As of v10.9, the CloudBees CD/RO server installation binaries are signed so that you can verify their origin and authenticity. Verifying the origin and authenticity of binaries is an optional step in the installation process. It helps ensure that the binary you downloaded is the one CloudBees published and has not been replaced or tampered with in transit. Signature files are available on the downloads page for each release.
To verify the CloudBees CD/RO installation binaries, you must install Cosign. Cosign is a component of the Sigstore project, a collection of tools designed to make signing and verifying software easier.
To verify the authenticity of CloudBees CD/RO server installation binaries:
Run the following command to download the public key:
Run the following command to verify the downloaded binaries:
    $ cosign verify-blob \
        --signature signatureUrl/downloadedBinary.sig \
        --key cloudbees.pub \
        downloadedBinary
    Verified OK
You can also reference the key URL directly instead of downloading the key first:
    $ cosign-linux-amd64 verify-blob \
        --signature signatureUrl/downloadedBinary.sig \
        --key https://cdn.cloudbees.com/keyring/cloudbees.pub \
        downloadedBinary
    Verified OK
Cosign must be able to read the binary, its signature file, and the public key, and the signature must have been produced for that exact binary, or verification fails. Below is an example of failed validation: the signature file belongs to the server binary (CloudBeesFlow-x64), but the blob being verified is the agent binary (CloudBeesFlowAgent-x64), so the signature does not match.
    $ cosign verify-blob \
        --signature https://downloads.cloudbees.com/cloudbees-cd/Release_10.7/10.7.0.156326/linux/CloudBeesFlow-x64-10.7.0.156326.sig \
        --key https://cdn.cloudbees.com/keyring/cloudbees.pub \
        CloudBeesFlowAgent-x64-10.7.0.156326
    Error: verifying blob [CloudBeesFlowAgent-x64-10.7.0.156326]: invalid signature when validating ASN.1 encoded signature
    main.go:62: error during command execution: verifying blob [CloudBeesFlowAgent-x64-10.7.0.156326]: invalid signature when validating ASN.1 encoded signature
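The following script is an added example, not CloudBees' own tooling: it wraps the documented procedure (download the public key, download the signature, run cosign verify-blob) in a shell function and adds a pre-check for the failure mode shown above, refusing to run cosign when the .sig file name does not match the binary being verified. It assumes curl and cosign are on PATH, that signature files are named after the binary with a .sig suffix (as in the documented URLs), and it uses the key URL from this page.

```shell
#!/bin/sh
# Added example (not CloudBees' script): verify a CloudBees CD/RO binary
# with cosign, guarding against a signature/binary mismatch first.
set -eu

# Public key URL as documented on this page.
KEY_URL="https://cdn.cloudbees.com/keyring/cloudbees.pub"

# Succeeds (exit 0) only when the signature file name is "<binary name>.sig".
# The failing example in the documentation paired a CloudBeesFlow-x64 signature
# with the CloudBeesFlowAgent-x64 binary; this catches that before cosign runs.
sig_matches_binary() {
    local binary sig_url sig_name bin_name
    binary="$1"
    sig_url="$2"
    sig_name="${sig_url##*/}"
    bin_name="${binary##*/}"
    [ "$sig_name" = "$bin_name.sig" ]
}

# Download key and signature into a temp dir (assumes curl), then run
# cosign verify-blob. Returns 2 on a name mismatch, otherwise cosign's status.
verify_cd_binary() {
    local binary sig_url workdir
    binary="$1"
    sig_url="$2"
    if ! sig_matches_binary "$binary" "$sig_url"; then
        echo "refusing: $sig_url is not the signature for ${binary##*/}" >&2
        return 2
    fi
    workdir="$(mktemp -d)"
    # -f makes curl fail on HTTP errors, so a missing key or .sig stops here
    curl -fsSL "$KEY_URL" -o "$workdir/cloudbees.pub"
    curl -fsSL "$sig_url" -o "$workdir/binary.sig"
    cosign verify-blob \
        --signature "$workdir/binary.sig" \
        --key "$workdir/cloudbees.pub" \
        "$binary"
}

# Usage: ./verify.sh <downloaded binary> <signature URL>
if [ "$#" -eq 2 ]; then
    verify_cd_binary "$1" "$2"
fi
```

Run it as `./verify.sh ./CloudBeesFlow-x64-10.7.0.156326 https://downloads.cloudbees.com/cloudbees-cd/Release_10.7/10.7.0.156326/linux/CloudBeesFlow-x64-10.7.0.156326.sig`; cosign prints `Verified OK` and the script exits 0 only when the signature validates against the CloudBees public key.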