mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-17 20:04:36 -05:00
This reverts commit ec1bba7a8b
.
This commit is contained in:
parent
f15c5444da
commit
f33cc647ed
@ -11,15 +11,13 @@ SBOMs for Constellation are generated using [Syft](https://github.com/anchore/sy
|
|||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
|
|
||||||
```
|
```
|
||||||
-----BEGIN PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
|
||||||
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
|
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
|
||||||
-----END PUBLIC KEY-----
|
-----END PUBLIC KEY-----
|
||||||
```
|
```
|
||||||
|
The public key is also available for download at https://edgeless.systems/es.pub and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems).
|
||||||
The public key is also available for download at <https://edgeless.systems/es.pub> and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems).
|
|
||||||
|
|
||||||
Make sure the key is available in a file named `cosign.pub` to execute the following examples.
|
Make sure the key is available in a file named `cosign.pub` to execute the following examples.
|
||||||
:::
|
:::
|
||||||
@ -40,7 +38,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -54,7 +54,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Verify the CLI
|
# Verify the CLI
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -46,7 +46,7 @@ Verified OK
|
|||||||
|
|
||||||
## Optional: Manually inspect the transparency log
|
## Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Verify the CLI
|
# Verify the CLI
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -46,7 +46,7 @@ Verified OK
|
|||||||
|
|
||||||
## Optional: Manually inspect the transparency log
|
## Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -11,15 +11,13 @@ SBOMs for Constellation are generated using [Syft](https://github.com/anchore/sy
|
|||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
|
|
||||||
```
|
```
|
||||||
-----BEGIN PUBLIC KEY-----
|
-----BEGIN PUBLIC KEY-----
|
||||||
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
|
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT
|
||||||
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
|
JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==
|
||||||
-----END PUBLIC KEY-----
|
-----END PUBLIC KEY-----
|
||||||
```
|
```
|
||||||
|
The public key is also available for download at https://edgeless.systems/es.pub and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems).
|
||||||
The public key is also available for download at <https://edgeless.systems/es.pub> and in the Twitter profile [@EdgelessSystems](https://twitter.com/EdgelessSystems).
|
|
||||||
|
|
||||||
Make sure the key is available in a file named `cosign.pub` to execute the following examples.
|
Make sure the key is available in a file named `cosign.pub` to execute the following examples.
|
||||||
:::
|
:::
|
||||||
@ -40,7 +38,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -54,7 +54,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Verify the CLI
|
# Verify the CLI
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -46,7 +46,7 @@ Verified OK
|
|||||||
|
|
||||||
## Optional: Manually inspect the transparency log
|
## Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Verify the CLI
|
# Verify the CLI
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -46,7 +46,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Verify the CLI
|
# Verify the CLI
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -46,7 +46,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -36,7 +36,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# Verify the CLI
|
# Verify the CLI
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -25,7 +25,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -46,7 +46,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -40,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -54,7 +54,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -40,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -54,7 +54,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -40,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -54,7 +54,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
@ -40,7 +40,7 @@ cosign verify-blob --key cosign.pub --signature constellation.spdx.sbom.sig cons
|
|||||||
|
|
||||||
### Container Images
|
### Container Images
|
||||||
|
|
||||||
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/docs/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
SBOMs for container images are [attached to the image using Cosign](https://docs.sigstore.dev/signing/other_types#sboms-software-bill-of-materials) and uploaded to the same registry.
|
||||||
|
|
||||||
As a consumer, use cosign to download and verify the SBOM:
|
As a consumer, use cosign to download and verify the SBOM:
|
||||||
|
|
||||||
|
@ -8,7 +8,7 @@ This recording presents the essence of this page. It's recommended to read it in
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/docs/signing/quickstart), [Rekor](https://docs.sigstore.dev/docs/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
Edgeless Systems uses [sigstore](https://www.sigstore.dev/) and [SLSA](https://slsa.dev) to ensure supply-chain security for the Constellation CLI and node images ("artifacts"). sigstore consists of three components: [Cosign](https://docs.sigstore.dev/signing/quickstart), [Rekor](https://docs.sigstore.dev/logging/overview), and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <https://rekor.sigstore.dev/>.
|
||||||
|
|
||||||
:::note
|
:::note
|
||||||
The public key for Edgeless Systems' long-term code-signing key is:
|
The public key for Edgeless Systems' long-term code-signing key is:
|
||||||
@ -33,7 +33,7 @@ You don't need to verify the Constellation node images. This is done automatical
|
|||||||
|
|
||||||
## Verify the signature
|
## Verify the signature
|
||||||
|
|
||||||
First, [install the Cosign CLI](https://docs.sigstore.dev/docs/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
First, [install the Cosign CLI](https://docs.sigstore.dev/system_config/installation). Next, [download](https://github.com/edgelesssys/constellation/releases) and verify the signature that accompanies your CLI executable, for example:
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
$ cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64
|
||||||
@ -54,7 +54,7 @@ Verified OK
|
|||||||
|
|
||||||
### Optional: Manually inspect the transparency log
|
### Optional: Manually inspect the transparency log
|
||||||
|
|
||||||
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/docs/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
To further inspect the public Rekor transparency log, [install the Rekor CLI](https://docs.sigstore.dev/logging/installation). A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous `cosign` command.)
|
||||||
|
|
||||||
```shell-session
|
```shell-session
|
||||||
$ rekor-cli search --artifact constellation-linux-amd64
|
$ rekor-cli search --artifact constellation-linux-amd64
|
||||||
|
Loading…
Reference in New Issue
Block a user