Verifying signed agent artifacts

New in v0.37.0

To verify the authenticity of the Buoyant Cloud agent Docker image and Helm chart, use the following commands.

Prerequisites

Verify the Docker image

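# Abort on the first failed step instead of running on to the next one: a
# verification script that keeps going after a failed `cosign verify` can
# leave the reader believing every artifact passed.
set -euo pipefail

tag=v0.37.0
image=ghcr.io/buoyantio/linkerd-buoyant:$tag

# Expected signer (keyless signing): the release workflow in the
# bcloud-agent repository, run on this exact tag, authenticated by GitHub's
# OIDC issuer. Both values are checked on every verify call below.
identity=https://github.com/BuoyantIO/bcloud-agent/.github/workflows/actions.yml@refs/tags/$tag
issuer=https://token.actions.githubusercontent.com

# Resolve the mutable tag to an immutable digest once, and verify only by
# digest from here on, so a tag moved between steps cannot swap the artifact.
digest=$(crane digest "$image")
[[ -n "$digest" ]] || { printf 'could not resolve digest for %s\n' "$image" >&2; exit 1; }
image_uri_digest=$image@$digest

# verify index image
cosign verify \
  --certificate-identity="$identity" \
  --certificate-oidc-issuer="$issuer" \
  "$image_uri_digest"

# verify index sbom, keeping the verified attestation payload: the list of
# platform images below is taken from this signature-checked content rather
# than from an unverified `cosign download attestation`.
index_sbom=$(cosign verify-attestation \
  --type spdxjson \
  --certificate-identity="$identity" \
  --certificate-oidc-issuer="$issuer" \
  "$image_uri_digest" |
  jq -r '.payload' | base64 -d)

# view index sbom
jq . <<<"$index_sbom"

# iterate through all platform-specific images referenced in the index sbom
# (the selector assumes packages[0] is the index itself and that each later
# package carries a manifest digest in .versionInfo; check that against the
# SBOM printed above if the loop produces no or odd values).
# The loop body is fed by process substitution, not a pipe, so a failing
# verify inside it aborts the script under `set -e`.
while IFS= read -r sha; do
  [[ -n "$sha" ]] || continue
  # platform-specific image digest; separate name so the index reference
  # used above is not clobbered
  platform_uri_digest="$image@$sha"

  # verify platform-specific image
  cosign verify \
    --certificate-identity="$identity" \
    --certificate-oidc-issuer="$issuer" \
    "$platform_uri_digest"

  # verify platform-specific image sbom
  cosign verify-attestation \
    --type spdxjson \
    --certificate-identity="$identity" \
    --certificate-oidc-issuer="$issuer" \
    "$platform_uri_digest"
done < <(jq -r '.predicate.packages[1:][] .versionInfo' <<<"$index_sbom")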

Verify the Helm chart

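# Stop at the first failure: an unsigned or wrongly-signed chart must not be
# pulled just because an earlier gpg/helm step was skipped over.
set -euo pipefail

# The fingerprint is the trust anchor. The keyserver is only a transport:
# gpg stores whatever it returns under this fingerprint, and nothing else
# from the server is trusted.
fingerprint='54A1FEAE3864F855F6724F03F09B21EC0428D8B8'
keyring=./linkerd-buoyant.pubring.kbx
export_keyring=./linkerd-buoyant.pubring.gpg

gpg --keyring "$keyring" --no-default-keyring \
  --keyserver hkps://keys.openpgp.org \
  --receive-keys "$fingerprint"

# Export by fingerprint rather than by user-ID (e-mail): a UID selector can
# match any key carrying the same address, and keys.openpgp.org may serve
# the key without its user IDs at all, in which case a UID selector exports
# nothing. Helm's --keyring wants the legacy .gpg format, hence the export.
gpg --keyring "$keyring" --no-default-keyring \
  --export --output "$export_keyring" \
  "$fingerprint"

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update
# --verify makes the pull fail unless the chart's provenance file is
# fetched and its signature checks out against a key in the keyring.
helm pull --verify --keyring "$export_keyring" linkerd-buoyant/linkerd-buoyant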