Skip to main content

COSIGN Setup

All KIRA Release Files are signed using sigstore cosign tool, you will need to install and verify integrity of that tool in order to securely interact with any testnet tools.

Secure Setup Example


# assume root permissions
sudo -s

# Install essential dependencies
apt-get install -y wget

# Download Cosign
COSIGN_VERSION="v2.0.0" && \
UBUNTU_AGENT="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" && \
if [[ "$(uname -m)" == *"ar"* ]] ; then ARCH="arm64"; else ARCH="amd64" ; fi && \
 cd /tmp && PLATFORM=$(uname) && declare -l FILE="cosign-${PLATFORM}-${ARCH}" && rm -rfv ./$FILE ./${FILE}.sig && \
 wget --user-agent="$UBUNTU_AGENT" https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/$FILE -O ./$FILE && \
 wget --user-agent="$UBUNTU_AGENT" https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${FILE}.sig -O ./${FILE}.sig

# If you do NOT have cosign installed already you should check that the "$FILE" has one of the below hashes 
# Hashes are only for the 'linux' platform, for other platforms please refer to the github repository
COSIGN_HASH_ARM="8132cb2fb99a4c60ba8e03b079e12462c27073028a5d08c07ecda67284e0c88d" && \
COSIGN_HASH_AMD="169a53594c437d53ffc401b911b7e70d453f5a2c1f96eb2a736f34f6356c4f2b" && \
FILE_HASH=$(sha256sum ./$FILE | awk '{ print $1 }' | xargs || echo -n "") && \
if [ "$FILE_HASH" != "$COSIGN_HASH_ARM" ] && [ "$FILE_HASH" != "$COSIGN_HASH_AMD" ] ; then
    echoErr "ERROR: Failed to download cosign tool, expected checksum to be '$COSIGN_HASH_ARM' or '$COSIGN_HASH_AMD', but got '$FILE_HASH'"
    exit 1
fi

# Move cosign to bin directory
chmod +x -v ./$FILE && mv -fv ./$FILE /usr/local/bin/cosign 

# Check cosign version
cosign version

# Save public key
cat > ./sigstore-cosign.pub << EOL
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
-----END PUBLIC KEY-----
EOL

# Verify cosign release
cosign verify-blob --key="./sigstore-cosign.pub" --signature="./${FILE}.sig"  "./$FILE"