
Verifying signed artifacts

To verify the authenticity of BEL Docker images and Helm charts, use the following commands.

Prerequisites

Verify Docker images and SBOMs

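set -euo pipefail

# Release tag to verify. Every image reference and the expected signing
# identity are derived from it, so it is the only value to change per release.
tag=enterprise-2.18.7
readonly tag
readonly registry=ghcr.io/buoyantio
# Keyless (Sigstore) signatures are accepted only if they were produced by the
# release workflow run for exactly this tag, authenticated via GitHub's OIDC issuer.
readonly cert_identity="https://github.com/BuoyantIO/enterprise-linkerd/.github/workflows/actions.yml@refs/tags/$tag"
readonly oidc_issuer=https://token.actions.githubusercontent.com

#######################################
# Verify the signature of one image.
# Arguments: $1 - image reference pinned by digest (repo@sha256:...)
# Returns:   cosign's exit status; with set -e a failure aborts the script
#######################################
verify_image() {
  cosign verify \
    --certificate-identity="$cert_identity" \
    --certificate-oidc-issuer="$oidc_issuer" \
    "$1"
}

#######################################
# Verify the SPDX SBOM attestation of one image.
# Arguments: $1 - image reference pinned by digest
# Outputs:   the verified DSSE envelope(s) on stdout, so callers parse only
#            attested content rather than a separately downloaded copy
# Returns:   cosign's exit status; with set -e a failure aborts the script
#######################################
verify_sbom() {
  cosign verify-attestation \
    --type spdxjson \
    --certificate-identity="$cert_identity" \
    --certificate-oidc-issuer="$oidc_issuer" \
    "$1"
}

for component in controller extension-init policy-controller proxy proxy-init; do
  for suffix in "" -fips; do
    image="$registry/$component:$tag$suffix"

    # Resolve the tag to a digest once and pin everything below to it, so the
    # tag cannot be re-pointed between resolution and verification.
    digest=$(crane digest "$image") \
      || { printf 'failed to resolve digest for %s\n' "$image" >&2; exit 1; }
    index_ref="$image@$digest"

    # verify index image (a failed verification stops the script here)
    verify_image "$index_ref"

    # verify index sbom, keeping the verified envelope for inspection below
    sbom_envelope=$(verify_sbom "$index_ref")

    # view index sbom
    printf '%s\n' "$sbom_envelope" | jq -r '.payload' | base64 -d | jq .

    # iterate through all platform-specific images referenced in the index sbom
    # (packages[1:] skips the first package, presumably the index itself, and
    # versionInfo carries each platform image's digest — as in the original listing)
    while read -r sha; do
      # only a well-formed digest may be turned into an image reference
      [[ "$sha" =~ ^sha256:[0-9a-f]{64}$ ]] \
        || { printf 'unexpected digest %q listed in SBOM of %s\n' "$sha" "$image" >&2; exit 1; }
      platform_ref="$image@$sha"

      # verify platform-specific image
      verify_image "$platform_ref"

      # verify platform-specific image sbom
      verify_sbom "$platform_ref"
    done < <(printf '%s\n' "$sbom_envelope" \
      | jq -r '.payload' | base64 -d \
      | jq -r '.predicate.packages[1:][] .versionInfo')
  done
done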

Verify Helm charts

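set -euo pipefail

# Fingerprint of the BEL Helm chart signing key. Selecting by full fingerprint
# (instead of an e-mail user ID) guarantees exactly this key is fetched and
# exported, since user IDs are neither unique nor authenticated.
readonly bel_key_fpr=54A1FEAE3864F855F6724F03F09B21EC0428D8B8
readonly kbx_keyring=./bel.pubring.kbx
readonly gpg_keyring=./bel.pubring.gpg

gpg --keyring "$kbx_keyring" --no-default-keyring \
  --keyserver hkps://keys.openpgp.org \
  --receive-keys "$bel_key_fpr"

# Export into a separate keyring file for helm; only the one key identified by
# its fingerprint is written, so nothing else can satisfy --verify below.
gpg --keyring "$kbx_keyring" --no-default-keyring \
  --export --output "$gpg_keyring" \
  "$bel_key_fpr"

# Fail early if the exported keyring does not actually contain the expected key.
gpg --keyring "$gpg_keyring" --no-default-keyring --list-keys "$bel_key_fpr" >/dev/null \
  || { printf 'expected key %s missing from %s\n' "$bel_key_fpr" "$gpg_keyring" >&2; exit 1; }

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

# --verify refuses the chart unless its provenance file is signed by a key in
# the given keyring; with set -e a failed verification aborts the script.
for chart in linkerd-enterprise-crds linkerd-enterprise-control-plane linkerd-enterprise-multicluster; do
  helm pull --verify --keyring "$gpg_keyring" "linkerd-buoyant/$chart"
done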