As of v10.10, CloudBees CD/RO's Helm charts are signed so that you can verify their origin and authenticity. Verifying the origin and authenticity of Helm charts is an optional step in the installation process. However, it is recommended, because it helps prevent you from installing possibly malicious Helm charts.
To verify the CloudBees CD/RO Helm charts, you must download the Cosign verification tool.
Cosign is a component of the Sigstore solution, a collection of projects designed to make software signatures easier. For the following task, the cosign verify command is used.
To verify the authenticity of CloudBees CD/RO Helm charts:
- To verify the Helm chart against the CloudBees public key, run:
  cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub helm.cloudbees.com/<product-Helm-repo>:<image-tag>
- (OPTIONAL) The previous step used the public key directly from its URL:
  cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub
  Alternatively, you can use a local copy of cloudbees.pub:
  cosign verify --key path/to/local/cloudbees.pub
  To save a local copy of cloudbees.pub, run:
  wget https://cdn.cloudbees.com/keyring/cloudbees.pub
Confirming and troubleshooting Helm chart verification
This section describes positive and negative examples of Helm chart verification.
The following is a positive example of cosign verify used to verify the cloudbees-flow Helm chart for tag 2.19.0 against the CloudBees public key:
cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub helm.cloudbees.com/cloudbees-flow:2.19.0

Verification for helm.cloudbees.com/cloudbees-flow:2.19.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"helm-internal.artifacts.cloudbees.com/cloudbees-flow"},"image":{"docker-manifest-digest":"sha256:356f0687b5bbb5a9aba9830849f25b25498de438105dd0d2cd4d724fbd31ba56"},"type":"cosign container image signature"},"optional":null}]
The following is a negative example of cosign verify, which is unable to verify the key against the signature because the Helm chart is not signed:
cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub helm.cloudbees.com/cloudbees-flow:2.19.0

Error: no matching signatures:
The following is a negative example of cosign verify, which is unable to verify the key against the signature:
cosign verify --key cosign.pub helm.cloudbees.com/cloudbees-flow:2.19.0

Error: no matching signatures: invalid signature when validating ASN.1 encoded signature
main.go:62: error during command execution: no matching signatures: invalid signature when validating ASN.1 encoded signature

This is typically caused by an incorrect public key path or URL being passed to cosign verify. In this example, the cosign.pub key was used instead of cloudbees.pub or https://cdn.cloudbees.com/keyring/cloudbees.pub.
The following is a negative example of cosign verify, which is unable to locate the specified Helm chart:
cosign verify --key cosign.pub helm.cloudbees.com/cloudbees-flow:2.19.1

Error: entity not found in registry
main.go:62: error during command execution: entity not found in registry

This is typically caused by an incorrect Helm chart repo URL or tag being passed. In this example, the chart tag 2.19.1 does not exist for cloudbees-flow.
If the chart you are trying to verify is not validated as authentic, and you have confirmed you are using the correct key, repo URL, and chart tag, please contact CloudBees Support.
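As an added example (not from the CloudBees documentation), the following POSIX shell wrapper runs the verification described above so that an install pipeline fails closed, and maps the error outputs shown in this section to a diagnosis. Only the key URL and the error strings come from this page; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not CloudBees' own code: gate a Helm install behind
# cosign verify and explain the failure cases documented above.

CLOUDBEES_KEY="https://cdn.cloudbees.com/keyring/cloudbees.pub"

# Translate cosign's error output into one of the documented cases.
# Order matters: the wrong-key output also contains "no matching signatures",
# so the more specific ASN.1 pattern must be matched first.
classify_cosign_error() {
  case "$1" in
    *"entity not found in registry"*)
      printf 'chart-not-found\n' ;;   # bad repo URL or tag (e.g. 2.19.1)
    *"invalid signature when validating ASN.1 encoded signature"*)
      printf 'wrong-key\n' ;;         # key does not match the signature
    *"no matching signatures"*)
      printf 'unsigned\n' ;;          # chart carries no signature for this key
    *)
      printf 'unknown\n' ;;
  esac
}

# Verify a chart reference such as helm.cloudbees.com/cloudbees-flow:2.19.0
# against the CloudBees key (or a local copy passed as the second argument).
# Returns cosign's exit status so callers can chain: verify_chart ... && helm install ...
verify_chart() {
  chart_ref="$1"
  key="${2:-$CLOUDBEES_KEY}"
  rc=0
  out=$(cosign verify --key "$key" "$chart_ref" 2>&1) || rc=$?
  if [ "$rc" -eq 0 ]; then
    printf 'verified: %s\n' "$chart_ref"
    return 0
  fi
  printf 'verification failed (%s): %s\n' \
    "$(classify_cosign_error "$out")" "$chart_ref" >&2
  return "$rc"
}
```

Because verify_chart propagates cosign's exit status, an install step written as verify_chart helm.cloudbees.com/cloudbees-flow:2.19.0 && helm install ... never runs when the chart is unsigned, signed with a different key, or missing from the registry.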