Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-08-03 20:44:14 -04:00
Code Issues Projects Releases Packages Wiki Activity

Revert "docs: fix sigstore doc links (#2272)" (#2280)

Browse source 
This reverts commit ec1bba7a8b.
This commit is contained in:
Daniel Weiße 2023-08-24 11:12:28 +02:00 committed by GitHub
parent f15c5444da
commit f33cc647ed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
22 changed files with 48 additions and 52 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/versioned_docs/version-2.3/workflows/sbom.md
View file

@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
### Container Images
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
As a consumer, use cosign to download and verify the SBOM:

6
docs/versioned_docs/version-2.3/workflows/verify-cli.md
View file

@ -1,6 +1,6 @@
# Verify the CLI
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
:::note
The public key for Edgeless Systems' long-term code-signing key is:
@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical
## Verify the signature
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
```shell-session
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
@ -46,7 +46,7 @@ Verified OK
### Optional: Manually inspect the transparency log
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
```shell-session
$ rekor-cli search --artifact constellation-linux-amd64