_EXPERIMENTAL=1 cosign verify-blob \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
```
1. If the signature is valid, you can then verify the `SHA256` sums match the downloaded binary, by running the command:
```sh
sha256sum --ignore-missing -c checksums.txt
```
!!! note
`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-nightly.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`.
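Review bot: the intro says releases "from 1.9 onwards are signed", but the example value for `<kn-version>` is `knative-v1.8.0`, a release for which no signature files exist, so a reader following the example verbatim gets a 404 on `checksums.txt.sig`; change the example to a 1.9 tag. Step 1 also spells the certificate file `checksum.txt.pem` while the `wget` line fetches `checksums.txt.pem`, and the note speaks of "images signed in `KEYLESS` mode" although this snippet verifies binaries (blobs), not images. As on the security page, the stated identity and issuer should be enforced via the `cosign verify-blob` certificate identity/issuer flags rather than left for the reader to compare.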


@ -0,0 +1,25 @@
## Verifying image signatures
Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore.dev/cosign/overview).
1. Install [cosign](https://docs.sigstore.dev/cosign/installation/) and [jq](https://stedolan.github.io/jq/).
1. Extract the images from a manifeset and verify the signatures.
```
# download the yaml file, this example uses the serving manifest
curl -fsSLO https://github.com/knative/serving/releases/download/knative-v1.9.0/serving-core.yaml
cat serving-core.yaml | grep 'gcr.io/' | awk '{print $2}' > images.txt
input=images.txt
while IFS= read -r image
do
COSIGN_EXPERIMENTAL=1 cosign verify -o text "$image" | jq
done < "$input"
```
!!! note
`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
in `KEYLESS` mode. To learn more about keyless signing, please refer to
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
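Review bot: in the loop `COSIGN_EXPERIMENTAL=1 cosign verify -o text "$image" | jq`, a failed verification does not stop the script, because the pipeline's exit status is `jq`'s and the `while` loop continues to the next image; add `set -eo pipefail` at the top of the snippet (or check `cosign`'s status explicitly) so a bad signature is not scrolled past. The extraction `grep 'gcr.io/' | awk '{print $2}'` also assumes every line containing `gcr.io/` carries the image reference in the second field, which comment lines or quoted example values in the manifest break; restrict it to `image:` keys or use a YAML-aware tool. Minor: "manifeset" in step 2 should be "manifest", the code fence here has no `sh` tag unlike the other new snippets, and the identity/issuer in the note should be passed to `cosign verify` as certificate identity/issuer flags rather than only documented.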