trivy/docs/getting-started/signature-verification.md
Nikita Pivkin ad1dc6327a docs: add 'Signature Verification' guide (#4731)
* add 'Signature Verification' guide

* add gpg signature verification doc

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: knqyf263 <knqyf263@gmail.com>
2023-09-12 06:57:40 +00:00


Signature Verification

Verifying a Cosign signature

All release binaries and container images are signed with Cosign. Signing is keyless: the certificate identifies the GitHub Actions workflow in the aquasecurity/trivy repository that produced the artifact, with GitHub's OIDC issuer as the issuer.

You need Cosign installed to run the commands below.

Verifying signed container images

  1. Use the following command for keyless verification:

    cosign verify aquasec/trivy:<version> \
    --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
    
  2. You should get output like the following (shown here for the latest tag)

    Verification for index.docker.io/aquasec/trivy:latest --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - Existence of the claims in the transparency log was verified offline
      - The code-signing certificate was verified using trusted certificate authority certificates
    
      ....
    

Verifying signed binaries

  1. Download the required tarball together with its certificate (.pem) and signature (.sig) files
  2. Use the following command for keyless verification:

    cosign verify-blob <path to binary> \
    --certificate <path to cert> \
    --signature <path to sig> \
    --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
    
  3. You should get the following output

    Verified OK
    

For example:

$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
  --certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
  --signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
  
Verified OK
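The procedure above as an added example script, not part of the Trivy docs: it fetches a release tarball with its .pem and .sig files, checks that all three are present, runs the same cosign verify-blob command, and extracts the tarball only when cosign exits successfully. The COSIGN variable and the function names are this example's own; the URLs, identity regexp and issuer are the ones from the steps above. Note that the identity regexp accepts a certificate issued to any workflow in the aquasecurity/trivy repository; cosign's --certificate-identity flag takes an exact URL if you want to pin a single workflow.

```shell
#!/bin/sh
# Added example, not part of the Trivy docs: fetch a Trivy release tarball with
# its certificate and signature, verify it with cosign, and extract it only if
# verification succeeds. COSIGN is an assumed variable that lets you point at a
# specific cosign binary; it defaults to the one on PATH.
set -eu

: "${COSIGN:=cosign}"

# Expected signer: a workflow in the aquasecurity/trivy repository, signed via
# the GitHub Actions OIDC issuer (same values as the cosign command in the docs).
TRIVY_IDENTITY_RE='https://github\.com/aquasecurity/trivy/\.github/workflows/.+'
TRIVY_OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Download <file>, <file>.pem and <file>.sig for a release tag into the current
# directory. $1 = tag (e.g. v0.45.0), $2 = tarball name (e.g. trivy_0.45.0_Linux-64bit.tar.gz)
fetch_release() {
  base="https://github.com/aquasecurity/trivy/releases/download/$1"
  for suffix in '' .pem .sig; do
    curl -fsSL "$base/$2$suffix" -o "$2$suffix"
  done
}

# Return 0 only when the tarball, certificate and signature are all present and
# non-empty, and cosign accepts the signature for the expected identity/issuer.
verify_tarball() {
  tarball=$1
  for f in "$tarball" "$tarball.pem" "$tarball.sig"; do
    if [ ! -s "$f" ]; then
      echo "missing or empty file: $f" >&2
      return 1
    fi
  done
  "$COSIGN" verify-blob "$tarball" \
    --certificate "$tarball.pem" \
    --signature "$tarball.sig" \
    --certificate-identity-regexp "$TRIVY_IDENTITY_RE" \
    --certificate-oidc-issuer "$TRIVY_OIDC_ISSUER"
}

# Extract into $2 only after verify_tarball succeeds; the destination is not
# created or touched when verification fails.
verify_and_extract() {
  tarball=$1
  dest=$2
  if ! verify_tarball "$tarball"; then
    echo "refusing to extract $tarball: signature verification failed" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest"
}

# Usage: sh verify-trivy.sh v0.45.0 trivy_0.45.0_Linux-64bit.tar.gz ./trivy-bin
if [ $# -eq 3 ]; then
  fetch_release "$1" "$2"
  verify_and_extract "$2" "$3"
fi
```

Run it with the tag, tarball name and a destination directory as arguments; with no arguments it only defines the functions, so it can be sourced from other scripts. The extraction step is deliberately separate from the check so that a failed or skipped verification can never leave an unverified binary on disk.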

Verifying a GPG signature

RPM and Deb packages are also signed with GPG.

Verifying RPM

The public key is available at https://aquasecurity.github.io/trivy-repo/rpm/public.key.

  1. Download the public key

    curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
    --output pub.key
    
  2. Import the key

    rpm --import pub.key
    
  3. Verify that the key has been imported

    rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
    

    This prints the summary of every GPG key imported into the RPM database; the Trivy key should appear as

    gpg(trivy)
    
  4. Download the required package

    curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
    --output trivy.rpm
    
  5. Check the package signature with the following command

    rpm -K trivy.rpm
    

    You should get the following output

    trivy.rpm: digests signatures OK
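A fail-closed wrapper for the RPM procedure above, added here and not part of the Trivy docs. It encodes two points a practitioner should be aware of: the gpg-pubkey query lists every imported key, so gpg(trivy) has to be matched explicitly rather than eyeballed, and rpm -K exits 0 for a package that carries no signature at all (it then reports only "digests OK"), so the exact "digests signatures OK" result must be checked instead of the exit status. The function names are this example's own, the key query uses the equivalent single-command form rpm -q gpg-pubkey --queryformat, and the output format assumed is that of rpm 4.14 and later, as shown above.

```shell
#!/bin/sh
# Added example, not part of the Trivy docs: fail-closed checks around the
# rpm commands from the guide. Function names are this example's own; the
# "digests signatures OK" format is that of rpm 4.14+ (an assumption).
set -eu

# Return 0 only if an `rpm -K` result line reports a signature verified
# against an imported key. Anything else fails, including "digests OK",
# which rpm prints (with exit status 0) for a package that has no signature,
# and "digests SIGNATURES NOT OK", which it prints when the key is unknown.
rpm_sig_line_ok() {
  case $1 in
    *": digests signatures OK") return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if the gpg(trivy) key appears in a list of imported-key summaries.
# $1 = output of: rpm -q gpg-pubkey --queryformat '%{SUMMARY}\n'
trivy_key_imported() {
  printf '%s\n' "$1" | grep -qx 'gpg(trivy)'
}

# Run the real checks against the local rpm database: key imported, then
# the package signature. $1 = path to the downloaded .rpm
verify_trivy_rpm() {
  pkg=$1
  if ! trivy_key_imported "$(rpm -q gpg-pubkey --queryformat '%{SUMMARY}\n')"; then
    echo "gpg(trivy) key is not imported; run: rpm --import pub.key" >&2
    return 1
  fi
  result=$(rpm -K "$pkg") || true   # exit status alone is not trusted (see above)
  echo "$result"
  if ! rpm_sig_line_ok "$result"; then
    echo "$pkg: signature not verified" >&2
    return 1
  fi
}

# Usage: sh check-trivy-rpm.sh trivy.rpm
if [ $# -eq 1 ]; then
  verify_trivy_rpm "$1"
fi
```

Checking the summary only proves that some key whose user ID is "trivy" is present, not which key; if you want to pin it, compare the fingerprint of the downloaded pub.key against the one the project publishes before importing it.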