diff --git a/docs/introduction/cosign-verify.rst b/docs/introduction/cosign-verify.rst index ef13d168c2f89478ab540ba4024ccbe80dd16abb..48c1401261032f9f08aeb6f48c4b67d09a5d8f08 100644 --- a/docs/introduction/cosign-verify.rst +++ b/docs/introduction/cosign-verify.rst @@ -18,14 +18,14 @@ Obtaining the Public Key ------------------------ To verify a signed Docker image, you need the public key that corresponds to the private key used for signing. The pem certificate is available at -https://storage.googleapis.com/nl-prod-sign-keyring/nl-prod-docker-sign-key.pem +https://keyserver.nomadic-labs.com/cosign/nl-prod-docker-sign-key.pem Saving the public key: .. code-block:: bash # Save the public key to a file (e.g., octez.pub) - curl -O https://storage.googleapis.com/nl-prod-sign-keyring/nl-prod-docker-sign-key.pem octez.pub + curl -o octez.pub https://keyserver.nomadic-labs.com/cosign/nl-prod-docker-sign-key.pem Verifying the Docker Image -------------------------- 
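Review bot: the `curl -o octez.pub https://keyserver.nomadic-labs.com/cosign/nl-prod-docker-sign-key.pem` fix is right (the old `curl -O <url> octez.pub` form treated `octez.pub` as a second URL rather than an output file), but after this hunk the authenticity of the verification key still rests entirely on one HTTPS fetch from keyserver.nomadic-labs.com with nothing for the reader to compare against. Please publish the key's SHA-256 (or its fingerprint) in this section so a reader can check the downloaded file before trusting it, and use `curl -fsSLo octez.pub ...` so that an HTTP error page is not silently saved as the key. Smaller wording point in the same hunk: "The pem certificate is available at" describes a PEM-encoded public key, not a certificate; say "public key".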
@@ -39,14 +39,61 @@ To verify the Octez Docker image, follow these steps: 2. **Use Cosign to Verify the Image**: + Replace the image name with the name of your Docker image and tag with the + specific tag ( for example ``tezos/tezos:22.0`` ) + .. code-block:: bash - cosign verify -key octez.pub tezos/tezos-bare:master + cosign verify --key octez.pub tezos/tezos-bare:master - Replace the image name with the name of your Docker image and tag with the - specific tag ( for example ``tezos/tezos:22.0`` ) + Or more directly: + + .. code-block:: bash + + cosign verify --key https://keyserver.nomadic-labs.com/cosign/nl-prod-docker-sign-key.pem tezos/tezos-bare:master 3. **Check the Output**: -- If the verification is successful, Cosign will output the signatures and their claims. -- If the verification fails, an error message will be displayed indicating the failure reason. You can use tools like ``jq`` to parse the json output of Cosign. + You can use tools like ``jq`` to parse the json output of Cosign: + + .. code-block:: bash + + cosign verify --key https://keyserver.nomadic-labs.com/cosign/nl-prod-docker-sign-key.pem tezos/tezos-bare:master | jq + + If the verification is successful, Cosign will output the signatures and their claims in JSON format: + + .. code-block:: bash + + The following checks were performed on each of these signatures: + - The cosign claims were validated + - Existence of the claims in the transparency log was verified offline + - The signatures were verified against the specified public key + + .. code-block:: JSON + + [ + { + "critical": { + "identity": { + "docker-reference": "" + }, + "image": { + "docker-manifest-digest": "sha256:" + }, + "type": "cosign container image signature" + }, + "optional": { + "Bundle": { + "SignedEntryTimestamp": "", + "Payload": { + "body": "", + "integratedTime": "
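Review bot: the `-key` to `--key` correction and the `| jq` example are fine (cosign prints the "The following checks were performed" summary to stderr and the JSON claims array to stdout, so only the JSON reaches `jq`), but the rewritten "Check the Output" step drops the old sentence about the failure case. Keep a line saying what a failed verification looks like (non-zero exit status and an error message, with no JSON claims), since anyone scripting this check needs to test the exit status rather than parse the output. Two further points: both `cosign verify` lines target the mutable tag `tezos/tezos-bare:master`, and the tag can move after the check, so tell readers to pull by the `docker-manifest-digest` shown in the output (`tezos/tezos-bare@sha256:...`) instead of the tag; and the plain-text "The following checks were performed" block is marked `.. code-block:: bash` although it is not shell, so tag it `text`.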