From 06af0dde5472b9ad6890358cae9de2b77cc21dde Mon Sep 17 00:00:00 2001 From: Evan Anderson Date: Sun, 19 Jan 2025 06:55:23 -0800 Subject: [PATCH] Link to supply-chain details rather than including inline. --- docs/reference/security/verifying-images.md | 7 ++++++- docs/snippets/security-prereqs-images.md | 23 ++------------------- 2 files changed, 8 insertions(+), 22 deletions(-) diff --git a/docs/reference/security/verifying-images.md b/docs/reference/security/verifying-images.md index 5a9204a2fc..759c18649a 100644 --- a/docs/reference/security/verifying-images.md +++ b/docs/reference/security/verifying-images.md @@ -25,7 +25,12 @@ cosign verify-attestation \ $IMAGE ``` -Note that the in-toto document is base64 encoded in the `.payload` attribute +!!! note + Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to + [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures) + Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com` + +The in-toto document is base64 encoded in the `.payload` attribute of the attestation; you can use `jq` to extract this with the following invocation: diff --git a/docs/snippets/security-prereqs-images.md b/docs/snippets/security-prereqs-images.md index 701460ed80..a19be897c7 100644 --- a/docs/snippets/security-prereqs-images.md +++ b/docs/snippets/security-prereqs-images.md 
@@ -1,21 +1,2 @@ -## Verifying image signatures - -Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore.dev/quickstart/quickstart-cosign/). - -1. Install [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) and [jq](https://stedolan.github.io/jq/). - -1. Extract the images from a manifeset and verify the signatures. - -```bash -curl -sSL {{ artifact(repo="serving",file="serving-core.yaml") }} \ - | grep 'gcr.io/' | awk '{print $2}' | sort | uniq \ - | xargs -n 1 \ - cosign verify -o text \ - --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \ - --certificate-oidc-issuer=https://accounts.google.com -``` - -!!! note - Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to - [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures) - Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com` +Optionally, you may choose to [verify the images before installing](/docs/reference/security/verifying-images.md). +You may also need the image verification information if your cluster is configured to verify image signatures during pod execution.
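Review bot: in the `!!! note` added to docs/reference/security/verifying-images.md, the signing identity and issuer are given only as prose, although the reader needs them as flag values; the note should say that these are the values to pass as `--certificate-identity=signer@knative-releases.iam.gserviceaccount.com` and `--certificate-oidc-issuer=https://accounts.google.com` (the flags the removed snippet command used) and that verification must fail if either differs, because keyless verification is only as strong as the identity check it enforces. Two formatting nits in the same block: `signing identity(Subject)` needs a space before the parenthesis, and the sentence ending in the `[Keyless Signatures](...)` link has no terminal period.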
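Review bot: the second replacement sentence in docs/snippets/security-prereqs-images.md says signatures may be checked "during pod execution", but a cluster that verifies image signatures does so at admission, when the Pod is created, not while it runs; suggest "if your cluster enforces image signature verification at admission time". This hunk also deletes two things from the snippet that should be confirmed present in the linked page before merging: the statement that Knative releases from 1.9 onwards are signed with cosign, and the plain `cosign verify` command with the `--certificate-identity` and `--certificate-oidc-issuer` flags, since the visible context of verifying-images.md only shows `cosign verify-attestation`. Finally, the link target `/docs/reference/security/verifying-images.md` is a site-absolute path with a `.md` suffix; check it matches how other pages in the docs link to each other so it resolves in the built site.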