Verifying CloudBees CD/RO Helm charts


As of v10.10, CloudBees CD/RO’s Helm charts are signed so that you can verify their origin and authenticity. Verifying the charts is an optional step in the installation process, but it is recommended: it protects you from installing a chart that has been tampered with or that did not come from CloudBees.

To verify the CloudBees CD/RO Helm charts, you must install cosign. Cosign is a component of Sigstore, a collection of projects designed to make signing and verifying software artifacts easier. The following task uses the cosign verify subcommand.

To verify the authenticity of CloudBees CD/RO Helm charts:

  1. To verify the Helm chart against the CloudBees public key, run:

    cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub helm.cloudbees.com/<product-Helm-repo>:<image-tag>

  2. (OPTIONAL) Step 1 fetches the public key from the CloudBees CDN every time it runs:

    • cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub

      Alternatively, you can point cosign at a local copy of cloudbees.pub. This lets you pin a key you have already reviewed instead of trusting whatever the CDN serves at verification time:

    • cosign verify --key path/to/local/cloudbees.pub

      To save a local copy of cloudbees.pub, run:

      wget https://cdn.cloudbees.com/keyring/cloudbees.pub

Confirming and troubleshooting Helm chart verification

This section describes positive and negative examples of Helm chart verification.

The following is a positive example: cosign verify checks the signature on the cloudbees-flow Helm chart, tag 2.19.0, against the CloudBees public key:

cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub helm.cloudbees.com/cloudbees-flow:2.19.0

Verification for helm.cloudbees.com/cloudbees-flow:2.19.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"helm-internal.artifacts.cloudbees.com/cloudbees-flow"},"image":{"docker-manifest-digest":"sha256:356f0687b5bbb5a9aba9830849f25b25498de438105dd0d2cd4d724fbd31ba56"},"type":"cosign container image signature"},"optional":null}]

Note that the docker-reference in the claim (helm-internal.artifacts.cloudbees.com/cloudbees-flow) is not the public helm.cloudbees.com address you pulled from. The signature is bound to the chart through the docker-manifest-digest, so that digest is the value to compare with the digest of the chart you actually install; the tag alone does not prove you have the signed content.
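The verification step above is easy to run by hand but easy to get wrong in automation: a wrapper must fail closed on a non-zero exit, and it should check that the signed digest is the digest of the chart it is about to install, not just that some signature exists. The following is an added example, not CloudBees' or Sigstore's code. It parses the JSON claims array that cosign verify prints on stdout (the sample below is the claims array from the positive example on this page, embedded as a constructed input), and its run_cosign_verify function assumes cosign is on PATH and the registry is reachable; the parsing and checking functions run offline.

```python
"""Verify a CloudBees CD/RO Helm chart with cosign and check what the
signature actually attests.

Added example, not CloudBees' or Sigstore's code. run_cosign_verify()
assumes `cosign` is on PATH and the registry is reachable; the parsing
and checking functions run offline against the constructed sample below.
"""
import json
import subprocess
from dataclasses import dataclass

CLOUDBEES_KEY_URL = "https://cdn.cloudbees.com/keyring/cloudbees.pub"
COSIGN_SIMPLE_SIGNING = "cosign container image signature"

# Constructed sample: the claims array from the positive example on this page.
# cosign writes this JSON to stdout and the "Verification for ..." header to
# stderr, so stdout alone is what a wrapper should parse.
SAMPLE_CLAIMS = (
    '[{"critical":{"identity":{"docker-reference":'
    '"helm-internal.artifacts.cloudbees.com/cloudbees-flow"},'
    '"image":{"docker-manifest-digest":'
    '"sha256:356f0687b5bbb5a9aba9830849f25b25498de438105dd0d2cd4d724fbd31ba56"},'
    '"type":"cosign container image signature"},"optional":null}]'
)
SAMPLE_DIGEST = "sha256:356f0687b5bbb5a9aba9830849f25b25498de438105dd0d2cd4d724fbd31ba56"
SAMPLE_REFERENCE = "helm-internal.artifacts.cloudbees.com/cloudbees-flow"


@dataclass(frozen=True)
class Claim:
    reference: str   # critical.identity.docker-reference
    digest: str      # critical.image.docker-manifest-digest
    sig_type: str    # critical.type


def parse_claims(stdout: str) -> list:
    """Parse the JSON array cosign verify prints on success.

    Anything other than a non-empty list of well-formed claims raises
    ValueError, so an empty or garbled result can never read as a pass.
    """
    try:
        data = json.loads(stdout)
    except json.JSONDecodeError as exc:
        raise ValueError(f"cosign output is not JSON: {exc}") from exc
    if not isinstance(data, list) or not data:
        raise ValueError("cosign output contains no signature claims")
    claims = []
    for entry in data:
        try:
            crit = entry["critical"]
            claims.append(Claim(
                reference=crit["identity"]["docker-reference"],
                digest=crit["image"]["docker-manifest-digest"],
                sig_type=crit["type"],
            ))
        except (KeyError, TypeError) as exc:
            raise ValueError(f"malformed claim: {entry!r}") from exc
    return claims


def claims_cover(claims, expected_digest: str, allowed_references) -> bool:
    """True only if some signature binds exactly the digest you intend to
    install and names a repository you expect.

    Comparing the digest rather than the tag is the point: a tag can be
    moved to a different chart, a digest cannot.
    """
    for c in claims:
        if c.sig_type != COSIGN_SIMPLE_SIGNING:
            continue
        if c.digest == expected_digest and c.reference in allowed_references:
            return True
    return False


def run_cosign_verify(chart_ref: str, key: str = CLOUDBEES_KEY_URL) -> list:
    """Run `cosign verify --key <key> <chart_ref>` and return parsed claims.

    A non-zero exit (no matching signatures, entity not found, wrong key)
    raises with cosign's stderr, so a caller cannot proceed on failure.
    """
    proc = subprocess.run(
        ["cosign", "verify", "--key", key, chart_ref],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        raise RuntimeError(
            f"cosign verify failed for {chart_ref}: {proc.stderr.strip()}")
    return parse_claims(proc.stdout)


def verify_chart(chart_ref, expected_digest, allowed_references,
                 key=CLOUDBEES_KEY_URL) -> bool:
    """Full check: signature valid under the key AND bound to the digest."""
    claims = run_cosign_verify(chart_ref, key)
    return claims_cover(claims, expected_digest, allowed_references)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    claims = parse_claims(SAMPLE_CLAIMS)
    print(claims_cover(claims, SAMPLE_DIGEST, {SAMPLE_REFERENCE}))        # True
    print(claims_cover(claims, "sha256:" + "0" * 64, {SAMPLE_REFERENCE}))  # False
```

The expected digest should come from the artifact you are about to install (for example, the Digest line Helm prints when pulling an OCI chart), never from the cosign output itself; otherwise the check only proves that something was signed, not that it is what you deploy. The allowed_references set is whatever repository identity you have decided to trust; in the page's example that is the helm-internal.artifacts.cloudbees.com reference shown in the claim.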

The following is a negative example: cosign verify finds no signature to check because the Helm chart is not signed:

cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub helm.cloudbees.com/cloudbees-flow:2.19.0

Error: no matching signatures:

The following is a negative example: a signature exists, but cosign verify cannot validate it with the key supplied:

cosign verify --key cosign.pub helm.cloudbees.com/cloudbees-flow:2.19.0

Error: no matching signatures:
invalid signature when validating ASN.1 encoded signature
main.go:62: error during command execution: no matching signatures:
invalid signature when validating ASN.1 encoded signature

This is typically caused by an incorrect public key path or URL being passed to cosign verify: the chart carries a signature, but it was not produced by the private key that matches the public key you supplied. In this example, the cosign.pub key was used instead of cloudbees.pub or https://cdn.cloudbees.com/keyring/cloudbees.pub.

The following is a negative example: cosign verify cannot locate the specified Helm chart in the registry:

cosign verify --key cosign.pub helm.cloudbees.com/cloudbees-flow:2.19.1

Error: entity not found in registry
main.go:62: error during command execution: entity not found in registry

This is typically caused by an incorrect chart reference or tag being passed. In this example, the chart tag 2.19.1 does not exist for cloudbees-flow. Note that this error is reported before any signature check happens, so fixing the reference may still leave you with one of the signature errors above.

If the chart you are trying to verify is not validated as authentic, and you have confirmed you are using the correct key, chart reference, and tag, do not install it; contact CloudBees Support.