Add blog post about binary artifact signing
Signed-off-by: Sascha Grunert <[email protected]>
saschagrunert committed Nov 29, 2022
1 parent 49f6127 commit 082f885
Showing 1 changed file with 83 additions and 0 deletions.
@@ -0,0 +1,83 @@
---
layout: blog
title: "Kubernetes 1.26: We're now signing our binary release artifacts!"
date: 2022-12-6
slug: kubernetes-release-artifact-signing
---

**Author:** Sascha Grunert

The Kubernetes Special Interest Group (SIG) Release is proud to announce that we
graduated the [Signing Release Artifacts Enhancement Proposal][kep] to _beta_.

[kep]: https://github.com/kubernetes/enhancements/issues/3031

Signing artifacts provides end users a chance to verify the integrity of the
downloaded resource. It allows to mitigate man-in-the-middle attacks directly on
the client side and therefore ensures the trustfulness of the remote serving the
artifacts. The overall goal of the Kubernetes Enhancement Proposal (KEP) is to
define the used tooling for signing all Kubernetes related artifacts as well as
providing a standard signing process for related projects (for example in
[kubernetes-sigs][k-sigs]).

[k-sigs]: https://github.com/kubernetes-sigs

We already sign all officially released container images from Kubernetes v1.24.
Now in v1.26, we added all **binary artifacts** to the signing process as well!
This means that now all [client, server and source tarballs][tarballs], [binary
artifacts][binaries], [Software Bills of Material (SBOMs)][sboms] as well as the
[build provenance][provenance] will be signed using [cosign][cosign].
Technically speaking, we now ship additional `*.sig` (signature) and `*.cert`
(certificate) files side by side to the artifact locations for verifying their
integrity.

[tarballs]: https://github.com/kubernetes/kubernetes/blob/release-1.26/CHANGELOG/CHANGELOG-1.26.md#downloads-for-v1260
[binaries]: https://gcsweb.k8s.io/gcs/kubernetes-release/release/v1.26.0/bin
[sboms]: https://storage.googleapis.com/kubernetes-release/release/v1.26.0/kubernetes-release.spdx
[provenance]: https://storage.googleapis.com/kubernetes-release/release/v1.26.0/provenance.json
[cosign]: https://github.com/sigstore/cosign

To verify an artifact, for example `kubectl`, we just have to download the
signature and certificate alongside with the binary:

```shell
curl -sSfL https://dl.k8s.io/release/v1.26.0/bin/linux/amd64/kubectl -o kubectl
curl -sSfL https://dl.k8s.io/release/v1.26.0/bin/linux/amd64/kubectl.sig -o kubectl.sig
curl -sSfL https://dl.k8s.io/release/v1.26.0/bin/linux/amd64/kubectl.cert -o kubectl.cert
```

Then we can verify `kubectl` using `cosign`:

```shell
cosign verify-blob kubectl --signature kubectl.sig --certificate kubectl.cert
```

All of the mentioned steps as well as how to verify container images are
outlined in the official documentation about how to [Verify Signed Kubernetes
Artifacts][docs]. In one of the next upcoming Kubernetes releases we will
consider graduating the KEP to become Generally Available (GA). This would
incorporate that all Kubernetes artifacts are signed excluding everything which
gets build outside of the main Kubernetes repository. Beside that, we plan to
use Kubernetes owned infrastructure for the signing (root trust) and
verification (transparency log) process.

[docs]: /docs/tasks/administer-cluster/verify-signed-artifacts

We're looking forward to shipping more of those awesome features in future
Kubernetes releases. For example, we're working on the [SLSA Level 3 Compliance
in the Kubernetes Release Process][slsa] or the [Renaming of the kubernetes/kubernetes
default branch name to `main`][kkmain].

If you're interested in contributing to SIG Release, then consider applying for
the upcoming v1.27 shadowing program (watch for the announcement on
[k-dev][k-dev]) or join our [weekly meeting][meeting] to say _hi_.

Thank you for reading this blog post! Feel free to reach out to us by using the
[SIG Release mailing list][mail] or the [#sig-release][slack] Slack channel.

[mail]: https://groups.google.com/g/kubernetes-sig-release
[slsa]: https://github.com/kubernetes/enhancements/issues/3027
[kkmain]: https://github.com/kubernetes/enhancements/issues/2853
[slack]: http://slack.k8s.io
[k-dev]: https://groups.google.com/a/kubernetes.io/g/dev
[meeting]: http://bit.ly/k8s-sig-release-meeting
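Review bot: the verification step `cosign verify-blob kubectl --signature kubectl.sig --certificate kubectl.cert` never tells the reader which signing identity to expect in `kubectl.cert`, so someone following the post as written cannot distinguish the Kubernetes release signature from any other valid keyless signature over the same file; state the expected certificate identity and OIDC issuer next to the command (or say explicitly that the linked "Verify Signed Kubernetes Artifacts" page lists them) so the check is bound to the release identity rather than to "some certificate came with the file". Also, `date: 2022-12-6` should be zero-padded to `date: 2022-12-06` so the front matter parses consistently as a date. Minor wording in the body: "It allows to mitigate" reads better as "It helps mitigate", "trustfulness" should be "trustworthiness", "alongside with the binary" should be "alongside the binary", "This would incorporate that" should be "This would mean that", "gets build outside" should be "gets built outside", and "Beside that" should be "Besides that".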
