Skip to content

Commit 40f78cb

Browse files
sxdsxd
committed
docs: add documentation to verify into the BUILD.md
Signed-off-by: Jonathan Gonzalez V <[email protected]>
1 parent 504be3a commit 40f78cb

File tree

1 file changed

+64
-0
lines changed

1 file changed

+64
-0
lines changed

BUILD.md

+64
Original file line numberDiff line numberDiff line change
@@ -122,6 +122,70 @@ docker run -d --rm -p 5000:5000 --name registry registry:2
122122
This command runs a lightweight, temporary instance of the `registry:2`
123123
container on port `5000`.
124124

125+
# Image Signatures
126+
127+
Every image is signed using cosign and an ephemeral key with GitHub as the OIDC provider, the images can be
128+
verify using the following command:
129+
130+
```shell
131+
cosign verify --certificate-identity-regexp="https://github.com/cloudnative-pg/postgres-containers/.github/workflows/" \
132+
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
133+
ghcr.io/cloudnative-pg/postgresql(-testing)@<sha256 image>
134+
```
135+
136+
Using the following image:
137+
`ghcr.io/cloudnative-pg/postgresql-testing@sha256:e5d7aaf92103ecabd4ea4c109e49727692b1c47174fb77d8e17ef1e29685d7dd`
138+
We can execute the following command with the following output
139+
140+
```shell
141+
cosign verify --certificate-identity-regexp="https://github.com/cloudnative-pg/postgres-containers/.github/workflows/" --certificate-oidc-issuer="https://token.actions.githubusercontent.com" ghcr.io/cloudnative-pg/postgresql-testing@sha256:e5d7aaf92103ecabd4ea4c109e49727692b1c47174fb77d8e17ef1e29685d7dd | jq
142+
143+
Verification for ghcr.io/cloudnative-pg/postgresql-testing@sha256:e5d7aaf92103ecabd4ea4c109e49727692b1c47174fb77d8e17ef1e29685d7dd --
144+
The following checks were performed on each of these signatures:
145+
- The cosign claims were validated
146+
- Existence of the claims in the transparency log was verified offline
147+
- The code-signing certificate was verified using trusted certificate authority certificates
148+
[
149+
{
150+
"critical": {
151+
"identity": {
152+
"docker-reference": "ghcr.io/cloudnative-pg/postgresql-testing"
153+
},
154+
"image": {
155+
"docker-manifest-digest": "sha256:e5d7aaf92103ecabd4ea4c109e49727692b1c47174fb77d8e17ef1e29685d7dd"
156+
},
157+
"type": "cosign container image signature"
158+
},
159+
"optional": {
160+
"1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
161+
"1.3.6.1.4.1.57264.1.2": "workflow_dispatch",
162+
"1.3.6.1.4.1.57264.1.3": "504be3a25448fa5277f712ee8df1ded1066ed164",
163+
"1.3.6.1.4.1.57264.1.4": "Bake images",
164+
"1.3.6.1.4.1.57264.1.5": "cloudnative-pg/postgres-containers",
165+
"1.3.6.1.4.1.57264.1.6": "refs/heads/dev/136",
166+
"Bundle": {
167+
