github.com/argoproj/argo-cd/v3@v3.2.1/docs/operator-manual/signed-release-assets.md

# Verification of Argo CD Artifacts

## Prerequisites
- cosign `v2.0.0` or higher [installation instructions](https://docs.sigstore.dev/cosign/installation)
- slsa-verifier [installation instructions](https://github.com/slsa-framework/slsa-verifier#installation)
- crane [installation instructions](https://github.com/google/go-containerregistry/blob/main/cmd/crane/README.md) (for container verification only)

***
## Release Assets
| Asset                    | Description                   |
|--------------------------|-------------------------------|
| argocd-darwin-amd64      | CLI Binary                    |
| argocd-darwin-arm64      | CLI Binary                    |
| argocd-linux_amd64       | CLI Binary                    |
| argocd-linux_arm64       | CLI Binary                    |
| argocd-linux_ppc64le     | CLI Binary                    |
| argocd-linux_s390x       | CLI Binary                    |
| argocd-windows_amd64     | CLI Binary                    |
| argocd-cli.intoto.jsonl  | Attestation of CLI binaries   |
| argocd-sbom.intoto.jsonl | Attestation of SBOM           |
| cli_checksums.txt        | Checksums of binaries         |
| sbom.tar.gz              | SBOM                          |
| sbom.tar.gz.pem          | Certificate used to sign SBOM |
| sbom.tar.gz.sig          | Signature of SBOM             |

***
## Verification of container images

Argo CD container images are signed by [cosign](https://github.com/sigstore/cosign) using identity-based ("keyless") signing and transparency. The following command verifies the signature of a container image:

```bash
cosign verify \
--certificate-identity-regexp https://github.com/argoproj/argo-cd/.github/workflows/image-reuse.yaml@refs/tags/v \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository "argoproj/argo-cd" \
quay.io/argoproj/argocd:v2.11.3 | jq
```
The command should output the following if the container image was correctly verified:
```text
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - Any certificates were verified against the Fulcio roots.
[
  {
    "critical": {
      "identity": {
        "docker-reference": "quay.io/argoproj/argo-cd"
      },
      "image": {
        "docker-manifest-digest": "sha256:63dc60481b1b2abf271e1f2b866be8a92962b0e53aaa728902caa8ac8d235277"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
      "1.3.6.1.4.1.57264.1.2": "push",
      "1.3.6.1.4.1.57264.1.3": "a6ec84da0eaa519cbd91a8f016cf4050c03323b2",
      "1.3.6.1.4.1.57264.1.4": "Publish ArgoCD Release",
      "1.3.6.1.4.1.57264.1.5": "argoproj/argo-cd",
      "1.3.6.1.4.1.57264.1.6": "refs/tags/<version>",
      ...
```

***
## Verification of container image with SLSA attestations

A [SLSA](https://slsa.dev/) Level 3 provenance is generated using [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator).

The following command verifies the signature of the attestation and the identity under which it was issued. The attestation contains the payloadType, the payload, and the signature.

Run the following command as per the [slsa-verifier documentation](https://github.com/slsa-framework/slsa-verifier/tree/main#containers):

```bash
# Get the immutable container image to prevent TOCTOU attacks https://github.com/slsa-framework/slsa-verifier#toctou-attacks
IMAGE=quay.io/argoproj/argocd:v2.7.0
IMAGE="${IMAGE}@"$(crane digest "${IMAGE}")
# Verify provenance, including the tag to prevent rollback attacks.
slsa-verifier verify-image "$IMAGE" \
    --source-uri github.com/argoproj/argo-cd \
    --source-tag v2.7.0
```

If you only want to verify up to the major or minor version of the source repository tag (instead of the full tag), use the `--source-versioned-tag` option, which performs semantic versioning verification:

```bash
slsa-verifier verify-image "$IMAGE" \
    --source-uri github.com/argoproj/argo-cd \
    --source-versioned-tag v2 # Note: May use v2.7 for minor version verification.
```

The attestation payload contains a non-forgeable provenance which is base64 encoded and can be viewed by passing the `--print-provenance` option to the commands above:

```bash
slsa-verifier verify-image "$IMAGE" \
    --source-uri github.com/argoproj/argo-cd \
    --source-tag v2.7.0 \
    --print-provenance | jq
```

If you prefer using cosign, follow these [instructions](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#cosign).

!!! tip
    `cosign` or `slsa-verifier` can both be used to verify image attestations.
    Check the documentation of each binary for detailed instructions.

***

## Verification of CLI artifacts with SLSA attestations

A single attestation (`argocd-cli.intoto.jsonl`) from each release is provided. This can be used with [slsa-verifier](https://github.com/slsa-framework/slsa-verifier#verification-for-github-builders) to verify that a CLI binary was generated using Argo CD workflows on GitHub and ensures it was cryptographically signed.

```bash
slsa-verifier verify-artifact argocd-linux-amd64 \
  --provenance-path argocd-cli.intoto.jsonl \
  --source-uri github.com/argoproj/argo-cd \
  --source-tag v2.7.0
```

If you only want to verify up to the major or minor version of the source repository tag (instead of the full tag), use the `--source-versioned-tag` option, which performs semantic versioning verification:

```bash
slsa-verifier verify-artifact argocd-linux-amd64 \
  --provenance-path argocd-cli.intoto.jsonl \
  --source-uri github.com/argoproj/argo-cd \
  --source-versioned-tag v2 # Note: May use v2.7 for minor version verification.
```

The payload is a non-forgeable provenance which is base64 encoded and can be viewed by passing the `--print-provenance` option to the commands above:

```bash
slsa-verifier verify-artifact argocd-linux-amd64 \
  --provenance-path argocd-cli.intoto.jsonl \
  --source-uri github.com/argoproj/argo-cd \
  --source-tag v2.7.0 \
  --print-provenance | jq
```

## Verification of SBOM

A single attestation (`argocd-sbom.intoto.jsonl`) from each release is provided along with the SBOM (`sbom.tar.gz`). This can be used with [slsa-verifier](https://github.com/slsa-framework/slsa-verifier#verification-for-github-builders) to verify that the SBOM was generated using Argo CD workflows on GitHub and ensures it was cryptographically signed.

```bash
slsa-verifier verify-artifact sbom.tar.gz \
  --provenance-path argocd-sbom.intoto.jsonl \
  --source-uri github.com/argoproj/argo-cd \
  --source-tag v2.7.0
```
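
To see what the base64-encoded payload that `--print-provenance` decodes actually looks like, here is an added example (not Argo CD's or slsa-verifier's code) that decodes one line of `argocd-cli.intoto.jsonl` or `argocd-sbom.intoto.jsonl` and cross-checks the subject digest, the source tag and the builder id against a downloaded file. It does not validate the envelope signature, which is slsa-verifier's job; the sample envelope, its field layout (an in-toto Statement v0.1 carrying SLSA provenance v0.2, as slsa-github-generator emits) and the artifact bytes are constructed assumptions.

```python
# Added example: decode a SLSA provenance envelope (.intoto.jsonl) and cross-check a
# downloaded artifact against it. Run only after `slsa-verifier verify-artifact` passed.
import base64
import hashlib
import json

# Constructed stand-in for a downloaded argocd-linux-amd64 binary.
SAMPLE_ARTIFACT = b"constructed stand-in for the argocd-linux-amd64 binary\n"

# Constructed DSSE envelope in the layout slsa-github-generator emits (assumption):
# an in-toto Statement v0.1 carrying SLSA provenance v0.2. "sig" is a placeholder.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "argocd-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/"
                          ".github/workflows/generator_generic_slsa3.yml@refs/tags/vX.Y.Z"},
        "invocation": {"configSource": {
            "uri": "git+https://github.com/argoproj/argo-cd@refs/tags/v2.7.0"}},
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
})
SOURCE = "git+https://github.com/argoproj/argo-cd@refs/tags/"  # followed by the release tag
TRUSTED_BUILDER = "https://github.com/slsa-framework/slsa-github-generator/"

def decode_provenance(envelope_line: str) -> dict:
    """Return the in-toto Statement inside one .jsonl line (no signature check)."""
    env = json.loads(envelope_line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))

def check_artifact(envelope_line: str, name: str, data: bytes, source_tag: str) -> dict:
    """Cross-check artifact bytes, release tag and builder id; every flag must be True."""
    stmt = decode_provenance(envelope_line)
    subjects = {s["name"]: s["digest"].get("sha256") for s in stmt["subject"]}
    predicate = stmt["predicate"]
    return {
        "subject_listed": name in subjects,
        "digest_matches": subjects.get(name) == hashlib.sha256(data).hexdigest(),
        "source_matches": predicate["invocation"]["configSource"]["uri"] == SOURCE + source_tag,
        "trusted_builder": predicate["builder"]["id"].startswith(TRUSTED_BUILDER),
    }
```

The same function applies unchanged to `sbom.tar.gz` with `argocd-sbom.intoto.jsonl`, since both attestations use the same envelope layout.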

***
## Verification on Kubernetes

### Policy controllers
!!! note
    We encourage all users to verify signatures and provenances with your admission/policy controller of choice. Doing so will verify that an image was built by us before it's deployed on your Kubernetes cluster.

Cosign signatures and SLSA provenances are compatible with several types of admission controllers. Please see the [cosign documentation](https://docs.sigstore.dev/cosign/overview/#kubernetes-integrations) and [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#verification) for supported controllers.
   156  
   157  Cosign signatures and SLSA provenances are compatible with several types of admission controllers. Please see the [cosign documentation](https://docs.sigstore.dev/cosign/overview/#kubernetes-integrations) and [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#verification) for supported controllers.