
Signature verification added, release notes automated #1463

Merged
merged 1 commit into from
Jan 25, 2024

Conversation

rcmadhankumar
Contributor

What this PR does / why we need it:

Added signature verification for Kapp-controller's release artifacts.

Which issue(s) this PR fixes:

Fixes #1341 #1343

Does this PR introduce a user-facing change?


Additional Notes for your reviewer:

Sample release notes:

Installation and signature verification

Installation of kctrl

By downloading binary from the release

For instance, if you are using Linux on an AMD64 architecture:

# Download the binary
curl -LO https://github.com/carvel-dev/kapp-controller/releases/download/v0.46.5-releasetest5/kctrl-linux-amd64
# Move the binary in to your PATH
mv kctrl-linux-amd64 /usr/local/bin/kctrl
# Make the binary executable
chmod +x /usr/local/bin/kctrl

Via Homebrew (macOS or Linux)

$ brew tap carvel-dev/carvel
$ brew install kctrl
$ kctrl version

Verify checksums file signature

Install cosign on your system https://docs.sigstore.dev/system_config/installation/

The checksums file provided within the artifacts attached to this release is signed using Cosign with GitHub OIDC. To validate the signature of this file, run the following commands:

# Download the checksums file, certificate, and signature
curl -LO https://github.com/carvel-dev/kapp-controller/releases/download/v0.46.5-releasetest5/checksums.txt
curl -LO https://github.com/carvel-dev/kapp-controller/releases/download/v0.46.5-releasetest5/checksums.txt.pem
curl -LO https://github.com/carvel-dev/kapp-controller/releases/download/v0.46.5-releasetest5/checksums.txt.sig

# Verify the checksums file
cosign verify-blob checksums.txt --certificate checksums.txt.pem --signature checksums.txt.sig --certificate-identity-regexp=https://github.com/carvel-dev --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Verify binary integrity

To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. For instance, if you are using Linux on an AMD64 architecture:

# Verify the binary using the checksums file
sha256sum -c checksums.txt --ignore-missing

Installation of kapp-controller

kapp-controller can be installed by using kapp

kapp deploy -a kc -f https://github.com/carvel-dev/kapp-controller/releases/download/v0.46.5-releasetest5/release.yml

or by using kubectl

kubectl apply -f https://github.com/carvel-dev/kapp-controller/releases/download/v0.46.5-releasetest5/release.yml

Container Images

Kapp-controller and Kapp-controller-package-bundle images are available in Github Container Registry.

OCI Image URLs

  • ghcr.io/carvel-dev/kapp-controller@sha256:16d920b463f20a5529a2b5a245e18c7d0954070d84c8013e1793fdcfc43439bb
  • ghcr.io/carvel-dev/kapp-controller-package-bundle@sha256:6a8b958151ef55ca2ad7776bcc6dc186296a7a18b6ee34aa8b2437ff0293344b

Verify container image signature

The container images are signed using Cosign with GitHub OIDC. To validate the signature of OCI images, run the following commands:

# Verifying kapp-controller image
cosign verify ghcr.io/carvel-dev/kapp-controller@sha256:16d920b463f20a5529a2b5a245e18c7d0954070d84c8013e1793fdcfc43439bb --certificate-identity-regexp=https://github.com/carvel-dev --certificate-oidc-issuer=https://token.actions.githubusercontent.com -o text

# Verifying kapp-controller-package-bundle image
cosign verify ghcr.io/carvel-dev/kapp-controller-package-bundle@sha256:6a8b958151ef55ca2ad7776bcc6dc186296a7a18b6ee34aa8b2437ff0293344b --certificate-identity-regexp=https://github.com/carvel-dev --certificate-oidc-issuer=https://token.actions.githubusercontent.com -o text

📂 Files Checksum

Review Checklist:
  • Follows the developer guidelines
  • Relevant tests are added or updated
  • Relevant docs in this repo added or updated
  • Relevant carvel.dev docs added or updated in a separate PR and there's a link to that PR
  • Code is at least as readable and maintainable as it was before this change

Additional documentation e.g., Proposal, usage docs, etc.:

Proposal: https://github.com/carvel-dev/carvel/tree/develop/proposals/carvel/002-artifact-signatures

Signed-off-by: rcmadhankumar <rcmadhankumar@gmail.com>
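The checksums-file signature check and the binary integrity check from the sample release notes, scripted as one fail-closed step. This is an added example, not code from the kapp-controller project; it assumes GNU coreutils (sha256sum, awk), the `<sha256>  ./<file>` line format shown in the release notes, and that cosign matches `--certificate-identity-regexp` unanchored (Go regexp semantics), which is why the regexp below is anchored with `^`.

```bash
#!/usr/bin/env bash
# Added example, not code from the kapp-controller project: scripts the
# release-note procedure so that (1) the checksums.txt signature is checked
# with cosign and (2) one downloaded binary is checked against that file,
# failing closed if the binary is not listed at all.
set -euo pipefail

# Same cosign call as the release notes, with the identity regexp anchored.
# Assumption about cosign: the regexp is matched unanchored (Go regexp
# semantics), so a bare prefix would also accept any identity that merely
# starts with it. Needs network access and cosign; not run in the demo below.
verify_checksums_signature() {
  local checksums="$1"
  cosign verify-blob "$checksums" \
    --certificate "$checksums.pem" --signature "$checksums.sig" \
    --certificate-identity-regexp='^https://github\.com/carvel-dev/' \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com
}

# verify_against_checksums <checksums-file> <binary-path>
# Returns 0 only when the binary's name is listed and its SHA-256 matches;
# 1 when it is not listed (sha256sum -c --ignore-missing simply never looks
# at an unlisted file), 2 on a hash mismatch.
verify_against_checksums() {
  local checksums="$1" binary="$2" name expected actual
  name=$(basename "$binary")
  expected=$(awk -v f="./$name" '$2 == f { print $1 }' "$checksums")
  if [ -z "$expected" ]; then
    echo "refusing: $name is not listed in $checksums" >&2
    return 1
  fi
  actual=$(sha256sum "$binary" | awk '{ print $1 }')
  if [ "$expected" != "$actual" ]; then
    echo "MISMATCH for $name: expected $expected, got $actual" >&2
    return 2
  fi
  echo "OK: $name"
}

# Constructed sample artifacts (not real release files): one good binary,
# one whose content differs from what the checksums file records.
demo_dir=$(mktemp -d)
printf 'fake kctrl build\n' > "$demo_dir/kctrl-linux-amd64"
printf 'altered build\n'    > "$demo_dir/kctrl-linux-arm64"
{
  printf '%s  ./kctrl-linux-amd64\n' "$(sha256sum "$demo_dir/kctrl-linux-amd64" | awk '{print $1}')"
  printf '%s  ./kctrl-linux-arm64\n' "$(printf 'original build\n' | sha256sum | awk '{print $1}')"
} > "$demo_dir/checksums.txt"
verify_against_checksums "$demo_dir/checksums.txt" "$demo_dir/kctrl-linux-amd64"
```

Run `verify_checksums_signature checksums.txt` on the real downloaded files before trusting the list; the per-binary check is only as good as the signature check that precedes it.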
@rcmadhankumar rcmadhankumar merged commit 2ebe1ba into develop Jan 25, 2024
11 checks passed
@rcmadhankumar rcmadhankumar linked an issue Jan 29, 2024 that may be closed by this pull request
@praveenrewar praveenrewar deleted the add-signature branch April 29, 2024 21:49
Successfully merging this pull request may close these issues.

Sign kctrl binaries while releasing them Sign kapp-controller container images while publishing them