Unverified Commit b383bafc authored by Timo Furrer

Document commands to verify image signatures

parent 929e8da8
......@@ -333,10 +333,23 @@ See https://github.com/distribution/distribution/issues/1201*
Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
using [`sigstore/cosign`](https://github.com/sigstore/cosign).
Check the following docs to learn more about verifying the signature:
You can use the following command to verify the signatures:
- https://docs.sigstore.dev/cosign/verifying/verify/
- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
```shell
VERSION=X.Y.Z # put a released components/opentofu version here
IMAGE_REF=... # put a released components/opentofu image reference here
cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
```
For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
```shell
cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
--certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
--certificate-oidc-issuer "https://gitlab.com"
```
For self-managed mirrors the OIDC issuer must be changed, too.
### Using with Renovate
......
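Review bot: the closing sentence "For self-managed mirrors the OIDC issuer must be changed, too." leaves the reader to guess what the issuer should become and whether `--certificate-identity` must change as well; since the identity embeds `https://gitlab.com/components/opentofu//.gitlab-ci.yml`, an image signed on a self-managed instance needs both values replaced with that instance's URL (e.g. `--certificate-oidc-issuer "https://gitlab.example.com"` with a matching identity, where `gitlab.example.com` is a placeholder). Suggest spelling that out, since a verify that passes against the wrong issuer/identity pair is exactly what this section exists to prevent. Minor: the single-line `cosign verify "${IMAGE_REF}" --certificate-identity=... --certificate-oidc-issuer=...` command would read better split with backslashes as the worked example below it already is.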
......@@ -43,7 +43,14 @@ And with the follow base OS images:
- `alpine`, use `base_os: alpine` input to use it (default).
- `debian`, use `base_os: debian` input to use it.
The images have been signed with `cosign`.
The images have been signed with `cosign` and can be verified with the following command:
```shell
cosign verify \
"$CI_REGISTRY_IMAGE/gitlab-opentofu:$CI_COMMIT_TAG-alpine" \
--certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG" \
--certificate-oidc-issuer "https://gitlab.com"
```
> **Note:**
>
......
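Review bot: the command mixes an instance-relative identity (`$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG`) with a hardcoded issuer `https://gitlab.com`; on a self-managed instance the identity will resolve correctly but the issuer will not, so the verification fails. Suggest `--certificate-oidc-issuer "$CI_SERVER_URL"` so both values track the instance that signed the image. Two documentation points as well: `$CI_REGISTRY_IMAGE`, `$CI_COMMIT_TAG` and `$CI_PROJECT_URL` are only set inside a GitLab CI job, so a reader running this on a workstation needs a sentence saying to substitute concrete values; and the tag `$CI_COMMIT_TAG-alpine` covers only one of the two base OS images listed just above (`alpine` and `debian`), so the text should say the suffix changes with `base_os`.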
......@@ -352,10 +352,23 @@ See https://github.com/distribution/distribution/issues/1201*
Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
using [`sigstore/cosign`](https://github.com/sigstore/cosign).
Check the following docs to learn more about verifying the signature:
You can use the following command to verify the signatures:
- https://docs.sigstore.dev/cosign/verifying/verify/
- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
```shell
VERSION=X.Y.Z # put a released components/opentofu version here
IMAGE_REF=... # put a released components/opentofu image reference here
cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
```
For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
```shell
cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
--certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
--certificate-oidc-issuer "https://gitlab.com"
```
For self-managed mirrors the OIDC issuer must be changed, too.
### Using with Renovate
......
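Review bot: this hunk adds the same verification section word for word as the `@@ -333` hunk in the other file, so the same two points apply here: state what the issuer (and the identity) become for a self-managed instance instead of only saying it "must be changed, too", and split the long one-line `cosign verify "${IMAGE_REF}" ...` command with backslashes like the worked example below it. Since the text now lives in two files, note in the commit or a comment that they are meant to stay in sync, otherwise a later fix to one copy will silently leave the other stale.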