chainguard-dev / apko

Build OCI images from APK packages directly without Dockerfile

Home Page: https://apko.dev

Verify source code with cosign

kpcyrd opened this issue · comments

Hello!

cosign was brought up in the Arch Linux packaging channel and I was wondering if apko could be a good example package to document how to integrate cosign into a PKGBUILD.

Specifically, after downloading the source code from this url:

https://github.com/chainguard-dev/apko/archive/refs/tags/v0.14.1.tar.gz

How would I use cosign to authenticate this source code? Do I need to access a git object instead?

I noticed there are .sig and .crt files attached to the release, but they are all architecture specific (and same for the content of checksums.txt).

Input very welcome, thanks! :)

We have some good docs here: https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-verify-file-signatures-with-cosign/

~ on ☁️  krish.jain@chainguard.dev 
❯ cosign verify-blob \
  --signature https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_amd64.tar.gz.sig \
  --certificate https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_amd64.tar.gz.crt \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  --certificate-identity "https://github.com/chainguard-dev/apko/.github/workflows/release.yaml@refs/tags/v0.14.7" \
  https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_amd64.tar.gz
Verified OK

If you encounter any issues related to architecture-specific signatures and certificates, make sure that you are using the correct set of files for your specific architecture.

Feel free to reach out if this is still a problem.
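The verify-blob invocation above, wrapped as an added example (not apko's own tooling) that pins the release workflow identity for a given tag and then checks the downloaded asset against the per-architecture entry in checksums.txt. It assumes cosign, curl and sha256sum (or shasum) are installed and that checksums.txt uses the usual `<sha256>  <filename>` line format.

```shell
#!/usr/bin/env bash
# Added example: verify one apko release asset with a pinned Sigstore identity.
set -eu

REPO="chainguard-dev/apko"
ISSUER="https://token.actions.githubusercontent.com"   # GitHub Actions OIDC issuer

# Identity the signing certificate must carry for tag $1. Pinning the exact
# workflow path and tag rejects certificates issued to any other workflow/repo.
apko_cert_identity() {
  printf 'https://github.com/%s/.github/workflows/release.yaml@refs/tags/%s\n' "$REPO" "$1"
}

# Release asset name for version $1 (no leading "v") and os_arch $2.
apko_asset_name() {
  printf 'apko_%s_%s.tar.gz\n' "$1" "$2"
}

# Hash of file $1, using whichever sha256 tool is available.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Expected sha256 for file name $2 from checksums.txt at $1 (assumed format:
# "<sha256>  <filename>", one line per architecture, so we select by name).
expected_sha256() {
  awk -v f="$2" '$2 == f { print $1; exit }' "$1"
}

# Compare a local file ($2) against checksums.txt ($1); 0 on match, 2 if unlisted.
check_sha256() {
  local want got
  want=$(expected_sha256 "$1" "$(basename "$2")")
  [ -n "$want" ] || return 2
  got=$(file_sha256 "$2")
  [ "$want" = "$got" ]
}

# Download tag $1 / arch $2, verify signature + certificate, then the checksum.
verify_apko_release() {
  local tag="$1" arch="$2" asset base
  asset=$(apko_asset_name "${tag#v}" "$arch")
  base="https://github.com/$REPO/releases/download/$tag"
  curl -fsSLO "$base/$asset" -O "$base/$asset.sig" -O "$base/$asset.crt" -O "$base/checksums.txt"
  cosign verify-blob --signature "$asset.sig" --certificate "$asset.crt" \
    --certificate-oidc-issuer "$ISSUER" \
    --certificate-identity "$(apko_cert_identity "$tag")" "$asset"
  check_sha256 checksums.txt "$asset"
}
```

Run `verify_apko_release v0.14.7 linux_amd64` from a scratch directory; the checksum step only confirms the asset matches the signed release manifest, the cosign step is what establishes who built it.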

https://github.com/chainguard-dev/apko/archive/refs/tags/v0.14.1.tar.gz is an export tarball of the git tag that GitHub generates automatically (on the fly).

It is not an artifact uploaded by our release workflows, which sign binary artifacts using cosign.

Some commits and tags are at times signed with gitsign / cosign, however many commits are signed with ssh/gpg signatures instead.