From 98dad450154cc00826f75678b649131abb02ddf2 Mon Sep 17 00:00:00 2001 From: Andrew Suderman Date: Wed, 16 Feb 2022 14:32:40 -0700 Subject: [PATCH] Document cosign, and add to release notes (#264) --- .goreleaser.yml | 10 ++++++++++ docs/installation.md | 17 +++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/.goreleaser.yml b/.goreleaser.yml index 87119586..6335c5d7 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -10,6 +10,16 @@ brews: system "#{bin}/pluto version" release: prerelease: auto + footer: | + You can verify the signatures of both the checksums.txt file and the published docker images using [cosign](https://github.com/sigstore/cosign). + + ``` + cosign verify-blob checksums.txt --signature=checksums.txt.sig --key https://artifacts.fairwinds.com/cosign.pub + ``` + + ``` + cosign verify us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5 --key https://artifacts.fairwinds.com/cosign.pub + ``` builds: - ldflags: - -X main.version={{.Version}} -X main.commit={{.Commit}} -s -w diff --git a/docs/installation.md b/docs/installation.md index e0fa2039..989af097 100644 --- a/docs/installation.md +++ b/docs/installation.md @@ -32,3 +32,20 @@ Note: This is not maintained by Fairwinds, but should stay up to date with futur ``` scoop install pluto ``` + +# Verify Artifacts + +Fairwinds signs the Pluto docker image and the checksums file with [cosign](https://github.com/sigstore/cosign). Our public key is available at https://artifacts.fairwinds.com/cosign.pub + +You can verify the checksums file from the [releases](https://github.com/FairwindsOps/pluto/releases) page with the following command: + +``` +cosign verify-blob checksums.txt --signature=checksums.txt.sig --key https://artifacts.fairwinds.com/cosign.pub +``` + +Verifying docker images is even easier: + +``` +cosign verify us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5 --key https://artifacts.fairwinds.com/cosign.pub +``` +
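Review bot: the `.goreleaser.yml` footer hunk tells readers how to verify the signature on `checksums.txt` but never tells them to check the archive they downloaded against it, so the signature is not actually tied to the binary they run; add a follow-up line after the verify-blob example such as `sha256sum --ignore-missing -c checksums.txt`. The image example has a related gap: `us-docker.pkg.dev/fairwinds-ops/oss/pluto:v5` is a floating tag, so `cosign verify` on it attests whatever currently holds that tag rather than the release these notes belong to. The same file already templates `{{.Version}}` in ldflags, so the footer could reference the release's own tag (e.g. `{{ .Tag }}`) or tell readers to verify by digest.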
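Review bot: in the `docs/installation.md` hunk the key is fetched over HTTPS on every invocation (`--key https://artifacts.fairwinds.com/cosign.pub`), so the chain of trust reduces to TLS for that host; recommend telling readers to download the key once, compare it against a copy published out of band (for example the key contents checked into this repository), and pass a local path to `--key`. The sentence "Verifying docker images is even easier" also glosses over the fact that `pluto:v5` moves with every v5 release and that the tag is resolved again at `docker pull` time, so the docs should show a fully qualified tag or a digest (`@sha256:...`) and note that the image should be pulled by the digest cosign verified rather than by the tag.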