Verifying signed artifacts

To verify the authenticity and integrity of BEL Docker images (including their SBOM attestations) and Helm charts, run the following commands. Treat any verification step that reports an error as a reason not to deploy that artifact.

Prerequisites: the commands below use `crane`, `cosign`, `jq` and `base64` (image and SBOM verification) and `gpg` and `helm` (chart verification); they also need network access to ghcr.io, the Sigstore infrastructure cosign talks to, keys.openpgp.org and helm.buoyant.cloud.

Verify Docker images and SBOMs

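#!/usr/bin/env bash
# Verify one BEL release: for every component image (and its -fips variant),
# check the signature on the image index, check the SBOM attestation attached
# to it, then verify the signature and SBOM attestation of each
# platform-specific image the index SBOM references.
#
# Run this as a script rather than pasting it into an interactive shell: it is
# written to fail closed, so the first verification that does not pass aborts
# the run instead of being scrolled past in the output.
set -euo pipefail

tag=enterprise-2.18.2

# Expected signer: the release workflow of BuoyantIO/enterprise-linkerd, run
# from the release tag, authenticated through GitHub Actions' OIDC issuer.
# Pinning both values is what turns "has a valid Sigstore signature" into
# "was signed by this release pipeline"; anyone can obtain a Sigstore
# certificate for some other identity.
cert_identity="https://github.com/BuoyantIO/enterprise-linkerd/.github/workflows/actions.yml@refs/tags/${tag}"
cert_issuer="https://token.actions.githubusercontent.com"

for component in controller extension-init policy-controller proxy proxy-init; do
  for suffix in "" -fips; do
    image="ghcr.io/buoyantio/${component}:${tag}${suffix}"

    # Resolve the tag to its content digest once and verify the digest, not the
    # tag: a tag is mutable and could be repointed between lookup and use.
    digest=$(crane digest "$image")
    image_uri_digest="${image}@${digest}"

    # verify index image signature
    cosign verify \
      --certificate-identity="$cert_identity" \
      --certificate-oidc-issuer="$cert_issuer" \
      "$image_uri_digest"

    # verify index sbom attestation (SPDX JSON predicate)
    cosign verify-attestation \
      --type spdxjson \
      --certificate-identity="$cert_identity" \
      --certificate-oidc-issuer="$cert_issuer" \
      "$image_uri_digest"

    # Fetch the index sbom once, for display and for the platform walk below.
    # NOTE: `cosign download attestation` does not check signatures; it returns
    # whatever is attached to the image. Its output is only trusted here because
    # the verify-attestation step above has already succeeded (set -e stops the
    # script otherwise).
    sbom=$(cosign download attestation \
      "$image_uri_digest" \
      --predicate-type https://spdx.dev/Document |
      jq -r '.payload' | base64 -d)

    # view index sbom
    jq . <<<"$sbom"

    # Collect the platform-specific image digests referenced by the index sbom.
    # Relies on the layout of BEL's index SBOM: presumably packages[0] describes
    # the index itself and each later entry carries one platform image's digest
    # in versionInfo -- confirm against a real SBOM if the layout changes.
    mapfile -t platform_digests < <(jq -r '.predicate.packages[1:][] .versionInfo' <<<"$sbom")

    # An empty list would silently skip every platform-specific check, so treat
    # it as a failure rather than a success.
    if (( ${#platform_digests[@]} == 0 )); then
      printf 'no platform-specific images found in index sbom for %s\n' "$image_uri_digest" >&2
      exit 1
    fi

    for sha in "${platform_digests[@]}"; do
      # platform-specific image digest
      platform_uri_digest="${image}@${sha}"

      # verify platform-specific image signature
      cosign verify \
        --certificate-identity="$cert_identity" \
        --certificate-oidc-issuer="$cert_issuer" \
        "$platform_uri_digest"

      # verify platform-specific image sbom attestation
      cosign verify-attestation \
        --type spdxjson \
        --certificate-identity="$cert_identity" \
        --certificate-oidc-issuer="$cert_issuer" \
        "$platform_uri_digest"
    done
  done
done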

Verify Helm charts

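#!/usr/bin/env bash
# Verify BEL Helm chart provenance against the BEL chart signing key.
# Fails closed: the first error (key fetch, export, repo update or a chart
# whose provenance does not verify) aborts the run.
set -euo pipefail

# Fingerprint of the BEL chart signing key. The full fingerprint -- not a
# short key ID and not an e-mail address -- is what pins the key: anyone can
# publish a key carrying an arbitrary user ID, but not one with this
# fingerprint.
bel_key_fpr='54A1FEAE3864F855F6724F03F09B21EC0428D8B8'

# Fetch the key into a dedicated keyring so it stays out of the default one.
gpg --keyring ./bel.pubring.kbx --no-default-keyring \
  --keyserver hkps://keys.openpgp.org \
  --receive-keys "$bel_key_fpr"

# Export it to the keyring file that helm --keyring is pointed at below.
# Selecting by fingerprint (rather than by user ID) keeps the export tied to
# the key we just pinned.
gpg --keyring ./bel.pubring.kbx --no-default-keyring \
  --export --output ./bel.pubring.gpg \
  "$bel_key_fpr"

helm repo add linkerd-buoyant https://helm.buoyant.cloud
helm repo update

# --verify checks each chart's provenance against the exported keyring; a
# chart whose provenance does not verify is expected to make helm exit
# non-zero, which stops this script.
for chart in linkerd-enterprise-crds linkerd-enterprise-control-plane linkerd-enterprise-multicluster; do
  helm pull --verify --keyring ./bel.pubring.gpg "linkerd-buoyant/${chart}"
done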