Document cosign, and add to release notes (#264)

FairwindsOps · Feb 16, 2022 · 98dad45 · 98dad45
1 parent 06f381c
commit 98dad45
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -10,6 +10,16 @@ brews:
       system "#{bin}/pluto version"
 release:
   prerelease: auto
+  footer: |
+    You can verify the signatures of both the checksums.txt file and the published docker images using [cosign](https://github.com/sigstore/cosign).
+
+    ```
+    cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
+    ```
+
+    ```
+    cosign verify us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5 --key https://artifacts.fairwinds.com/cosign.pub
+    ```
 builds:
   - ldflags:
       - -X main.version={{.Version}} -X main.commit={{.Commit}} -s -w

diff --git a/docs/installation.md b/docs/installation.md
@@ -32,3 +32,20 @@ Note: This is not maintained by Fairwinds, but should stay up to date with futur
 ```
 scoop install pluto
 ```
+
+# Verify Artifacts
+
+Fairwinds signs the Pluto docker image and the checksums file with [cosign](https://github.com/sigstore/cosign). Our public key is available at https://artifacts.fairwinds.com/cosign.pub
+
+You can verify the checksums file from the [releases](https://github.com/FairwindsOps/pluto/releases) page with the following command:
+
+```
+cosign verify-blob checksums.txt --signature=checksums.txt.sig  --key https://artifacts.fairwinds.com/cosign.pub
+```
+
+Verifying docker images is even easier:
+
+```
+cosign verify us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5 --key https://artifacts.fairwinds.com/cosign.pub
+```
+