Commit 9951ca1b authored by Timo Furrer's avatar Timo Furrer

Merge branch 'doc-sign-images-verify' into 'main'

Document commands to verify image signatures

See merge request components/opentofu!149
parents 929e8da8 b383bafc
......@@ -333,10 +333,23 @@ See https://github.com/distribution/distribution/issues/1201*
Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
using [`sigstore/cosign`](https://github.com/sigstore/cosign).
Check the following docs to learn more about verifying the signature:
You can use the following command to verify the signatures:
- https://docs.sigstore.dev/cosign/verifying/verify/
- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
```shell
VERSION=X.Y.Z # put a released components/opentofu version here
IMAGE_REF=... # put a released components/opentofu image reference here
cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
```
For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
```shell
cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
--certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
--certificate-oidc-issuer "https://gitlab.com"
```
For self-managed mirrors the OIDC issuer must be changed, too.
### Using with Renovate
......
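Review bot: the replaced lead sentence now reads "You can use the following command to verify the signatures:" but the two doc links still sit directly under it, so what follows the colon is a list of URLs rather than the command; keep the old "Check the following docs to learn more about verifying the signature:" as the intro for the links (or move the links below the fenced block) and put the new sentence immediately above the ```shell fence. In the same block, the single long `cosign verify "${IMAGE_REF}" --certificate-identity=... --certificate-oidc-issuer=...` line uses `--flag=value` while the worked example below uses `--flag value` with `\` continuations; pick one form and wrap the generic command the same way so the two are visibly the same invocation. The closing "For self-managed mirrors the OIDC issuer must be changed, too." is ambiguous: an image merely copied to another registry still carries a signature issued on gitlab.com, so identity and issuer stay as shown, whereas an image rebuilt from a self-managed instance needs both the `--certificate-identity` project URL and the `--certificate-oidc-issuer` changed; say which case is meant.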
......@@ -43,7 +43,14 @@ And with the follow base OS images:
- `alpine`, use `base_os: alpine` input to use it (default).
- `debian`, use `base_os: debian` input to use it.
The images have been signed with `cosign`.
The images have been signed with `cosign` and can be verified with the following command:
```shell
cosign verify \
"$CI_REGISTRY_IMAGE/gitlab-opentofu:$CI_COMMIT_TAG-alpine" \
--certificate-identity "$CI_PROJECT_URL//.gitlab-ci.yml@refs/tags/$CI_COMMIT_TAG" \
--certificate-oidc-issuer "https://gitlab.com"
```
> **Note:**
>
......
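Review bot: `--certificate-oidc-issuer "https://gitlab.com"` is hard-coded while `--certificate-identity` is built from `$CI_PROJECT_URL`, so on a self-managed instance the identity would follow the instance but the issuer check would still fail; use `$CI_SERVER_URL` for the issuer (or state that the snippet is only valid for gitlab.com) so the two flags stay consistent. Also check the image reference: `$CI_REGISTRY_IMAGE/gitlab-opentofu:$CI_COMMIT_TAG-alpine` has no OpenTofu version segment, whereas the example elsewhere in this MR uses `gitlab-opentofu:0.34.0-opentofu1.6.0-alpine`; if the released tags carry that segment, this command will not resolve an image as written.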
......@@ -352,10 +352,23 @@ See https://github.com/distribution/distribution/issues/1201*
Every released image is [signed](https://docs.gitlab.com/ee/ci/yaml/signing_examples.html)
using [`sigstore/cosign`](https://github.com/sigstore/cosign).
Check the following docs to learn more about verifying the signature:
You can use the following command to verify the signatures:
- https://docs.sigstore.dev/cosign/verifying/verify/
- https://docs.gitlab.com/ee/ci/yaml/signing_examples.html#verification
```shell
VERSION=X.Y.Z # put a released components/opentofu version here
IMAGE_REF=... # put a released components/opentofu image reference here
cosign verify "${IMAGE_REF}" --certificate-identity="https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/${VERSION}" --certificate-oidc-issuer="https://gitlab.com"
```
For example, for image ref `registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine` and version `0.34.0`:
```shell
cosign verify "registry.gitlab.com/components/opentofu/gitlab-opentofu:0.34.0-opentofu1.6.0-alpine" \
--certificate-identity "https://gitlab.com/components/opentofu//.gitlab-ci.yml@refs/tags/0.34.0" \
--certificate-oidc-issuer "https://gitlab.com"
```
For self-managed mirrors the OIDC issuer must be changed, too.
### Using with Renovate
......
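Review bot: this hunk duplicates the first one verbatim in a second file (same lead-sentence ordering problem, same unwrapped `cosign verify ... --certificate-identity=... --certificate-oidc-issuer=...` line, same ambiguous self-managed mirror sentence), so any fix has to be applied in both places; consider keeping the verification instructions in one file and linking to it from the other, and otherwise apply the same reordering and line-wrapping here so the two copies do not drift.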