guide.md

File metadata and controls

93 lines (63 loc) · 2.67 KB

Cosign

Note: the 'keyless' signing feature of cosign used here is currently classified as 'experimental'.

The jetstack-secure agent container image is signed using cosign.

An attestation is attached which satisfies the requirements of SLSA 1 and a CycloneDX Software Bill of Materials is also provided that details the dependencies of the image.

This document outlines how to verify the signature, attestation and download the SBOM with the cosign CLI.

Signature

To verify the container image signature:

  1. Ensure cosign is installed.
  2. Configure the signature repository and enable experimental features:
     export COSIGN_REPOSITORY=ghcr.io/jetstack/jetstack-secure/cosign
     export COSIGN_EXPERIMENTAL=1
  3. Verify the image:
     cosign verify --cert-oidc-issuer https://token.actions.githubusercontent.com quay.io/jetstack/preflight:latest

If the container was properly signed then the command should exit successfully.

A successful exit only confirms that a valid keyless signature issued through the GitHub Actions OIDC issuer exists; to tie the signature to the jetstack-secure release workflow, also check the Subject field (the signing certificate's identity) in the command's output. It should be https://github.com/jetstack/jetstack-secure/.github/workflows/release-master.yaml@<ref>, where <ref> is either the master branch or a release tag, for example:

  • refs/heads/master
  • refs/tags/v0.1.35

SLSA Provenance Attestation

To verify and view the SLSA provenance attestation:

  1. Ensure cosign is installed.
  2. Configure the signature repository and enable experimental features:
     export COSIGN_REPOSITORY=ghcr.io/jetstack/jetstack-secure/cosign
     export COSIGN_EXPERIMENTAL=1
  3. Verify and decode the attestation payload (tail -n 1 keeps only the JSON line of cosign's output):
     cosign verify-attestation --cert-oidc-issuer https://token.actions.githubusercontent.com quay.io/jetstack/preflight:latest | tail -n 1 | jq -r .payload | base64 -d | jq -r .

Software Bill of Materials (SBOM)

To verify and download the SBOM:

  1. Ensure cosign is installed.
  2. Configure the signature repository and enable experimental features:
     export COSIGN_REPOSITORY=ghcr.io/jetstack/jetstack-secure/cosign
     export COSIGN_EXPERIMENTAL=1
  3. Verify the SBOM:
     cosign verify --attachment sbom --cert-oidc-issuer https://token.actions.githubusercontent.com quay.io/jetstack/preflight:latest

     If the SBOM was properly signed then the command should exit successfully.

     As with the image signature, the Subject field in the output should be https://github.com/jetstack/jetstack-secure/.github/workflows/release-master.yaml@<ref>, where <ref> is either the master branch or a release tag, for example:

       • refs/heads/master
       • refs/tags/v0.1.35
  4. Download the SBOM:
     cosign download sbom quay.io/jetstack/preflight:latest > bom.xml
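Both the image-signature and SBOM steps above leave the Subject check to the reader. The following POSIX shell script is an added example, not code from the jetstack-secure project, that automates that check on the JSON printed by `cosign verify` (with or without `--attachment sbom`): the JSON samples inside are constructed to mimic cosign's output, and the tag pattern assumes release tags look like v0.1.35.

```shell
#!/bin/sh
# Added example (not part of the original guide): after `cosign verify` or
# `cosign verify --attachment sbom` succeeds, confirm that the certificate
# identity it reports is the jetstack-secure release workflow, not merely
# some GitHub Actions workflow accepted by the same OIDC issuer.
# The JSON samples below are constructed to mimic cosign's output format.

EXPECTED_ISSUER='https://token.actions.githubusercontent.com'
EXPECTED_WORKFLOW='https://github.com/jetstack/jetstack-secure/.github/workflows/release-master.yaml'

# Constructed sample: signed from a release tag (the digest is a placeholder).
SAMPLE_TAG='[{"critical":{"identity":{"docker-reference":"quay.io/jetstack/preflight"},"image":{"docker-manifest-digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000"},"type":"cosign container image signature"},"optional":{"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/jetstack/jetstack-secure/.github/workflows/release-master.yaml@refs/tags/v0.1.35"}}]'
# Constructed sample: signed from the master branch.
SAMPLE_MASTER='[{"critical":{},"optional":{"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/jetstack/jetstack-secure/.github/workflows/release-master.yaml@refs/heads/master"}}]'
# Constructed sample: a valid keyless signature, but from another repository's workflow.
SAMPLE_OTHER_REPO='[{"critical":{},"optional":{"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/example-org/example-fork/.github/workflows/release-master.yaml@refs/heads/master"}}]'

# json_field KEY JSON: print the first string value of KEY in single-line cosign JSON output.
json_field() {
  printf '%s' "$2" | sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# check_identity JSON: exit 0 only when Issuer and Subject name the release
# workflow on refs/heads/master or on a refs/tags/vX.Y.Z release tag.
check_identity() {
  issuer=$(json_field Issuer "$1")
  subject=$(json_field Subject "$1")
  [ "$issuer" = "$EXPECTED_ISSUER" ] || return 1
  [ "${subject%@*}" = "$EXPECTED_WORKFLOW" ] || return 1   # workflow part before '@'
  ref="${subject##*@}"                                       # git ref after '@'
  [ "$ref" = "refs/heads/master" ] && return 0
  printf '%s' "$ref" | grep -Eq '^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Real use (tail -n 1 isolates the JSON line, as the attestation command in the guide does):
#   check_identity "$(cosign verify --cert-oidc-issuer "$EXPECTED_ISSUER" \
#       quay.io/jetstack/preflight:latest | tail -n 1)" || echo "unexpected signer identity"
for sample in "$SAMPLE_TAG" "$SAMPLE_MASTER" "$SAMPLE_OTHER_REPO"; do
  if check_identity "$sample"; then echo "OK:       $(json_field Subject "$sample")"
  else echo "REJECTED: $(json_field Subject "$sample")"; fi
done
```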