"SignedEntryTimestamp": "MEQCIGTI2BU4HroJxyY5iSLckxjezt9j8HiVSkyNsRn2GfgBAiBwrfzC872HdkpjWD3p9VH6lxAQg3N+UAcyKlFO08EJBw==",
168+
"Payload": {
169+
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI2NGEyZjMzMGQzYTZkN2YwOTBlNmEzNWQ0MWI1ZDljZGM1ZDQ1YzRhZTRhNWYwNTk1YTZiNjIzN2QzNzBkOWIxIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUUMvMGdYamRVNThhbG1OQ2pRUjVmb0RUK2JCcmlWa2UyNUNUeGNlM2FSem5BSWhBUFRyeUFMRHdGTDFOTjgrVVpxTGZSWHFwNjJtcld5VUpLNXlqSXhPYUVlMSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVaFBWRU5EUW5JclowRjNTVUpCWjBsVllXMVdURFpXVERWSVFuTnJhbUZGTjNKaE9FRnBMMFp3UzBKUmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFZkMDFVU1hkTlZGa3dUa1JOTVZkb1kwNU5hbFYzVFZSSmQwMVVXVEZPUkUweFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZtVDIxb2QwVlhPVXBxUm5sMmRFczJRbkJ1Ym1WeE1GWlhUMk5vTjJwcVVUTkNNWFFLYm5scWRGWXZUVlE1Y1VWb1J6WXhORlpoVVhaM2FVVmxTVmRLTVRCaVIzaENjWHB5YkhoQ2FsaFNPV1psUVZaMGIyRlBRMEprTkhkbloxaGhUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlUwWlUxMENuUmxWekZ5ZGt4RFQxWlZUR0phTVhSVU1GVk9RMnMwZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJObldVUldVakJTUVZGSUwwSkhaM2RhYjFwcllVaFNNR05JVFRaTWVUbHVZVmhTYjJSWFNYVlpNamwwVERKT2MySXpWbXRpYlVZd1lWaGFiQXBNV0VKdVRETkNkbU16VW01amJWWjZURmRPZG1KdVVtaGhWelZzWTI1TmRreHRaSEJrUjJneFdXazVNMkl6U25KYWJYaDJaRE5OZGxsdFJuSmFVelUxQ2xsWE1YTlJTRXBzV201TmRtRkhWbWhhU0UxMldrZFdNa3g2UlhwT2FrRTFRbWR2Y2tKblJVVkJXVTh2VFVGRlFrSkRkRzlrU0ZKM1kzcHZka3d6VW5ZS1lUSldkVXh0Um1wa1IyeDJZbTVOZFZveWJEQmhTRlpwWkZoT2JHTnRUblppYmxKc1ltNVJkVmt5T1hSTlFqaEhRMmx6UjBGUlVVSm5OemgzUVZGSlJRcEZXR1IyWTIxMGJXSkhPVE5ZTWxKd1l6TkNhR1JIVG05TlJGbEhRMmx6UjBGUlVVSm5OemgzUVZGTlJVdEVWWGRPUjBwc1RUSkZlVTVVVVRCUFIxcG9DazVVU1ROT01sa3pUVlJLYkZwVWFHdGFha1pyV2xkUmVFMUVXVEphVjFGNFRtcFJkMGRSV1V0TGQxbENRa0ZIUkhaNlFVSkNRVkZNVVcxR2NscFRRbkFLWWxkR2JscFlUWGROUVZsTFMzZFpRa0pCUjBSMmVrRkNRbEZSYVZreWVIWmtWMUoxV1ZoU2NHUnRWWFJqUjJOMlkwYzVlbVJIWkhsYVdFMTBXVEk1ZFFwa1IwWndZbTFXZVdONlFXZENaMjl5UW1kRlJVRlpUeTlOUVVWSFFrSktlVnBYV25wTU1taHNXVmRTZWt3eVVteGthVGg0VFhwWmQwOTNXVXRMZDFsQ0NrSkJSMFIyZWtGQ1EwRlJkRVJEZEc5a1NGSjNZM3B2ZGt3elVuWmhNbFoxVEcxR2FtUkhiSFppYmsxMVdqSnNNR0ZJVm1sa1dFNXNZMjFPZG1KdVVtd0tZbTVSZFZreU9YUk5TRkZIUTJselIwRlJVVUpuTnpoM1FWRnJSVnBuZUd0aFNGSXdZMGhOTmt4NU9XNWhXRkp2WkZkSmRWa3lPWFJNTWs1ellqTldhd3BpYlVZd1lWaGFiRXhZUW01TU0wSjJZek5TYm1OdFZucE1WMDUyWW01U2FHRlhOV3hqYmsxMlRHMWtjR1JIYURGWmFUa3pZak5LY2xwdGVIWmtNMDEyQ2xsdFJuSmFVelUxV1ZjeGMxRklTbXhhYmsxMllVZFdhRnBJVFhaYVIxWXlUSHBGZWs1cVFUUkNaMjl5UW1kRlJVRlpUeTlOUVVWTFFrTnZUVXRFVlhjS1RrZEtiRTB5UlhsT1ZGRXdUMGRhYUU1VVNUTk9NbGt6VFZSS2JGcFVhR3RhYWtacldsZFJlRTFFV1RKYVYxRjRUbXBSZDBoUldVdExkMWxDUWtGSFJBcDJla0ZDUTNkUlVFUkJNVzVoV0ZKdlpGZEpkR0ZIT1hwa1IxWnJUVVZWUjBOcGMwZEJVVkZDWnpjNGQwRlJkMFZPZDNjeFlVaFNNR05JVFRaTWVUbHVDbUZZVW05a1YwbDFXVEk1ZEV3eVRuTmlNMVpyWW0xR01HRllXbXhNV0VKdVRETkNkbU16VW01amJWWjZURmRPZG1KdVVtaGhWelZzWTI1TmQwOUJXVXNLUzNkWlFrSkJSMFIyZWtGQ1JGRlJjVVJEWnpGTlJGSnBXbFJPYUUxcVZUQk9SR2h0V1ZSVmVVNTZaRzFPZWtWNVdsZFZORnBIV1hoYVIxWnJUVlJCTWdwT2JWWnJUVlJaTUUxRFNVZERhWE5IUVZGUlFtYzNPSGRCVVRSRlJrRjNVMk50Vm0xamVUbHZXbGRHYTJONU9XdGFXRmwyVFZSTk1rMUNhMGREYVhOSENrRlJVVUpuTnpoM1FWRTRSVU4zZDBwT1JHTjNUbFJGTkUxNmEzcE5SRVZIUTJselIwRlJVVUpuTnpoM1FWSkJSVWwzZDJoaFNGSXdZMGhOTmt4NU9XNEtZVmhTYjJSWFNYVlpNamwwVERKT2MySXpWbXRpYlVZd1lWaGFiRXhZUW01TlFtdEhRMmx6UjBGUlVVSm5OemgzUVZKRlJVTjNkMHBOVkVGM1RYcGplZ3BQUkZWNVRVaFJSME5wYzBkQlVWRkNaemM0ZDBGU1NVVmFaM2hyWVVoU01HTklUVFpNZVRsdVlWaFNiMlJYU1hWWk1qbDBUREpPYzJJelZtdGliVVl3Q21GWVdteE1XRUp1VEROQ2RtTXpVbTVqYlZaNlRGZE9kbUp1VW1oaFZ6VnNZMjVOZGt4dFpIQmtSMmd4V1drNU0ySXpTbkphYlhoMlpETk5kbGx0Um5JS1dsTTFOVmxYTVhOUlNFcHNXbTVOZG1GSFZtaGFTRTEyV2tkV01reDZSWHBPYWtFMFFtZHZja0puUlVWQldVOHZUVUZGVkVKRGIwMUxSRlYzVGtkS2JBcE5Na1Y1VGxSUk1FOUhXbWhPVkVrelRqSlpNMDFVU214YVZHaHJXbXBHYTFwWFVYaE5SRmt5V2xkUmVFNXFVWGRKVVZsTFMzZFpRa0pCUjBSMmVrRkNDa1pCVVZSRVFrWXpZak5LY2xwdGVIWmtNVGxyWVZoT2QxbFlVbXBoUkVKd1FtZHZja0puUlVWQldVOHZUVUZGVmtKR2MwMVhWMmd3WkVoQ2VrOXBPSFlLV2pKc01HRklWbWxNYlU1MllsTTVhbUpIT1RGYVJ6Vm9aRWRzTWxwVE1YZGFlVGwzWWpOT01Gb3pTbXhqZVRGcVlqSTFNRmxYYkhWYVdFcDZUREpHYWdwa1IyeDJZbTVOZG1OdVZuVmplVGg0VFdwbk0wMXFVWGRQUkZVMVRrTTVhR1JJVW14aVdFSXdZM2s0ZUUxQ1dVZERhWE5IUVZGUlFtYzNPSGRCVWxsRkNrTkJkMGRqU0ZacFlrZHNhazFKUjB4Q1oyOXlRbWRGUlVGa1dqVkJaMUZEUWtnd1JXVjNRalZCU0dOQk0xUXdkMkZ6WWtoRlZFcHFSMUkwWTIxWFl6TUtRWEZLUzFoeWFtVlFTek12YURSd2VXZERPSEEzYnpSQlFVRkhWV2hLYjB4eVowRkJRa0ZOUVZORVFrZEJhVVZCYXpjMlNURmlibFF2VGtkcFYxTnNjd3BVUXpNeE1WZHhkSFFyVEZodlJVWnZRbmM1Y0ZCdFNVVjFPVkZEU1ZGRE9YbHJRM051VUc5TVpqaExhVTlpUmxCWllsUlRLM1ZKTkZkU2RrUXZMMnN6Q2twWGRWbFRhbUZzVFdwQlMwSm5aM0ZvYTJwUFVGRlJSRUYzVG05QlJFSnNRV3BCYVdkQ1Z5OWlPV1FyVkZsVE0yeFFLMEZaU0dsalMwTnFRVzVqTVd3S1JrSnFjSGxhUmpkaWVpdGFieTlUTkZwVlRGcGFaVVE1VmxKdmVGVlBRMWhZVFRoRFRWRkRWbFpXZWpSS0t6WmhVV1UzYW1KR04zSTVhak5DYjFaSGFncFVlR1J1VVZKMlNXSmxOR3hrUmxaeFpIbENObmhTTVhwcVYybEtRamxPTTFCa2NGWm5SR3M5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=",
170+
"integratedTime": 1737391476,
171+
"logIndex": 163912591,
172+
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
173+
}
174+
},
175+
"Issuer": "https://token.actions.githubusercontent.com",
176+
"Subject": "https://github.com/cloudnative-pg/postgres-containers/.github/workflows/bake.yaml@refs/heads/dev/136",
177+
"githubWorkflowName": "Bake images",
178+
"githubWorkflowRef": "refs/heads/dev/136",
179+
"githubWorkflowRepository": "cloudnative-pg/postgres-containers",
180+
"githubWorkflowSha": "504be3a25448fa5277f712ee8df1ded1066ed164",
181+
"githubWorkflowTrigger": "workflow_dispatch"
182+
}
183+
}
184+
]
185+
```
186+
187+
188+
125189
## Trademarks
126190

127191
*[Postgres, PostgreSQL and the Slonik Logo](https://www.postgresql.org/about/policies/trademarks/)

0 commit comments

Comments
 (0)