Skip to main content

Cosign

Cosign

https://github.com/sigstore/cosign

All KIRA Release Files are signed using sigstore cosign tool. Cosign is a digital signature utility that is used to verify the authenticity and integrity of a file. When a file is signed with a digital signature, it provides a way to verify that the file has not been tampered with, and also to verify the identity of the person or entity who signed the file. It is used in Kira to sign and verify the authenticity of data, such as proprietary tools, binaries and scripts.

Linux

# Assume root permissions
sudo -s

# Install essential dependencies
apt-get install -y wget

# Download Cosign
COSIGN_VERSION="v2.0.0" && \
UBUNTU_AGENT="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" && \
if [[ "$(uname -m)" == *"ar"* ]] ; then ARCH="arm64"; else ARCH="amd64" ; fi && \
cd /tmp && PLATFORM=$(uname) && declare -l FILE="cosign-${PLATFORM}-${ARCH}" && rm -rfv ./$FILE ./${FILE}.sig && \
wget --user-agent="$UBUNTU_AGENT" https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/$FILE -O ./$FILE && \
wget --user-agent="$UBUNTU_AGENT" https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${FILE}.sig -O ./${FILE}.sig

# If you do NOT have cosign installed already you should check that the "$FILE" has one of the below hashes
# Hashes are only for the 'linux' platform, for other platforms please refer to the github repository
COSIGN_HASH_ARM="8132cb2fb99a4c60ba8e03b079e12462c27073028a5d08c07ecda67284e0c88d" && \
COSIGN_HASH_AMD="169a53594c437d53ffc401b911b7e70d453f5a2c1f96eb2a736f34f6356c4f2b" && \
FILE_HASH=$(sha256sum ./$FILE | awk '{ print $1 }' | xargs || echo -n "") && \
if [ "$FILE_HASH" != "$COSIGN_HASH_ARM" ] && [ "$FILE_HASH" != "$COSIGN_HASH_AMD" ] ; then
echoErr "ERROR: Failed to download cosign tool, expected checksum to be '$COSIGN_HASH_ARM' or '$COSIGN_HASH_AMD', but got '$FILE_HASH'"
exit 1
else
echo "Cosign tool downloaded successfully."
fi

# Save cosign public key
cat > ./sigstore-cosign.pub << EOL
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
-----END PUBLIC KEY-----
EOL

# Verify cosign release
cosign verify-blob --key="./sigstore-cosign.pub" --signature="./${FILE}.sig" "./$FILE"

# Move cosign to bin directory
chmod +x -v ./$FILE && mv -fv ./$FILE /usr/local/bin/cosign

# Check cosign version
cosign version

Add KIRA’s public key

# Save KIRA public key allowing to verify signed releases
KIRA_COSIGN_PUB=/usr/keys/kira-cosign.pub && mkdir -p /usr/keys && \
cat > $KIRA_COSIGN_PUB << EOL
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/IrzBQYeMwvKa44/DF/HB7XDpnE+
f+mU9F/Qbfq25bBWV2+NlYMJv3KvKHNtu3Jknt6yizZjUV4b8WGfKBzFYw==
-----END PUBLIC KEY-----
EOL

# Add key to env
echo "export KIRA_COSIGN_PUB=\"$KIRA_COSIGN_PUB\"" >> /etc/profile