Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add 'Signature Verification' guide #4731

Merged
merged 3 commits into from
Sep 12, 2023
Merged

docs: add 'Signature Verification' guide #4731

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f396439
add 'Signature Verification' guide
nikpivkin Jun 28, 2023
94b854b
add gpg signature verification doc
nikpivkin Jun 29, 2023
25892cb
Merge branch 'main' into docs-signature-verification
knqyf263 Sep 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 85 additions & 0 deletions docs/getting-started/signature-verification.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,85 @@
# Signature Verification

## Verifying a Cosign signature
All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).

You need the following tools:

- [Cosign](https://docs.sigstore.dev/cosign/installation/)
- [jq](https://jqlang.github.io/jq/download/)

### Verifying signed container images
1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
```shell
cosign verify aquasec/trivy:<version> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
| jq .
```
2. You should get the following output
```shell
Verification for index.docker.io/aquasec/trivy:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates

....
```

### Verifying signed binaries

1. Download the required binary and associated signature and certificate files
2. Use the following command for keyless verification:
```shell
cosign verify-blob <path to binray> \
--certificate <path to cert> \
--signature $(cat <path to sig>) \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
```
3. You should get the following output
```
Verified OK
```

## Verifying a GPG signature

RPM and Deb packages are also signed by GPG.

### Verifying RPM

The public key downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key).

1. Download the public key
```shell
curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
--output pub.key
```
2. Import the key
```shell
rpm --import pub.key
```
3. Verify that the key has been imported
```shell
rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
```
You should get the following output
```shell
gpg(trivy)
```

4. Download the required binary
```shell
curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
--output trivy.rpm
```
5. Check the binary with the following command
```shell
rpm -K trivy.rpm
```
You should get the following output
```shell
trivy.rpm: digests signatures OK
```

1 change: 1 addition & 0 deletions mkdocs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ nav:
- Getting Started:
- Overview: index.md
- Installation: getting-started/installation.md
- Signature Verification: getting-started/signature-verification.md
- Scanning coverage: getting-started/coverage.md
- FAQ: getting-started/faq.md
- Tutorials:
Expand Down