Merge pull request #42996 from saschagrunert/sbom-verification

k8s-ci-robot · web-flow · commit 263b518e32de · 2023-09-12T16:56:11.000-07:00
Add SBOM verification to docs
diff --git a/content/en/docs/tasks/administer-cluster/verify-signed-artifacts.md b/content/en/docs/tasks/administer-cluster/verify-signed-artifacts.md
@@ -116,3 +116,32 @@ Here are some helpful resources to get started with `policy-controller`:
 
 - [Installation](https://github.com/sigstore/helm-charts/tree/main/charts/policy-controller)
 - [Configuration Options](https://github.com/sigstore/policy-controller/tree/main/config)
+
+## Verify the Software Bill Of Materials
+
+You can verify the Kubernetes Software Bill of Materials (SBOM) by using the
+sigstore certificate and signature, or the corresponding SHA files:
+
+```shell
+# Retrieve the latest available Kubernetes release version
+VERSION=$(curl -Ls https://dl.k8s.io/release/stable.txt)
+
+# Verify the SHA512 sum
+curl -Ls "https://sbom.k8s.io/$VERSION/release" -o "$VERSION.spdx"
+echo "$(curl -Ls "https://sbom.k8s.io/$VERSION/release.sha512") $VERSION.spdx" | sha512sum --check
+
+# Verify the SHA256 sum
+echo "$(curl -Ls "https://sbom.k8s.io/$VERSION/release.sha256") $VERSION.spdx" | sha256sum --check
+
+# Retrieve sigstore signature and certificate
+curl -Ls "https://sbom.k8s.io/$VERSION/release.sig" -o "$VERSION.spdx.sig"
+curl -Ls "https://sbom.k8s.io/$VERSION/release.cert" -o "$VERSION.spdx.cert"
+
+# Verify the sigstore signature
+cosign verify-blob \
+    --certificate "$VERSION.spdx.cert" \
+    --signature "$VERSION.spdx.sig" \
+    --certificate-identity krel-staging@k8s-releng-prod.iam.gserviceaccount.com \
+    --certificate-oidc-issuer https://accounts.google.com \
+    "$VERSION.spdx"
+```
