kubearmor / kubearmor-client

KubeArmor cli tool aka kArmor :robot:
Apache License 2.0

add instructions to verify the tarballs using cosign #406

Closed kranurag7 closed 5 months ago

kranurag7 commented 6 months ago

We sign our binary using cosign and the verification instructions are not documented anywhere. This issue tracks documenting instructions to verify the binary.

Below are the instructions to verify the binary using cosign for the v1.1.0 release of karmor.

$ curl -LO https://github.com/kubearmor/kubearmor-client/releases/download/v1.1.0/karmor_1.1.0_linux_amd64.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
100 21.7M  100 21.7M    0     0   956k      0  0:00:23  0:00:23 --:--:-- 1245k

$ curl -LO https://github.com/kubearmor/kubearmor-client/releases/download/v1.1.0/karmor_1.1.0_linux_amd64.tar.gz.cert
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
100  3264  100  3264    0     0    617      0  0:00:05  0:00:05 --:--:--  2710

$ curl -LO https://github.com/kubearmor/kubearmor-client/releases/download/v1.1.0/karmor_1.1.0_linux_amd64.tar.gz.sig
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100    96  100    96    0     0     34      0  0:00:02  0:00:02 --:--:--   151

$ cosign verify-blob karmor_1.1.0_linux_amd64.tar.gz --certificate-identity=https://github.com/kubearmor/kubearmor-client/.github/workflows/release.yml@refs/tags/v1.1.0 --certificate-oidc-issuer=https://token.actions.githubusercontent.com --signature karmor_1.1.0_linux_amd64.tar.gz.sig --certificate karmor_1.1.0_linux_amd64.tar.gz.cert
Verified OK
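
Added example (not part of the issue or of the kubearmor-client repository): the commands above wrapped in a script that derives the download URLs and the certificate identity from the version, and extracts the tarball only after `cosign verify-blob` succeeds. It assumes other releases use the same asset names and `release.yml` workflow as v1.1.0; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the kubearmor-client repository.
# Assumption: each release follows the v1.1.0 asset naming and signing workflow.
set -eu

REPO="https://github.com/kubearmor/kubearmor-client"
ISSUER="https://token.actions.githubusercontent.com"

# Tarball name for a version (with or without a leading "v"), OS and arch.
karmor_asset() {
  printf 'karmor_%s_%s_%s.tar.gz' "${1#v}" "$2" "$3"
}

# Download URL of the tarball; append .sig or .cert for the signing material.
karmor_asset_url() {
  printf '%s/releases/download/v%s/%s' "$REPO" "${1#v}" "$(karmor_asset "$@")"
}

# Identity cosign must find in the certificate: the release workflow run at
# exactly this tag, so a blob signed from another ref or workflow is rejected.
karmor_identity() {
  printf '%s/.github/workflows/release.yml@refs/tags/v%s' "$REPO" "${1#v}"
}

# Usage: verify_and_extract VERSION OS ARCH DEST
# Runs in a subshell; every step is checked explicitly, so nothing is
# extracted unless all three downloads and the verification succeed.
verify_and_extract() (
  asset=$(karmor_asset "$1" "$2" "$3")
  url=$(karmor_asset_url "$1" "$2" "$3")
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  for suffix in "" .sig .cert; do
    curl --fail --silent --show-error --location \
      --output "$tmp/$asset$suffix" "$url$suffix" || exit 1
  done
  cosign verify-blob "$tmp/$asset" \
    --certificate-identity="$(karmor_identity "$1")" \
    --certificate-oidc-issuer="$ISSUER" \
    --signature "$tmp/$asset.sig" \
    --certificate "$tmp/$asset.cert" || exit 1
  mkdir -p "$4" && tar -xzf "$tmp/$asset" -C "$4"
)

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
  verify_and_extract "$@"
fi
```

Saved under a file name of your choice, it is run with four arguments, for example `1.1.0 linux amd64 ./karmor`; a non-zero exit status means the destination directory was not populated.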

rod4n4m1 commented 6 months ago

I can help with this one, please assign to me.

rod4n4m1 commented 5 months ago

@kranurag7 I bumped the PR #409 for this issue. Please check it.

kranurag7 commented 5 months ago

completed via https://github.com/kubearmor/kubearmor-client/pull/409