Verifying signed artifacts

To verify the authenticity of BEL Docker images and Helm charts, use the following commands.

Prerequisites

The commands below use the `cosign`, `crane`, `gpg` and `helm` command-line tools.

Verify Docker images

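# Verify the cosign signature of every BEL component image, in both the
# standard and the -fips variant, first by tag and then by resolved digest.
#
# NOTE(review): the default patterns below ('.*') match a signing certificate
# issued to ANY identity by ANY OIDC issuer. With them, a passing check shows
# only that some signature exists for the image, not that the publisher
# produced it. Set both variables to the signing identity and issuer that the
# publisher documents before relying on the result as an authenticity check.
cert_identity_regexp=${CERT_IDENTITY_REGEXP:-.*}
cert_oidc_issuer_regexp=${CERT_OIDC_ISSUER_REGEXP:-.*}

for component in controller extension-init policy-controller proxy proxy-init; do
  for suffix in "" -fips; do
    image="ghcr.io/buoyantio/${component}:enterprise-2.17.0${suffix}"

    # Tag-based check: covers whatever the tag points at right now.
    # The patterns are quoted so the shell never treats '.*' as a glob.
    cosign verify "$image" \
      --certificate-identity-regexp="$cert_identity_regexp" \
      --certificate-oidc-issuer-regexp="$cert_oidc_issuer_regexp"

    # Resolve the tag to an immutable digest. Skip this image if the lookup
    # fails, so cosign is never handed an empty "image@" reference.
    if ! digest=$(crane digest "$image") || [ -z "$digest" ]; then
      printf 'error: could not resolve a digest for %s\n' "$image" >&2
      continue
    fi

    # Digest-based check: a tag can be moved after verification, a digest
    # cannot. Deploy by this digest so that what runs is what was verified.
    cosign verify "${image}@${digest}" \
      --certificate-identity-regexp="$cert_identity_regexp" \
      --certificate-oidc-issuer-regexp="$cert_oidc_issuer_regexp"
  done
done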

Verify Helm charts

# Fetch the chart-signing key into a dedicated keyring, export it to the
# keyring file handed to helm, then pull each chart with --verify.
kbx_keyring=./bel.pubring.kbx
gpg_keyring=./bel.pubring.gpg

# Import by full fingerprint into a keyring separate from the user's default
# one (--no-default-keyring), so only this key is trusted for chart checks.
gpg --no-default-keyring --keyring "$kbx_keyring" \
  --keyserver hkps://keys.openpgp.org \
  --receive-keys '54A1FEAE3864F855F6724F03F09B21EC0428D8B8'

# Export selects by user ID, i.e. every key in this keyring carrying it.
# NOTE(review): assumes the keyring file did not already hold other keys;
# confirm the exported fingerprint matches the one imported above.
gpg --no-default-keyring --keyring "$kbx_keyring" \
  --export --output "$gpg_keyring" \
  'hello@buoyant.io'

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

# --verify makes helm check each chart's provenance against the keyring and
# fail the pull when the check does not pass.
for chart in \
  linkerd-enterprise-crds \
  linkerd-enterprise-control-plane \
  linkerd-enterprise-multicluster; do
  helm pull --verify --keyring "$gpg_keyring" "linkerd-buoyant/${chart}"
done