diff --git a/docs/getting-started/signature-verification.md b/docs/getting-started/signature-verification.md new file mode 100644 index 000000000000..1443b4586c6f --- /dev/null +++ b/docs/getting-started/signature-verification.md @@ -0,0 +1,99 @@ +# Signature Verification + +## Verifying a Cosign signature +All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign). + +You need the following tool: + +- [Cosign](https://docs.sigstore.dev/cosign/installation/) + +### Verifying signed container images +1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/): + ```shell + cosign verify aquasec/trivy: \ + --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" + ``` + +2. You should get the following output + ```shell + Verification for index.docker.io/aquasec/trivy:latest -- + The following checks were performed on each of these signatures: + - The cosign claims were validated + - Existence of the claims in the transparency log was verified offline + - The code-signing certificate was verified using trusted certificate authority certificates + + .... + ``` + +### Verifying signed binaries + +1. Download the required tarball, associated signature and certificate files +2. Use the following command for keyless verification: + ```shell + cosign verify-blob \ + --certificate \ + --signature \ + --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" + ``` +3. You should get the following output + ``` + Verified OK + ``` + +For example: + +```shell +$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz" +$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem" +$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig" +$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \ + --certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \ + --signature trivy_0.45.0_Linux-32bit.tar.gz.sig \ + --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" + +Vetified OK +``` + +## Verifying a GPG signature + +RPM and Deb packages are also signed by GPG. + +### Verifying RPM + +The public key downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key). + +1. Download the public key + ```shell + curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \ + --output pub.key + ``` +2. Import the key + ```shell + rpm --import pub.key + ``` +3. Verify that the key has been imported + ```shell + rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey) + ``` + You should get the following output + ```shell + gpg(trivy) + ``` + +4. Download the required binary + ```shell + curl -L https://github.com/aquasecurity/trivy/releases/download//.rpm \ + --output trivy.rpm + ``` +5. Check the binary with the following command + ```shell + rpm -K trivy.rpm + ``` + You should get the following output + ```shell + trivy.rpm: digests signatures OK + ``` + diff --git a/mkdocs.yml b/mkdocs.yml index 334ea52a4d70..c3e84f5f9162 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -10,6 +10,7 @@ nav: - Getting Started: - Overview: index.md - Installation: getting-started/installation.md + - Signature Verification: getting-started/signature-verification.md - FAQ: getting-started/faq.md - Tutorials: - Overview: tutorials/overview.md