[zh-cn] administer-cluster/verify-signed-artifacts.md

my-git9 · my-git9 · commit ece6fd901510 · 2023-05-15T22:09:13.000+08:00
Signed-off-by: xin.li &lt;xin.li@daocloud.io&gt;
diff --git a/content/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts.md b/content/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts.md
@@ -18,22 +18,18 @@ weight: 420
 ## {{% heading "prerequisites" %}}
 
 <!--
-These instructions are for Kubernetes {{< skew currentVersion >}}. If you want
-to check the integrity of components for a different version of Kubernetes,
-check the documentation for that Kubernetes release.
-
 You will need to have the following tools installed:
 
 - `cosign` ([install guide](https://docs.sigstore.dev/cosign/installation/))
 - `curl` (often provided by your operating system)
+- `jq` ([download jq](https://stedolan.github.io/jq/download/))
 -->
-这些说明适用于 Kubernetes {{< skew currentVersion >}}。
-如果你想要检查其他版本的 Kubernetes 组件的完整性，请查看对应 Kubernetes 版本的文档。
-
 你需要安装以下工具：
 
 - `cosign`（[安装指南](https://docs.sigstore.dev/cosign/installation/)）
 - `curl`（通常由你的操作系统提供）
+- `jq`（[下载 jq](https://stedlan.github.io/jq/download/)）
+
 
 <!-- 
 ## Verifying binary signatures
@@ -45,8 +41,9 @@ binary, retrieve it together with its signature and certificate:
 
 ## 验证二进制签名 {#verifying-binary-signatures}
 
-Kubernetes 发布过程使用 cosign 的无密钥签名对所有二进制工件（压缩包、SPDX 文件、 独立的二进制文件）签名。
-要验证一个特定的二进制文件，获取组件时要包含其签名和证书：
+Kubernetes 发布过程使用 cosign 的无密钥签名对所有二进制工件（压缩包、
+SPDX 文件、 独立的二进制文件）签名。要验证一个特定的二进制文件，
+获取组件时要包含其签名和证书：
 
 ```bash
 URL=https://dl.k8s.io/release/v{{< skew currentPatchVersion >}}/bin/linux/amd64
@@ -64,26 +61,37 @@ done
 ```
 
 <!--
-Then verify the blob by using `cosign`:
-
-cosign v1.9.0 is required to be able to use the `--certificate` flag. Please use
-`--cert` for older versions of cosign.
+Then verify the blob by using `cosign verify-blob`:
 -->
-然后使用 `cosign` 验证二进制文件：
+然后使用 `cosign verify-blob` 验证二进制文件：
 
 ```shell
-cosign verify-blob "$BINARY" --signature "$BINARY".sig --certificate "$BINARY".cert
+cosign verify-blob "$BINARY" \
+  --signature "$BINARY".sig \
+  --certificate "$BINARY".cert \
+  --certificate-identity krel-staging@k8s-releng-prod.iam.gserviceaccount.com \
+  --certificate-oidc-issuer https://accounts.google.com
 ```
 
-cosign 自 v1.9.0 版本开始才能使用 `--certificate` 标志，旧版本的 cosign 请使用 `--cert`。
-
 {{< note >}}
 <!-- 
-To learn more about keyless signing, please refer to [Keyless
-Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures).
+Cosign 2.0 requires the `--certificate-identity` and `--certificate-oidc-issuer` options.
+
+To learn more about keyless signing, please refer to [Keyless Signatures](https://docs.sigstore.dev/cosign/keyless).
+
+Previous versions of Cosign required that you set `COSIGN_EXPERIMENTAL=1`.
+
+For additional information, plase refer to the [sigstore Blog](https://blog.sigstore.dev/cosign-2-0-released/)
 -->
+Cosign 2.0 需要指定 `--certificate-identity` 和 `--certificate-oidc-issuer` 选项。
+
 想要进一步了解无密钥签名，请参考
 [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)。
+
+Cosign 的早期版本还需要设置 `COSIGN_EXPERIMENTAL=1`。
+
+如需更多信息，请参考
+[sigstore Blog](https://blog.sigstore.dev/cosign-2-0-released/)
 {{< /note >}}
 
 <!--
@@ -92,7 +100,7 @@ Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-sign
 For a complete list of images that are signed please refer
 to [Releases](/releases/download/).
 
