From 2a239b1b490b743a3b45ed85c805ead0b8a1ec81 Mon Sep 17 00:00:00 2001 From: Ahmed ElFakharany Date: Sat, 26 Aug 2023 15:03:25 +0200 Subject: [PATCH 1/4] Update index.md Cosign needs the `sha256:` prefix for signing the chart. Signed-off-by: Ahmed ElFakharany --- .../2022-11-11-prove-the-authenticity-of-helm-charts/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md b/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md index 06e8c4b99..8e72bae76 100644 --- a/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md +++ b/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md @@ -247,13 +247,13 @@ This command will generate two files, a `cosign.pub` which is a publickey and `c Now, let's sign the image with the private key: ```shell -cosign sign --key cosign.key ghcr.io/$USER/nginx@21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 +cosign sign --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 ``` Cool! Now we have signed the image with the private key. Let's check the signature: ```shell -cosign verify --key cosign.key ghcr.io/$USER/nginx@21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 +cosign verify --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 ``` Yay! It's verified. But in order to make the public key accessible by Flux, we need to create a Kubernetes secret to store the public key: From 3078d5742a8aadfa93620791bcf87964fd7fb7fb Mon Sep 17 00:00:00 2001 From: Ahmed Elfakharany Date: Sat, 26 Aug 2023 15:12:55 +0200 Subject: [PATCH 2/4] Cosign verification uses the public key not the private one --- .../2022-11-11-prove-the-authenticity-of-helm-charts/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md b/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md index 8e72bae76..46e51d94e 100644 --- a/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md +++ b/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md @@ -253,7 +253,7 @@ cosign sign --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54 Cool! Now we have signed the image with the private key. Let's check the signature: ```shell -cosign verify --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 +cosign verify --key cosign.pub ghcr.io/$USER/nginx@21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 ``` Yay! It's verified. But in order to make the public key accessible by Flux, we need to create a Kubernetes secret to store the public key: From fc38c1926c00911be7b7b88c1d62a826f00bb884 Mon Sep 17 00:00:00 2001 From: Ahmed ElFakharany Date: Sat, 26 Aug 2023 15:03:25 +0200 Subject: [PATCH 3/4] Update index.md Cosign needs the `sha256:` prefix for signing the chart. Also the verification is done with the public key not the private one Signed-off-by: Ahmed ElFakharany --- .../2022-11-11-prove-the-authenticity-of-helm-charts/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md b/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md index 46e51d94e..573bdf573 100644 --- a/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md +++ b/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md 
@@ -253,7 +253,11 @@ cosign sign --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54 Cool! Now we have signed the image with the private key. Let's check the signature: ```shell +<<<<<<< HEAD cosign verify --key cosign.pub ghcr.io/$USER/nginx@21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 +======= +cosign verify --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 +>>>>>>> 2a239b1 (Update index.md) ``` Yay! It's verified. But in order to make the public key accessible by Flux, we need to create a Kubernetes secret to store the public key: From 26fa89d8fa53e29efd7f309009cbacb9953dc138 Mon Sep 17 00:00:00 2001 From: Ahmed Elfakharany Date: Sat, 26 Aug 2023 15:16:32 +0200 Subject: [PATCH 4/4] Cosign verification should be done using the public key not the private one. --- .../2022-11-11-prove-the-authenticity-of-helm-charts/index.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md b/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md index 573bdf573..8e72bae76 100644 --- a/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md +++ b/content/en/blog/2022-11-11-prove-the-authenticity-of-helm-charts/index.md @@ -253,11 +253,7 @@ cosign sign --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54 Cool! Now we have signed the image with the private key. Let's check the signature: ```shell -<<<<<<< HEAD -cosign verify --key cosign.pub ghcr.io/$USER/nginx@21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 -======= cosign verify --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7 ->>>>>>> 2a239b1 (Update index.md) ``` Yay! It's verified. But in order to make the public key accessible by Flux, we need to create a Kubernetes secret to store the public key:
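Review bot: (PATCH 1/4, hunk at `@@ -247,13 +247,13 @@`) the `sha256:` prefix fix is right, but the second `+` line still hands `cosign verify` the private key: `+cosign verify --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd…`. Verification is done with the public key, and the surrounding prose already says the public key is what Flux needs, so this line should read `cosign verify --key cosign.pub ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7`. Fixing it here would also have avoided the follow-up commits in this series.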
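Review bot: (PATCH 2/4, hunk at `@@ -253,7 +253,7 @@`) the `+` line switches to `cosign.pub` but drops the `sha256:` prefix that PATCH 1/4 just added: `+cosign verify --key cosign.pub ghcr.io/$USER/nginx@21f92cbd…`. `image@digest` references need the algorithm prefix, so the two fixes cancel each other out and the reader is back to a reference that will not resolve. Keep both changes on one line: `cosign verify --key cosign.pub ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7`. This commit also lacks the `Signed-off-by:` trailer that the first commit carries; add it so the series is consistent with the project's sign-off requirement.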
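Review bot: (PATCH 3/4, hunk at `@@ -253,7 +253,11 @@`) this hunk commits unresolved merge-conflict markers into the published blog source: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 2a239b1 (Update index.md)`. The rendered page would show both the `cosign.pub`/no-prefix command and the `cosign.key`/`sha256:` command inside the same fenced block, with the markers visible to readers. Resolve the conflict before pushing, keeping a single line that combines both sides' fixes (public key and `sha256:` prefix). The commit message also reuses the subject and body of PATCH 1/4 with an added sentence, which hides that this commit is a conflict artifact rather than a content change.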
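Review bot: (PATCH 4/4, hunk at `@@ -253,11 +253,7 @@`) the conflict resolution keeps the wrong side: the surviving context line is `cosign verify --key cosign.key ghcr.io/$USER/nginx@sha256:21f92cbd…`, i.e. the private key, which contradicts this commit's own subject ("should be done using the public key"). The index line `573bdf573..8e72bae76` confirms it: `8e72bae76` is the blob PATCH 1/4 produced, so the net effect of the four-patch series is exactly PATCH 1/4 and the public-key fix from PATCH 2/4 is lost. Please squash the series into one commit whose single change to the verify line is `cosign verify --key cosign.pub ghcr.io/$USER/nginx@sha256:21f92cbd63ab495d8fc44d54dabc4815c88d37697b3f8b757ca8e51ef178a2e7`, with the `Signed-off-by:` trailer retained.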