Skip to content

Commit 7760feb

Browse files
knative-prow-robotevankanderson
knative-prow-robot
and
evankanderson
authored
Link to supply-chain details rather than including inline. (#6200)
Co-authored-by: Evan Anderson <[email protected]>
1 parent d6ea0fe commit 7760feb

File tree

2 files changed

+8
-22
lines changed

2 files changed

+8
-22
lines changed

docs/reference/security/verifying-images.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,12 @@ cosign verify-attestation \
2525
$IMAGE
2626
```
2727

28-
Note that the in-toto document is base64 encoded in the `.payload` attribute
28+
!!! note
29+
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
30+
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
31+
Our signing identity(Subject) for our releases is `[email protected]` and the Issuer is `https://accounts.google.com`
32+
33+
The in-toto document is base64 encoded in the `.payload` attribute
2934
of the attestation; you can use `jq` to extract this with the following
3035
invocation:
3136

docs/snippets/security-prereqs-images.md

Lines changed: 2 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,2 @@
1-
## Verifying image signatures
2-
3-
Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore.dev/quickstart/quickstart-cosign/).
4-
5-
1. Install [cosign](https://docs.sigstore.dev/cosign/system_config/installation/) and [jq](https://stedolan.github.io/jq/).
6-
7-
1. Extract the images from a manifeset and verify the signatures.
8-
9-
```bash
10-
curl -sSL {{ artifact(repo="serving",file="serving-core.yaml") }} \
11-
| grep 'gcr.io/' | awk '{print $2}' | sort | uniq \
12-
| xargs -n 1 \
13-
cosign verify -o text \
14-
--certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
15-
--certificate-oidc-issuer=https://accounts.google.com
16-
```
17-
18-
!!! note
19-
Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
20-
[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
21-
Our signing identity(Subject) for our releases is `[email protected]` and the Issuer is `https://accounts.google.com`
1+
Optionally, you may choose to [verify the images before installing](/docs/reference/security/verifying-images.md).
2+
You may also need the image verification information if your cluster is configured to verify image signatures during pod execution.

0 commit comments

Comments
 (0)