-Let's pick one image from this list and verify its signature using
+Pick one image from this list and verify its signature using
 the `cosign verify` command:
 -->
 ## 验证镜像签名 {#verifying-image-signatures}
@@ -102,60 +110,64 @@ the `cosign verify` command:
 从这个列表中选择一个镜像，并使用 `cosign verify` 命令来验证它的签名：
 
 ```shell
-COSIGN_EXPERIMENTAL=1 cosign verify registry.k8s.io/kube-apiserver-amd64:v{{< skew currentPatchVersion >}}
+cosign verify registry.k8s.io/kube-apiserver-amd64:v{{< skew currentPatchVersion >}} \
+  --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
+  --certificate-oidc-issuer https://accounts.google.com \
+  | jq .
 ```
 
-{{< note >}}
-<!--
-`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
-in `KEYLESS` mode. To learn more about keyless signing, please refer to
-[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures).
--->
-`COSIGN_EXPERIMENTAL=1` 用于对以 `KEYLESS` 模式签名的镜像进行验证。想要进一步了解 `KEYLESS`，请参考
-[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)。
-{{< /note >}}
-
 <!--
 ### Verifying images for all control plane components
 
-To verify all signed control plane images, please run this command:
+To verify all signed control plane images for the latest stable version
+(v{{< skew currentPatchVersion >}}), please run the following commands:
 -->
 ### 验证所有控制平面组件镜像  {#verifying-images-for-all-control-plane-components}
 
-验证所有已签名的控制平面组件镜像，请运行以下命令：
+验证最新稳定版（v{{< skew currentPatchVersion >}}）所有已签名的控制平面组件镜像，
+请运行以下命令：
 
 ```shell
-curl -Ls "https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/stable.txt)/release" | grep "SPDXID: SPDXRef-Package-registry.k8s.io" |  grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' > images.txt
+curl -Ls "https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/stable.txt)/release" \
+  | grep "SPDXID: SPDXRef-Package-registry.k8s.io" \
+  | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' \
+  | sort > images.txt
 input=images.txt
 while IFS= read -r image
 do
-  COSIGN_EXPERIMENTAL=1 cosign verify "$image"
+  cosign verify "$image" \
+    --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \
+    --certificate-oidc-issuer https://accounts.google.com \
+    | jq .
 done < "$input"
 ```
 
 <!--
-Once you have verified an image, specify that image by its digest in your Pod
-manifests as per this
-example: `registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2`.
+Once you have verified an image, you can specify that image by its digest in your Pod
+manifests as per this example:
 
 For more information, please refer
-to [Image Pull Policy](/docs/concepts/containers/images/#image-pull-policy)
+to the [Image Pull Policy](/docs/concepts/containers/images/#image-pull-policy)
 section.
 -->
 当你完成某个镜像的验证时，可以在你的 Pod 清单通过摘要值来指定该镜像，例如：
-`registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2`。
+
+```console
+registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
+```
 
 要了解更多信息，请参考[镜像拉取策略](/zh-cn/docs/concepts/containers/images/#image-pull-policy)章节。
 
 <!--
 ## Verifying Image Signatures with Admission Controller
 
-For non-control plane images (
-e.g. [conformance image](https://github.com/kubernetes/kubernetes/blob/master/test/conformance/image/README.md))
-, signatures can also be verified at deploy time using
+For non-control plane images (for example
+[conformance image](https://github.com/kubernetes/kubernetes/blob/master/test/conformance/image/README.md)),
+signatures can also be verified at deploy time using
 [sigstore policy-controller](https://docs.sigstore.dev/policy-controller/overview)
-admission controller. To get started with `policy-controller` here are a few helpful
-resources:
+admission controller. 
+
+Here are some helpful resources to get started with `policy-controller`:
 
 * [Installation](https://github.com/sigstore/helm-charts/tree/main/charts/policy-controller)
 * [Configuration Options](https://github.com/sigstore/policy-controller/tree/main/config)
@@ -166,7 +178,7 @@ resources:
 （例如 [conformance 镜像](https://github.com/kubernetes/kubernetes/blob/master/test/conformance/image/README.md)），
 也可以在部署时使用
 [sigstore policy-controller](https://docs.sigstore.dev/policy-controller/overview)
-控制器验证其签名。如要使用 `policy-controller`，下面是一些有帮助的资源：
+控制器验证其签名。以下是一些有助于你开始使用 `policy-controller` 的资源：
 
 - [安装](https://github.com/sigstore/helm-charts/tree/main/charts/policy-controller)
 - [配置选项](https://github.com/sigstore/policy-controller/tree/main/config)
