# Signature Verification

## Verifying a Cosign signature

All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).

You need the following tool:

- [Cosign](https://docs.sigstore.dev/cosign/installation/)

### Verifying signed container images

1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
   ```shell
   cosign verify aquasec/trivy:<version> \
     --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
     --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
   ```

2. You should get the following output:
   ```shell
   Verification for index.docker.io/aquasec/trivy:latest --
   The following checks were performed on each of these signatures:
     - The cosign claims were validated
     - Existence of the claims in the transparency log was verified offline
     - The code-signing certificate was verified using trusted certificate authority certificates

   ....
   ```

### Verifying signed binaries

1. Download the required tarball, associated signature and certificate files
2. Use the following command for keyless verification:
   ```shell
   cosign verify-blob <path to binary> \
     --certificate <path to cert> \
     --signature <path to sig> \
     --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
     --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
   ```
3. You should get the following output:
   ```
   Verified OK
   ```

For example:

```shell
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
    --certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
    --signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
    --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Verified OK
```

## Verifying a GPG signature

RPM and Deb packages are also signed by GPG.

### Verifying RPM

The public key can be downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key).

1. Download the public key
   ```shell
   curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
     --output pub.key
   ```
2. Import the key
   ```shell
   rpm --import pub.key
   ```
3. Verify that the key has been imported
   ```shell
   rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
   ```
   You should get the following output:
   ```shell
   gpg(trivy)
   ```

4. Download the required binary
   ```shell
   curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
     --output trivy.rpm
   ```
5. Check the binary with the following command
   ```shell
   rpm -K trivy.rpm
   ```
   You should get the following output:
   ```shell
   trivy.rpm: digests signatures OK
   ```
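The Cosign steps above (both the image check and the tarball check) are usually run by hand. The following script is an added example, not part of the Trivy docs or the Trivy project: it wraps those same `cosign` invocations, with the page's identity regexp and OIDC issuer, into a fetch, verify, then extract pipeline, so that a tarball whose signature does not verify is never unpacked. The function names are my own, and it assumes `cosign`, `curl` and `tar` are on `PATH`.

```shell
#!/usr/bin/env sh
# Added example (not from the Trivy docs): verify a Trivy release keylessly with
# cosign before touching its contents. Nothing is extracted unless cosign returns 0.
set -eu

TRIVY_REPO_URL="https://github.com/aquasecurity/trivy"
# Identity constraints from the docs: the signing certificate must come from the
# GitHub Actions OIDC issuer and name a workflow in the aquasecurity/trivy repository.
CERT_IDENTITY_REGEXP='https://github\.com/aquasecurity/trivy/\.github/workflows/.+'
CERT_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Build the GitHub release download URL for a tag and asset name.
release_asset_url() {
  printf '%s/releases/download/%s/%s\n' "$TRIVY_REPO_URL" "$1" "$2"
}

# Return 0 only if the tarball and both companion files (.pem, .sig) exist and are non-empty.
# A missing or empty .sig is the most common reason a manual check "succeeds" by accident
# (the verify step is simply skipped), so it is checked explicitly here.
release_files_present() {
  dir=$1; asset=$2
  for f in "$asset" "$asset.pem" "$asset.sig"; do
    [ -s "$dir/$f" ] || return 1
  done
  return 0
}

# Keyless verification of a container image, exactly as on the docs page.
# Verifying a tag is a point-in-time check; pin the digest cosign reports in deployments.
cosign_verify_image() {
  cosign verify "$1" \
    --certificate-identity-regexp "$CERT_IDENTITY_REGEXP" \
    --certificate-oidc-issuer "$CERT_OIDC_ISSUER"
}

# Keyless verification of a downloaded tarball; the exit status is cosign's own.
cosign_verify_asset() {
  dir=$1; asset=$2
  cosign verify-blob "$dir/$asset" \
    --certificate "$dir/$asset.pem" \
    --signature "$dir/$asset.sig" \
    --certificate-identity-regexp "$CERT_IDENTITY_REGEXP" \
    --certificate-oidc-issuer "$CERT_OIDC_ISSUER"
}

# Full pipeline: download tarball + .pem + .sig, verify, extract. Non-zero on any failure.
fetch_verify_extract() {
  version=$1; asset=$2; dest=$3
  work=$(mktemp -d)
  for f in "$asset" "$asset.pem" "$asset.sig"; do
    curl -fsSL "$(release_asset_url "$version" "$f")" -o "$work/$f"
  done
  release_files_present "$work" "$asset" || { echo "missing release files in $work" >&2; return 1; }
  cosign_verify_asset "$work" "$asset" || { echo "signature verification FAILED; not extracting" >&2; return 1; }
  mkdir -p "$dest"
  tar -xzf "$work/$asset" -C "$dest"
}

# Usage (same release as the docs example):
#   fetch_verify_extract v0.45.0 trivy_0.45.0_Linux-32bit.tar.gz ./trivy-bin
#   cosign_verify_image aquasec/trivy:0.45.0
```

The ordering is the point: the download, the presence check and `cosign verify-blob` all happen in a scratch directory, and `tar` runs only after cosign has exited 0, so a partial download or a tampered archive stops the pipeline instead of landing on disk.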
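For the RPM steps above, the output line matters more than the exit code: `rpm -K` exits 0 for a package that merely has intact digests and no signature at all, printing `digests OK` instead of `digests signatures OK`. The script below is an added example, not part of the Trivy docs: it confirms the Trivy key is imported, runs `rpm -K` as on the page, and accepts the package only when the output reports verified signatures. The function names are my own, and the output strings it matches are constructed from the wording `rpm -K` prints.

```shell
#!/usr/bin/env sh
# Added example (not from the Trivy docs): accept a Trivy .rpm only if rpm reports
# that its GPG signature, not just its digest, verified against an imported key.
set -eu

# Classify one line of `rpm -K` output. Return codes:
#   0  signed and verified   "<file>: digests signatures OK"
#   1  unsigned package      "<file>: digests OK"  (rpm -K itself still exits 0 here)
#   2  anything else         e.g. "<file>: digests SIGNATURES NOT OK" for an unknown key
classify_rpm_check() {
  case $1 in
    *": digests signatures OK") return 0 ;;
    *": digests OK")            return 1 ;;
    *)                          return 2 ;;
  esac
}

# Return 0 if the list of gpg-pubkey summaries (one per line) contains the Trivy key,
# which the docs show as "gpg(trivy)".
trivy_key_listed() {
  printf '%s\n' "$1" | grep -q '^gpg(trivy' && return 0
  return 1
}

# Query the imported keys the same way the docs do and check for the Trivy key.
ensure_trivy_key() {
  summaries=$(rpm -q --queryformat '%{SUMMARY}\n' $(rpm -q gpg-pubkey))
  trivy_key_listed "$summaries"
}

# Run `rpm -K` on a package and reject it unless the signature verified.
verify_trivy_rpm() {
  file=$1
  out=$(rpm -K "$file" 2>&1) || true   # decide from the text, not only the exit status
  rc=0; classify_rpm_check "$out" || rc=$?
  case $rc in
    0) echo "$out"; return 0 ;;
    1) echo "REJECT: $file carries no signature (digests only): $out" >&2; return 1 ;;
    *) echo "REJECT: $file signature check failed: $out" >&2
       rpm -Kv "$file" >&2 || true   # verbose breakdown of which check failed
       return 1 ;;
  esac
}

# Usage:
#   ensure_trivy_key || { echo "Trivy GPG key not imported; run: rpm --import pub.key" >&2; exit 1; }
#   verify_trivy_rpm trivy.rpm && rpm -i trivy.rpm
```

Run `ensure_trivy_key` first: if the key is not imported, `rpm -K` reports `SIGNATURES NOT OK` for a perfectly good package, and `verify_trivy_rpm` will correctly refuse it.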