Software supply chain security
To help prevent supply chain attacks, all TLS Protect for Kubernetes Enterprise Docker images are cryptographically signed, so you can be sure that they were actually built and provided by Jetstack.
This signing is vitally important if for any reason you need to use a mirrored version of the images: verifying the signature lets you confirm that the mirror has not tampered with the contents of each image.
Public Keys
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnB4iSPi1s+VcHNKzHXlqKLoEJDcD
ZyUEMqWrnjUqA4jFyhurWBWkERh2kKFEZXAifw6p3GkkhLHLZ+rRVvEHVQ==
-----END PUBLIC KEY-----
Verify Docker Images
The simplest way to verify the Docker image signatures is to use cosign verify with the public key above. For example, to verify the cert-manager-controller-fips image:
cosign verify eu.gcr.io/jetstack-secure-enterprise/cert-manager-controller-fips:v1.8.2 \
  --key https://platform.jetstack.io/documentation/jetstack-secure-enterprise-pubkey-2022-06-24.pem
If successful, the command exits with exit code 0 and prints the following output:
Verification for eu.gcr.io/jetstack-secure-enterprise/cert-manager-controller-fips:v1.8.2 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
[
  {
    "critical": {
      "identity": {
        "docker-reference": "eu.gcr.io/jetstack-secure-enterprise/cert-manager-controller-fips"
      },
      "image": {
        "docker-manifest-digest": "sha256:dcab92e8f6e47b9e342caa98e9bba799d5c39d8c612030e8aeb718629a56be99"
      },
      "type": "cosign container image signature"
    },
    "optional": null
  }
]
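The exit code alone tells you the signature matched the key; when verifying a mirrored copy you also want to check that the signed payload names the upstream Jetstack repository and the exact manifest digest of the image you actually pulled. The following is an added example (not Jetstack's own tooling) that wraps cosign verify and applies those checks; the key file path, the mirror hostname and the way the pulled digest is obtained are assumptions, and the sample payload is a copy of the output shown above.

```python
import json
import subprocess

# Assumption: the public key from this page saved locally under this name.
PUBLIC_KEY = "jetstack-secure-enterprise-pubkey-2022-06-24.pem"
UPSTREAM_REPO = "eu.gcr.io/jetstack-secure-enterprise/cert-manager-controller-fips"
SIGNATURE_TYPE = "cosign container image signature"


def check_payload(payload: str, expected_repo: str, expected_digest: str) -> bool:
    """Validate the JSON that `cosign verify` prints to stdout on success.

    Every signature must be a cosign container-image signature whose
    docker-reference is the upstream repository and whose manifest digest
    is the digest of the image that was actually pulled (e.g. from a mirror).
    """
    try:
        entries = json.loads(payload)
    except json.JSONDecodeError:
        return False
    if not isinstance(entries, list) or not entries:
        return False
    for entry in entries:
        critical = entry.get("critical", {})
        if critical.get("type") != SIGNATURE_TYPE:
            return False
        if critical.get("identity", {}).get("docker-reference") != expected_repo:
            return False
        if critical.get("image", {}).get("docker-manifest-digest") != expected_digest:
            return False
    return True


def verify_image(image: str, expected_digest: str, key: str = PUBLIC_KEY) -> bool:
    """Run `cosign verify --key` (cosign must be on PATH) and check its payload."""
    result = subprocess.run(["cosign", "verify", "--key", key, image],
                            capture_output=True, text=True)
    if result.returncode != 0:  # signature absent or not made with this key
        return False
    return check_payload(result.stdout, UPSTREAM_REPO, expected_digest)


# Constructed sample: the payload printed for the image verified on this page.
SAMPLE_DIGEST = "sha256:dcab92e8f6e47b9e342caa98e9bba799d5c39d8c612030e8aeb718629a56be99"
SAMPLE_PAYLOAD = json.dumps([{
    "critical": {"identity": {"docker-reference": UPSTREAM_REPO},
                 "image": {"docker-manifest-digest": SAMPLE_DIGEST},
                 "type": SIGNATURE_TYPE},
    "optional": None}])

if __name__ == "__main__":
    # Assumption: mirror hostname is a placeholder; the digest would come from
    # e.g. `crane digest <mirror-image>` or `docker inspect` of the pulled image.
    mirror = "mirror.example.internal/cert-manager-controller-fips:v1.8.2"
    print(verify_image(mirror, SAMPLE_DIGEST))
```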
For a more fully-featured signature verification process that enforces these checks at admission time in Kubernetes, see Kyverno: Verifying Image Signatures.