Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[release-1.16] Link to supply-chain details rather than including inline. #6200

Merged
merged 1 commit into from
Jan 20, 2025
Merged

[release-1.16] Link to supply-chain details rather than including inline. #6200

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion docs/reference/security/verifying-images.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,12 @@ cosign verify-attestation \
$IMAGE
```

Note that the in-toto document is base64 encoded in the `.payload` attribute
!!! note
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`

The in-toto document is base64 encoded in the `.payload` attribute
of the attestation; you can use `jq` to extract this with the following
invocation:

Expand Down
23 changes: 2 additions & 21 deletions docs/snippets/security-prereqs-images.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,2 @@
## Verifying image signatures

Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore.dev/quickstart/quickstart-cosign/).

1. Install [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) and [jq](https://stedolan.github.io/jq/).

1. Extract the images from a manifeset and verify the signatures.

```bash
curl -sSL {{ artifact(repo="serving",file="serving-core.yaml") }} \
| grep 'gcr.io/' | awk '{print $2}' | sort | uniq \
| xargs -n 1 \
cosign verify -o text \
--certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com
```

!!! note
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
Optionally, you may choose to [verify the images before installing](/docs/reference/security/verifying-images.md).
You may also need the image verification information if your cluster is configured to verify image signatures during pod execution.
Loading