Merge branch 'doc-sign-images-verify' into 'main'

Document commands to verify image signatures See merge request components/opentofu!149

Merge branch 'doc-sign-images-verify' into 'main'
9951ca1b · Timo Furrer · 929e8da8 · b383bafc · 9951ca1b · 9951ca1b
Commit 9951ca1b authored 7 months ago by Timo Furrer
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -333,10 +333,23 @@ See https://github.com/distribution/distribution/issues/1201*
 Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
 using [`sigstore/cosign`](https://github.com/sigstore/cosign).
-Check the following docs to learn more about verifying the signature:
+You can use the following command to verify the signatures:
- https://docs.sigstore.dev/cosign/verifying/verify/
+```shell
- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+VERSION=X.Y.Z # put a released components/opentofu version here
+IMAGE_REF=... # put a released components/opentofu image reference here
+cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
+```
+For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
+```shell
+cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
+    --certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
+    --certificate-oidc-issuer "https://gitlab.com"
+```
+For self-managed mirrors the OIDC issuer must be changed, too.
 ### Using with Renovate

--- a/.gitlab/release-notes.md.template
+++ b/.gitlab/release-notes.md.template
@@ -43,7 +43,14 @@ And with the follow base OS images:
 - `alpine`, use `base_os: alpine` input to use it (default).
 - `debian`, use `base_os: debian` input to use it.
-The images have been signed with `cosign`.
+The images have been signed with `cosign` and can be verified with the following command:
+```shell
+cosign verify \
+  "$CI_REGISTRY_IMAGE/gitlab-opentofu:$CI_COMMIT_TAG-alpine" \
+  --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG" \
+  --certificate-oidc-issuer "https://gitlab.com"
+```
 > **Note:**
 >

--- a/README.md
+++ b/README.md
@@ -352,10 +352,23 @@ See https://github.com/distribution/distribution/issues/1201*
 Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
 using [`sigstore/cosign`](https://github.com/sigstore/cosign).
-Check the following docs to learn more about verifying the signature:
+You can use the following command to verify the signatures:
- https://docs.sigstore.dev/cosign/verifying/verify/
+```shell
- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+VERSION=X.Y.Z # put a released components/opentofu version here
+IMAGE_REF=... # put a released components/opentofu image reference here
+cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
+```
+For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
+```shell
+cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
+    --certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
+    --certificate-oidc-issuer "https://gitlab.com"
+```
+For self-managed mirrors the OIDC issuer must be changed, too.
 ### Using with Renovate