Merge pull request #611 from dgiebert/main
Update docs to use cosign v2
flavio authored Sep 26, 2023
2 parents 18bbef8 + d1171ba commit 04feb90
Showing 1 changed file with 6 additions and 3 deletions.
9 changes: 6 additions & 3 deletions README.md
Expand Up @@ -297,19 +297,22 @@ Then start a new shell or run `source ~/.zshrc` once.

## Verify kwctl binaries

kwctl binaries are signed using [Sigstore](https://docs.sigstore.dev/cosign/working_with_blobs/#signing-blobs-as-files).
kwctl binaries are signed using [Sigstore's blog signing](https://docs.sigstore.dev/signing/signing_with_blobs/).
When you download a [kwctl release](https://github.com/kubewarden/kwctl/releases/) each zip file contains two
files that can be used for verification: `kwctl.sig` and `kwctl.pem`.

In order to verify kwctl you need cosign installed, and then execute the following command:

```
COSIGN_EXPERIMENTAL=1 cosign verify-blob --signature kwctl-linux-x86_64.sig --cert kwctl-linux-x86_64.pem kwctl-linux-x86_64
cosign verify-blob \
--signature kwctl-linux-x86_64.sig \
--cert kwctl-linux-x86_64.pem kwctl-linux-x86_64
--certificate-identity-regexp 'https://github.com/kubewarden/*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
```

The output should be:

```
tlog entry verified with uuid: 7e5a4fac8f45cdddeafd6901af566b9576be307a06caa3fbc45f91da102214e0 index: 2435066
Verified OK
```
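
Review bot: the added command is missing a trailing backslash after `--cert kwctl-linux-x86_64.pem kwctl-linux-x86_64`, so the shell ends the cosign invocation on that line and then tries to run `--certificate-identity-regexp ...` as a separate command; the two identity flags this change introduces never reach cosign. Move the `kwctl-linux-x86_64` blob argument to the last line and end every line before it with `\`. The identity pattern `'https://github.com/kubewarden/*'` is also written as a glob rather than a regular expression: as a regex, `/*` means zero or more slashes, so it does not limit the signer identity to paths under `kubewarden/`. A pattern such as `'^https://github\.com/kubewarden/'` pins the organisation prefix. Lastly, the new link text reads "Sigstore's blog signing", which should be "blob signing".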
