From bd77584ade6799e2d0e5beb3b3c7bb0a30dcd2e2 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Mon, 30 Oct 2023 12:28:21 +0200 Subject: [PATCH] docs: Verify podinfo release assets with cosign Signed-off-by: Stefan Prodan --- .cosign/README.md | 56 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 17 deletions(-) diff --git a/.cosign/README.md b/.cosign/README.md index 1fe95916f..9752539a3 100644 --- a/.cosign/README.md +++ b/.cosign/README.md @@ -1,9 +1,10 @@ # Podinfo signed releases -Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts -and are signed using [cosign](https://github.com/sigstore/cosign). +Podinfo release assets (container image, Helm chart, Flux artifact, Timoni module) +are published to GitHub Container Registry and are signed with +[Cosign v2](https://github.com/sigstore/cosign) keyless & GitHub Actions OIDC. -## Verify the artifacts with cosign +## Verify podinfo with cosign Install the [cosign](https://github.com/sigstore/cosign) CLI: 
@@ -11,29 +12,50 @@ Install the [cosign](https://github.com/sigstore/cosign) CLI: brew install sigstore/tap/cosign ``` -Verify a podinfo release with cosign CLI: +### Container image + +Verify the podinfo container image hosted on GHCR: + +```sh +cosign verify ghcr.io/stefanprodan/podinfo:6.5.0 \ +--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com +``` + +Verify the podinfo container image hosted on Docker Hub: ```sh -cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \ -ghcr.io/stefanprodan/podinfo-deploy:latest +cosign verify docker.io/stefanprodan/podinfo:6.5.0 \ +--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com ``` -## Download the artifacts with crane +### Helm chart -Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI: +Verify the podinfo [Helm](https://helm.sh) chart hosted on GHCR: ```sh -brew install crane +cosign verify ghcr.io/stefanprodan/charts/podinfo:6.5.0 \ +--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com ``` -Download the podinfo deployment manifests with crane CLI: +### Flux artifact -```console -$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf - +Verify the podinfo [Flux](https://fluxcd.io) artifact hosted on GHCR: -$ ls -1 -deployment.yaml -hpa.yaml -kustomization.yaml -service.yaml +```sh +cosign verify ghcr.io/stefanprodan/manifests/podinfo:6.5.0 \ +--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com +``` + +### Timoni module + +Verify the podinfo [Timoni](https://timoni.sh) module hosted on GHCR: + +```sh +cosign verify 
ghcr.io/stefanprodan/modules/podinfo:6.5.0 \ +--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \ +--certificate-oidc-issuer=https://token.actions.githubusercontent.com ```
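Review bot: In the first hunk (`@@ -1,9 +1,10 @@`), the new intro line "signed with [Cosign v2](...) keyless & GitHub Actions OIDC" reads awkwardly and leaves the scope of the keyless claim unstated; suggest "signed with [Cosign v2](https://github.com/sigstore/cosign) using keyless signing and the GitHub Actions OIDC identity". Since this hunk also drops the old wording that the artifacts were signed with a public key (the `cosign.pub` verification is removed further down in the same patch), a short sentence saying which release versions are covered by keyless signatures would help readers who still verify older `podinfo-deploy` artifacts and would otherwise get a confusing verification failure with the new flags.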
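Review bot: In the second hunk (`@@ -11,29 +12,50 @@`), every `cosign verify` command uses `--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$"`, which is broader than the documentation implies: the trailing `.*` accepts any workflow file and any branch or tag ref in the repository, and because there is no `/` after `podinfo` it would also accept a certificate issued for another repository under the same owner whose name merely starts with `podinfo`. The `--certificate-oidc-issuer` exact match is correct, but the identity regexp is what binds the signature to this project's release pipeline, so consider anchoring it to the repository path followed by `/`, the release workflow's path, and a `@refs/tags/` suffix (the workflow filename is not in this diff, so it should be filled in from the repository), e.g. a pattern of the form `^https://github.com/stefanprodan/podinfo/.github/workflows/<release-workflow>.yml@refs/tags/.*$`; a one-line note explaining why the identity must be pinned to the release workflow would also make the doc more useful to readers copying these commands into their own admission policies.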