Verifying signed agent artifacts

New in v0.32.1

To verify the authenticity of the Buoyant Cloud agent Docker image and Helm chart, use the following commands.

Prerequisites

Verify the Docker image

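TAG=v0.33.2

# Verify the signature on the image referenced by tag.
# The patterns are quoted so the shell never glob-expands them.
cosign verify "ghcr.io/buoyantio/linkerd-buoyant:$TAG" \
  --certificate-identity-regexp='.*' \
  --certificate-oidc-issuer-regexp='.*'

# Resolve the tag to its digest, then verify that exact image.
digest=$(crane digest "ghcr.io/buoyantio/linkerd-buoyant:$TAG")
cosign verify "ghcr.io/buoyantio/linkerd-buoyant:$TAG@$digest" \
  --certificate-identity-regexp='.*' \
  --certificate-oidc-issuer-regexp='.*'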
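
Because `.*` matches any certificate identity and any OIDC issuer, the commands above succeed for a signature from any signer, so who signed still has to be checked. The following added example (not Buoyant's code) filters the JSON that `cosign verify` prints down to signatures from one pinned identity and issuer over the expected digest. The function name `pinned_signers`, the sample output, and the identity and issuer values are constructed placeholders.

```python
import json
import re

# Constructed sample of `cosign verify` JSON output (not real Buoyant data):
# two signatures over the same digest, made by different identities.
DIGEST = "sha256:" + "a" * 64
SAMPLE_OUTPUT = json.dumps([
    {"critical": {"identity": {"docker-reference": "ghcr.io/buoyantio/linkerd-buoyant"},
                  "image": {"docker-manifest-digest": DIGEST},
                  "type": "cosign container image signature"},
     "optional": {"Issuer": "https://issuer.example",
                  "Subject": "https://ci.example/EXAMPLE-ORG/release@refs/tags/v0.0.0"}},
    {"critical": {"identity": {"docker-reference": "ghcr.io/buoyantio/linkerd-buoyant"},
                  "image": {"docker-manifest-digest": DIGEST},
                  "type": "cosign container image signature"},
     "optional": {"Issuer": "https://issuer.example",
                  "Subject": "someone-else@mail.example"}},
])


def pinned_signers(verify_json, digest, issuer, identity_regex):
    """Return the (subject, issuer) pairs that satisfy the pinned policy.

    Raises ValueError when no signature matches, so a CI step fails closed.
    """
    accepted = []
    for payload in json.loads(verify_json):
        signed_digest = payload.get("critical", {}).get("image", {}).get("docker-manifest-digest")
        optional = payload.get("optional") or {}
        subject, got_issuer = optional.get("Subject"), optional.get("Issuer")
        if signed_digest != digest:          # signature covers a different image
            continue
        if got_issuer != issuer:             # exact match, never a pattern
            continue
        if not subject or not re.fullmatch(identity_regex, subject):
            continue
        accepted.append((subject, got_issuer))
    if not accepted:
        raise ValueError("no signature from the pinned identity and issuer")
    return accepted


if __name__ == "__main__":
    # Placeholder policy values; substitute the publisher's real identity.
    print(pinned_signers(SAMPLE_OUTPUT, DIGEST, "https://issuer.example",
                         r"https://ci\.example/EXAMPLE-ORG/release@refs/tags/v.+"))
```

Feed it the standard output of `cosign verify` together with the digest returned by `crane digest`.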

Verify the Helm chart

# Fetch the chart signing key by fingerprint into a dedicated keyring.
gpg --keyring ./linkerd-buoyant.pubring.kbx --no-default-keyring \
  --keyserver hkps://keys.openpgp.org \
  --receive-keys '54A1FEAE3864F855F6724F03F09B21EC0428D8B8'
# Export the key to a .gpg keyring file for helm to read.
gpg --keyring ./linkerd-buoyant.pubring.kbx --no-default-keyring \
  --export --output ./linkerd-buoyant.pubring.gpg \
  'hello@buoyant.io'

# Pull the chart and verify its signature against that keyring.
helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
helm pull --verify --keyring ./linkerd-buoyant.pubring.gpg linkerd-buoyant/linkerd-buoyant