Commit

Link to supply-chain details rather than including inline. (#6200)
Co-authored-by: Evan Anderson <evan.k.anderson@gmail.com>
knative-prow-robot and evankanderson authored Jan 20, 2025
1 parent d6ea0fe commit 7760feb
Showing 2 changed files with 8 additions and 22 deletions.
7 changes: 6 additions & 1 deletion docs/reference/security/verifying-images.md
Expand Up @@ -25,7 +25,12 @@ cosign verify-attestation \
$IMAGE
```

Note that the in-toto document is base64 encoded in the `.payload` attribute
!!! note
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`

The in-toto document is base64 encoded in the `.payload` attribute
of the attestation; you can use `jq` to extract this with the following
invocation:

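Review bot: The admonition moved into this file quotes the Subject and Issuer but never says which flags they belong to, so a reader of this page alone cannot tell that they are the values for `--certificate-identity` and `--certificate-oidc-issuer` (the snippet removed from `security-prereqs-images.md` in the same commit showed exactly that pairing); suggest adding a sentence after the Issuer line such as "Pass these to cosign as `--certificate-identity=signer@knative-releases.iam.gserviceaccount.com --certificate-oidc-issuer=https://accounts.google.com`", since verifying without pinning both is not a check of the release signer. Two smaller points: "identity(Subject)" needs a space before the parenthesis, and the three lines under `!!! note` must be indented four spaces for MkDocs Material to render them inside the admonition, which the diff as shown does not make visible, so please confirm the indentation survived the move.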
23 changes: 2 additions & 21 deletions docs/snippets/security-prereqs-images.md
@@ -1,21 +1,2 @@
## Verifying image signatures

Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore.dev/quickstart/quickstart-cosign/).

1. Install [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) and [jq](https://stedolan.github.io/jq/).

1. Extract the images from a manifeset and verify the signatures.

```bash
curl -sSL {{ artifact(repo="serving",file="serving-core.yaml") }} \
| grep 'gcr.io/' | awk '{print $2}' | sort | uniq \
| xargs -n 1 \
cosign verify -o text \
--certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com
```

!!! note
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
Optionally, you may choose to [verify the images before installing](/docs/reference/security/verifying-images.md).
You may also need the image verification information if your cluster is configured to verify image signatures during pod execution.
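Review bot: This hunk removes the only bulk verification walkthrough shown in the commit (the `curl ... | grep 'gcr.io/' | awk '{print $2}' | sort | uniq | xargs -n 1 cosign verify ...` pipeline with the pinned `--certificate-identity` and `--certificate-oidc-issuer`), while the companion hunk in `verifying-images.md` only adds the keyless note beside `cosign verify-attestation`; please confirm the linked page already explains how to extract every image from a release manifest and run `cosign verify` over each, otherwise that guidance is lost with this change. The new second sentence, "You may also need the image verification information...", should name what that information is (the signing identity and issuer quoted in the removed note) so operators configuring admission-time signature checks know which values to copy. Dropping the `## Verifying image signatures` heading also removes its anchor, so any page that includes this snippet and links to that heading should be checked, and the link's absolute form `/docs/reference/security/verifying-images.md` should be confirmed to resolve in the site build given that the snippet is included from pages at different depths.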

0 comments on commit 7760feb
