Verifying Artifacts

Note

The examples are taken from a PR; the certificate identity will therefore differ for releases.

Container images

Checking signatures

cosign verify \
  --certificate-identity="https://github.com/opendefensecloud/artifact-conduit/.github/workflows/docker.yaml@refs/tags/v0.1.4" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/opendefensecloud/arc-controller-manager:v0.1.4

Checking attestations

# CycloneDX BOM/SBOM
cosign verify-attestation \
  --certificate-identity https://github.com/opendefensecloud/artifact-conduit/.github/workflows/docker.yaml@refs/tags/v0.1.4 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --new-bundle-format \
  --type=https://cyclonedx.org/bom \
  ghcr.io/opendefensecloud/arc-controller-manager:v0.1.4 | jq -r '.payload | @base64d | fromjson'
# SLSA provenance
cosign verify-attestation \
  --certificate-identity https://github.com/opendefensecloud/artifact-conduit/.github/workflows/docker.yaml@refs/tags/v0.1.4 \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --new-bundle-format \
  --type=https://slsa.dev/provenance/v1 \
  ghcr.io/opendefensecloud/arc-controller-manager:v0.1.4 | jq -r '.payload | @base64d | fromjson'
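
To act on the decoded statements rather than only printing them, the following added example (not part of the artifact-conduit project) does in Python what the `jq` pipeline above does, then checks each statement's predicate type and that its subject names the image digest you pulled; the envelope, digest and signature it uses are constructed placeholders.

```python
"""Post-process `cosign verify-attestation` output (one DSSE envelope per
line, as piped to jq above): decode each in-toto statement and confirm it has
the predicate type you asked for and names the image digest you pulled.
Added example, not part of the artifact-conduit docs; the envelope below is
constructed around a placeholder digest, not a real attestation."""
import base64
import json

# Constructed sample envelope in the shape cosign prints; signature elided.
PLACEHOLDER_DIGEST = "0" * 64
_statement = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/opendefensecloud/arc-controller-manager",
                 "digest": {"sha256": PLACEHOLDER_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
SAMPLE_OUTPUT = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<placeholder>"}],
}) + "\n"


def decode_statement(envelope_line: str) -> dict:
    """Same as `jq -r '.payload | @base64d | fromjson'`, but refuses envelopes
    whose payloadType is not in-toto before trusting the decoded JSON."""
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def statement_matches(stmt: dict, predicate_type: str, image_digest: str) -> bool:
    """True only for an in-toto Statement of the requested predicate type whose
    subject list names the pulled digest (a tag can move between pull and verify)."""
    if stmt.get("_type") not in ("https://in-toto.io/Statement/v1",
                                 "https://in-toto.io/Statement/v0.1"):
        return False
    if stmt.get("predicateType") != predicate_type:
        return False
    want = image_digest.removeprefix("sha256:")
    return any(s.get("digest", {}).get("sha256") == want
               for s in stmt.get("subject", []))


def count_matching(output: str, predicate_type: str, image_digest: str) -> int:
    """Number of envelopes in cosign's output that pass statement_matches."""
    return sum(statement_matches(decode_statement(ln), predicate_type, image_digest)
               for ln in output.splitlines() if ln.strip())
```

Feed it the raw `cosign verify-attestation` output (without the `jq` stage) and the digest from `crane digest` or the image pull; a count of zero means no attestation of that type covers the digest you actually have.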

Helm charts

Note

The signatures are expected to work with Flux, as illustrated here.

cosign verify \
  --certificate-identity="https://github.com/opendefensecloud/artifact-conduit/.github/workflows/helm-publish.yaml@refs/tags/v0.1.4" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
  ghcr.io/opendefensecloud/charts/arc:0.1.4