From b383bafc75a38fa10af385f10c291431c71bd636 Mon Sep 17 00:00:00 2001
From: Timo Furrer <tfurrer@gitlab.com>
Date: Tue, 29 Oct 2024 10:51:19 +0100
Subject: [PATCH] Document commands to verify image signatures
---
.gitlab/README.md.template | 19 ++++++++++++++++---
.gitlab/release-notes.md.template | 9 ++++++++-
README.md | 19 ++++++++++++++++---
3 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/.gitlab/README.md.template b/.gitlab/README.md.template
index 7a09bf9..2bc45df 100644
--- a/.gitlab/README.md.template
+++ b/.gitlab/README.md.template
@@ -333,10 +333,23 @@ See https://github.com/distribution/distribution/issues/1201*
Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
using [`sigstore/cosign`](https://github.com/sigstore/cosign).
-Check the following docs to learn more about verifying the signature:
+You can use the following command to verify the signatures:
-- https://docs.sigstore.dev/cosign/verifying/verify/
-- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+```shell
+VERSION=X.Y.Z # put a released components/opentofu version here
+IMAGE_REF=... # put a released components/opentofu image reference here
+cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
+```
+
+For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
+
+```shell
+cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
+ --certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
+ --certificate-oidc-issuer "https://gitlab.com"
+```
+
+For self-managed mirrors the OIDC issuer must be changed, too.
### Using with Renovate
diff --git a/.gitlab/release-notes.md.template b/.gitlab/release-notes.md.template
index 40dedc6..6a3da5b 100644
--- a/.gitlab/release-notes.md.template
+++ b/.gitlab/release-notes.md.template
@@ -43,7 +43,14 @@ And with the follow base OS images:
- `alpine`, use `base_os: alpine` input to use it (default).
- `debian`, use `base_os: debian` input to use it.
-The images have been signed with `cosign`.
+The images have been signed with `cosign` and can be verified with the following command:
+
+```shell
+cosign verify \
+ "$CI_REGISTRY_IMAGE/gitlab-opentofu:$CI_COMMIT_TAG-alpine" \
+ --certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG" \
+ --certificate-oidc-issuer "https://gitlab.com"
+```
> **Note:**
>
diff --git a/README.md b/README.md
index 0402b3c..754a0b8 100644
--- a/README.md
+++ b/README.md
@@ -352,10 +352,23 @@ See https://github.com/distribution/distribution/issues/1201*
Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
using [`sigstore/cosign`](https://github.com/sigstore/cosign).
-Check the following docs to learn more about verifying the signature:
+You can use the following command to verify the signatures:
-- https://docs.sigstore.dev/cosign/verifying/verify/
-- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
+```shell
+VERSION=X.Y.Z # put a released components/opentofu version here
+IMAGE_REF=... # put a released components/opentofu image reference here
+cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
+```
+
+For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
+
+```shell
+cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
+ --certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
+ --certificate-oidc-issuer "https://gitlab.com"
+```
+
+For self-managed mirrors the OIDC issuer must be changed, too.
### Using with Renovate
--
GitLab