github.com/cilium/cilium@v1.16.2/Documentation/configuration/verify-image-signatures.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _verify_image_signatures:

**************************
Verifying Image Signatures
**************************

Prerequisites
=============

You will need to `install cosign`_.

.. _`install cosign`: https://docs.sigstore.dev/cosign/installation/

Verify Signed Container Images
==============================

Since version 1.13, all Cilium container images are signed using cosign.

Let's verify a Cilium image's signature using the ``cosign verify`` command
(``jq`` is only used to pretty-print the JSON output):

.. code-block:: shell-session

    $ TAG=v1.13.0
    $ cosign verify --certificate-github-workflow-repository cilium/cilium \
        --certificate-oidc-issuer https://token.actions.githubusercontent.com \
        --certificate-github-workflow-name "Image Release Build" \
        --certificate-github-workflow-ref refs/tags/${TAG} \
        --certificate-identity "https://github.com/cilium/cilium/.github/workflows/build-images-releases.yaml@refs/tags/${TAG}" \
        "quay.io/cilium/cilium:${TAG}" | jq

.. note::

    ``cosign`` is used here to verify images signed in keyless mode. To learn
    more about keyless signing, please refer to `Keyless Signatures`_.

    ``--certificate-github-workflow-name string`` is checked against the
    workflow claim of the GitHub OIDC identity token, which carries the name
    of the workflow that ran. For the names of the workflows used to build
    Cilium images, see the ``build-images`` workflows under `Cilium workflows`_.

    ``--certificate-github-workflow-ref string`` is checked against the ref
    claim of the GitHub OIDC identity token, which carries the git ref the
    workflow run was based on.

    ``--certificate-identity`` pins the certificate's identity to that of the
    GitHub release image build workflow (the workflow file in the
    ``cilium/cilium`` repository, at the release tag's ref).

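As an added example (not part of the Cilium documentation or of the cosign project), the following Python script builds the same ``cosign verify`` command line from a release tag and re-checks the claims in cosign's JSON output against the values the flags above pin. It assumes cosign's output layout (a JSON array with the certificate claims under ``optional`` and the repository under ``critical.identity.docker-reference``) and feeds it a constructed sample rather than a real capture.

```python
"""Recheck the certificate claims in `cosign verify` JSON output."""
import json

WORKFLOW = "https://github.com/cilium/cilium/.github/workflows/build-images-releases.yaml"

def expected_claims(tag: str) -> dict:
    """Claims a Cilium release image signed for `tag` must carry (the values the
    --certificate-* flags above pin), keyed by cosign's output field names."""
    return {
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": f"{WORKFLOW}@refs/tags/{tag}",
        "githubWorkflowRepository": "cilium/cilium",
        "githubWorkflowName": "Image Release Build",
        "githubWorkflowRef": f"refs/tags/{tag}",
    }

def build_verify_argv(image: str, tag: str) -> list:
    """argv for `cosign verify` with the identity pinned exactly (no regex)."""
    w = expected_claims(tag)
    return ["cosign", "verify", "--certificate-oidc-issuer", w["Issuer"],
            "--certificate-identity", w["Subject"],
            "--certificate-github-workflow-repository", w["githubWorkflowRepository"],
            "--certificate-github-workflow-name", w["githubWorkflowName"],
            "--certificate-github-workflow-ref", w["githubWorkflowRef"], f"{image}:{tag}"]

def check_claims(cosign_json: str, image: str, tag: str) -> list:
    """Return mismatches in cosign's JSON array ([] = every signature OK). Assumes
    claims sit in `optional` and critical.identity.docker-reference is the repo."""
    want, problems = expected_claims(tag), []
    entries = json.loads(cosign_json)
    if not entries:
        return ["no signatures in output"]
    for i, entry in enumerate(entries):
        ref = entry.get("critical", {}).get("identity", {}).get("docker-reference")
        if ref != image:
            problems.append(f"sig {i}: docker-reference {ref!r} != {image!r}")
        opt = entry.get("optional") or {}
        for key, value in want.items():
            if opt.get(key) != value:
                problems.append(f"sig {i}: {key}={opt.get(key)!r}, want {value!r}")
    return problems

# Constructed sample of cosign output for quay.io/cilium/cilium:v1.13.0 (bundle
# omitted, digest is a placeholder); not a real capture.
SAMPLE = json.dumps([{
    "critical": {"identity": {"docker-reference": "quay.io/cilium/cilium"},
                 "image": {"docker-manifest-digest": "sha256:<placeholder>"}},
    "optional": {**expected_claims("v1.13.0"), "githubWorkflowTrigger": "push"}}])
```

Running ``check_claims`` on the real ``cosign verify`` output of each release image (cilium, operator, hubble-relay, ...) gives a second, tag-derived check that the signing identity is the release workflow at the expected ref, independent of how the command line was typed.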
.. _`Keyless Signatures`: https://docs.sigstore.dev/cosign/overview/#keyless-signing-of-a-container
.. _`Cilium workflows`: https://github.com/cilium/cilium/tree/main/.github/workflows