mirror of
https://github.com/aquasecurity/trivy.git
synced 2025-12-22 07:10:41 -08:00
ad1dc6327a
* add 'Signature Verification' guide * add gpg signature verification doc --------- Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
100 lines
3.1 KiB
Markdown
100 lines
3.1 KiB
Markdown
# Signature Verification
|
|
|
|
## Verifying a Cosign signature
|
|
All binaries and container images are signed by [Cosign](https://github.com/sigstore/cosign).
|
|
|
|
You need the following tool:
|
|
|
|
- [Cosign](https://docs.sigstore.dev/cosign/installation/)
|
|
|
|
### Verifying signed container images
|
|
1. Use the following command for keyless [verification](https://docs.sigstore.dev/cosign/verify/):
|
|
```shell
|
|
cosign verify aquasec/trivy:<version> \
|
|
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
|
|
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
|
|
```
|
|
|
|
2. You should get the following output
|
|
```shell
|
|
Verification for index.docker.io/aquasec/trivy:latest --
|
|
The following checks were performed on each of these signatures:
|
|
- The cosign claims were validated
|
|
- Existence of the claims in the transparency log was verified offline
|
|
- The code-signing certificate was verified using trusted certificate authority certificates
|
|
|
|
....
|
|
```
|
|
|
|
### Verifying signed binaries
|
|
|
|
1. Download the required tarball, associated signature and certificate files
|
|
2. Use the following command for keyless verification:
|
|
```shell
|
|
cosign verify-blob <path to binray> \
|
|
--certificate <path to cert> \
|
|
--signature <path to sig> \
|
|
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
|
|
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
|
|
```
|
|
3. You should get the following output
|
|
```
|
|
Verified OK
|
|
```
|
|
|
|
For example:
|
|
|
|
```shell
|
|
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
|
|
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
|
|
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
|
|
$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
|
|
--certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
|
|
--signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
|
|
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
|
|
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
|
|
|
|
Vetified OK
|
|
```
|
|
|
|
## Verifying a GPG signature
|
|
|
|
RPM and Deb packages are also signed by GPG.
|
|
|
|
### Verifying RPM
|
|
|
|
The public key downloaded [here](https://aquasecurity.github.io/trivy-repo/rpm/public.key).
|
|
|
|
1. Download the public key
|
|
```shell
|
|
curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
|
|
--output pub.key
|
|
```
|
|
2. Import the key
|
|
```shell
|
|
rpm --import pub.key
|
|
```
|
|
3. Verify that the key has been imported
|
|
```shell
|
|
rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
|
|
```
|
|
You should get the following output
|
|
```shell
|
|
gpg(trivy)
|
|
```
|
|
|
|
4. Download the required binary
|
|
```shell
|
|
curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
|
|
--output trivy.rpm
|
|
```
|
|
5. Check the binary with the following command
|
|
```shell
|
|
rpm -K trivy.rpm
|
|
```
|
|
You should get the following output
|
|
```shell
|
|
trivy.rpm: digests signatures OK
|
|
```
|
|
|