Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: Verify podinfo release assets with cosign #313

Merged
merged 1 commit into from
Oct 30, 2023
Merged

docs: Verify podinfo release assets with cosign #313

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 39 additions & 17 deletions .cosign/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,39 +1,61 @@
# Podinfo signed releases

Podinfo deployment manifests are published to GitHub Container Registry as OCI artifacts
and are signed using [cosign](https://github.com/sigstore/cosign).
Podinfo release assets (container image, Helm chart, Flux artifact, Timoni module)
are published to GitHub Container Registry and are signed with
[Cosign v2](https://github.com/sigstore/cosign) keyless & GitHub Actions OIDC.

## Verify the artifacts with cosign
## Verify podinfo with cosign

Install the [cosign](https://github.com/sigstore/cosign) CLI:

```sh
brew install sigstore/tap/cosign
```

Verify a podinfo release with cosign CLI:
### Container image

Verify the podinfo container image hosted on GHCR:

```sh
cosign verify ghcr.io/stefanprodan/podinfo:6.5.0 \
--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```

Verify the podinfo container image hosted on Docker Hub:

```sh
cosign verify -key https://raw.githubusercontent.com/stefanprodan/podinfo/master/cosign/cosign.pub \
ghcr.io/stefanprodan/podinfo-deploy:latest
cosign verify docker.io/stefanprodan/podinfo:6.5.0 \
--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```

## Download the artifacts with crane
### Helm chart

Install the [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) CLI:
Verify the podinfo [Helm](https://helm.sh) chart hosted on GHCR:

```sh
brew install crane
cosign verify ghcr.io/stefanprodan/charts/podinfo:6.5.0 \
--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```

Download the podinfo deployment manifests with crane CLI:
### Flux artifact

```console
$ crane export ghcr.io/stefanprodan/podinfo-deploy:latest -| tar -xf -
Verify the podinfo [Flux](https://fluxcd.io) artifact hosted on GHCR:

$ ls -1
deployment.yaml
hpa.yaml
kustomization.yaml
service.yaml
```sh
cosign verify ghcr.io/stefanprodan/manifests/podinfo:6.5.0 \
--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```

### Timoni module

Verify the podinfo [Timoni](https://timoni.sh) module hosted on GHCR:

```sh
cosign verify ghcr.io/stefanprodan/modules/podinfo:6.5.0 \
--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com
```