knative
/
docs
mirror of https://github.com/knative/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

docs: update instructions on client code-sign verification (#5610) 

* docs: update instructions on client code sign verification

* docs: update cosign keyless references
This commit is contained in:
Caleb Woodbine 2023-07-31 20:18:59 +12:00 committed by GitHub
parent aade0bb852
commit ac6b067b02
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
docs/reference/security/README.md
View File

@ -14,15 +14,17 @@ Our releases from 1.9 are signed with [cosign](https://docs.sigstore.dev/cosign/
1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the releases page:
```sh
# this example verifies the 1.9.0 kn cli from the knative/client repository
wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt
wget https://github.com/knative/client/releases/download/knative-v1.9.0/kn-darwin-amd64
wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt.sig
wget https://github.com/knative/client/releases/download/knative-v1.9.0/checksums.txt.pem
# this example verifies the 1.10.0 kn cli from the knative/client repository
wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt
wget https://github.com/knative/client/releases/download/knative-v1.10.0/kn-darwin-amd64
wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.sig
wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.pem
```
1. Verify the signature:
```sh
COSIGN_EXPERIMENTAL=1 cosign verify-blob \
cosign verify-blob \
--certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
--cert checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
@ -33,10 +35,9 @@ Our releases from 1.9 are signed with [cosign](https://docs.sigstore.dev/cosign/
```
!!! note
`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
in `KEYLESS` mode. To learn more about keyless signing, please refer to
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
### Apple macOS