
<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper plugin-docs plugin-id-default docs-version-current docs-doc-page docs-doc-id-workflows/verify-cli" data-has-hydrated="false">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v3.9.2">
<title data-rh="true">Verify the CLI | Constellation</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:url" content="https://docs.edgeless.systems/constellation/next/workflows/verify-cli"><meta data-rh="true" property="og:locale" content="en"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Verify the CLI | Constellation"><meta data-rh="true" name="description" content="This recording presents the essence of this page. It&#x27;s recommended to read it in full for the motivation and all details."><meta data-rh="true" property="og:description" content="This recording presents the essence of this page. 
It&#x27;s recommended to read it in full for the motivation and all details."><link data-rh="true" rel="icon" href="/constellation/img/favicon.ico"><link data-rh="true" rel="canonical" href="https://docs.edgeless.systems/constellation/next/workflows/verify-cli"><link data-rh="true" rel="alternate" href="https://docs.edgeless.systems/constellation/next/workflows/verify-cli" hreflang="en"><link data-rh="true" rel="alternate" href="https://docs.edgeless.systems/constellation/next/workflows/verify-cli" hreflang="x-default"><script data-rh="true" type="application/ld+json">{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Workflows","item":"https://docs.edgeless.systems/constellation/next/category/workflows"},{"@type":"ListItem","position":2,"name":"Verify the CLI","item":"https://docs.edgeless.systems/constellation/next/workflows/verify-cli"}]}</script><script src="/constellation/gtagman.js" async data-cookieconsent="ignore"></script><link rel="stylesheet" href="/constellation/assets/css/styles.9ca3c5b3.css">
<script src="/constellation/assets/js/runtime~main.87c4c513.js" defer="defer"></script>
<script src="/constellation/assets/js/main.add27954.js" defer="defer"></script>
</head>
<body class="navigation-with-keyboard">
<svg style="display: none;"><defs>
<symbol id="theme-svg-external-link" viewBox="0 0 24 24"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"/></symbol>
</defs></svg>
<script>document.documentElement.setAttribute("data-theme","light"),document.documentElement.setAttribute("data-theme-choice","light"),function(){try{const n=new URLSearchParams(window.location.search).entries();for(var[t,e]of n)if(t.startsWith("docusaurus-data-")){var a=t.replace("docusaurus-data-","data-");document.documentElement.setAttribute(a,e)}}catch(t){}}(),document.documentElement.setAttribute("data-announcement-bar-initially-dismissed",function(){try{return"true"===localStorage.getItem("docusaurus.announcement.dismiss")}catch(t){}return!1}())</script><div id="__docusaurus"><div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><div class="theme-announcement-bar announcementBar_mb4j" style="background-color:#E7E6E6" role="banner"><div class="announcementBarPlaceholder_vyr4"></div><div class="content_knG7 announcementBarContent_xLdY">If you like Constellation, give it a star on <a target="_blank" rel="noopener noreferrer" href="https://github.com/edgelesssys/constellation">GitHub</a> ⭐️</div><button type="button" aria-label="Close" class="clean-btn close closeButton_CVFx announcementBarClose_gvF7"><svg viewBox="0 0 15 15" width="14" height="14"><g stroke="currentColor" stroke-width="3.1"><path d="M.75.75l13.5 13.5M14.25.75L.75 14.25"></path></g></svg></button></div><nav aria-label="Main" class="theme-layout-navbar navbar navbar--fixed-top"><div class="navbar__inner"><div class="theme-layout-navbar-left navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/constellation/"><div class="navbar__logo"><img 
src="/constellation/img/logos/constellation_oneline.svg" alt="Constellation Logo" class="themedComponent_mlkZ themedComponent--light_NVdE"><img src="/constellation/img/logos/constellation_oneline.svg" alt="Constellation Logo" class="themedComponent_mlkZ themedComponent--dark_xIcU"></div></a></div><div class="theme-layout-navbar-right navbar__items navbar__items--right"><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a aria-current="page" class="navbar__link active" aria-haspopup="true" aria-expanded="false" role="button" href="/constellation/next/workflows/verify-cli">Next</a><ul class="dropdown__menu"><li><a aria-current="page" class="dropdown__link dropdown__link--active" href="/constellation/next/workflows/verify-cli">Next</a></li><li><a class="dropdown__link" href="/constellation/workflows/verify-cli">2.24</a></li><li><a class="dropdown__link" href="/constellation/2.23/workflows/verify-cli">2.23</a></li><li><a class="dropdown__link" href="/constellation/2.22/workflows/verify-cli">2.22</a></li></ul></div><a href="https://github.com/edgelesssys/constellation" target="_blank" rel="noopener noreferrer" class="navbar__item navbar__link header-github-link"></a><div class="navbarSearchContainer_Bca1"><div class="dsla-search-wrapper"><div class="dsla-search-field" data-tags="default,docs-default-current"></div></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="theme-layout-main main-wrapper mainWrapper_z2l0"><div class="docsWrapper_hBAB"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docRoot_UBD9"><aside class="theme-doc-sidebar-container docSidebarContainer_YfHR"><div class="sidebarViewport_aRkj"><div class="sidebar_njMd"><nav aria-label="Docs sidebar" class="menu thin-scrollbar menu_SIkG menuWithAnnouncementBar_GW3s"><ul class="theme-doc-sidebar-menu 
menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-1 menu__list-item"><a class="menu__link" href="/constellation/next/"><span title="Introduction" class="linkLabel_WmDU">Introduction</span></a></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/constellation/next/category/basics"><span title="Basics" class="categoryLinkLabel_W154">Basics</span></a><button aria-label="Expand sidebar category &#x27;Basics&#x27;" aria-expanded="false" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/constellation/next/category/getting-started"><span title="Getting started" class="categoryLinkLabel_W154">Getting started</span></a><button aria-label="Expand sidebar category &#x27;Getting started&#x27;" aria-expanded="false" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist menu__link--active" href="/constellation/next/category/workflows"><span title="Workflows" class="categoryLinkLabel_W154">Workflows</span></a><button aria-label="Collapse sidebar category &#x27;Workflows&#x27;" aria-expanded="true" type="button" class="clean-btn menu__caret"></button></div><ul class="menu__list"><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link menu__link--active" aria-current="page" tabindex="0" href="/constellation/next/workflows/verify-cli"><span title="Verify the 
CLI" class="linkLabel_WmDU">Verify the CLI</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/config"><span title="Configure your cluster" class="linkLabel_WmDU">Configure your cluster</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/create"><span title="Create your cluster" class="linkLabel_WmDU">Create your cluster</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/scale"><span title="Scale your cluster" class="linkLabel_WmDU">Scale your cluster</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/upgrade"><span title="Upgrade your cluster" class="linkLabel_WmDU">Upgrade your cluster</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/lb"><span title="Expose a service" class="linkLabel_WmDU">Expose a service</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/cert-manager"><span title="Install cert-manager" class="linkLabel_WmDU">Install cert-manager</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/s3proxy"><span title="Install s3proxy" class="linkLabel_WmDU">Install s3proxy</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a 
class="menu__link" tabindex="0" href="/constellation/next/workflows/terminate"><span title="Terminate your cluster" class="linkLabel_WmDU">Terminate your cluster</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/recovery"><span title="Recover your cluster" class="linkLabel_WmDU">Recover your cluster</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/verify-cluster"><span title="Verify your cluster" class="linkLabel_WmDU">Verify your cluster</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/storage"><span title="Use persistent storage" class="linkLabel_WmDU">Use persistent storage</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/terraform-provider"><span title="Use the Terraform provider" class="linkLabel_WmDU">Use the Terraform provider</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/sbom"><span title="Consume SBOMs" class="linkLabel_WmDU">Consume SBOMs</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" href="/constellation/next/workflows/reproducible-builds"><span title="Reproduce release artifacts" class="linkLabel_WmDU">Reproduce release artifacts</span></a></li><li class="theme-doc-sidebar-item-link theme-doc-sidebar-item-link-level-2 menu__list-item"><a class="menu__link" tabindex="0" 
href="/constellation/next/workflows/troubleshooting"><span title="Troubleshooting" class="linkLabel_WmDU">Troubleshooting</span></a></li></ul></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/constellation/next/category/architecture"><span title="Architecture" class="categoryLinkLabel_W154">Architecture</span></a><button aria-label="Expand sidebar category &#x27;Architecture&#x27;" aria-expanded="false" type="button" class="clean-btn menu__caret"></button></div></li><li class="theme-doc-sidebar-item-category theme-doc-sidebar-item-category-level-1 menu__list-item menu__list-item--collapsed"><div class="menu__list-item-collapsible"><a class="categoryLink_byQd menu__link menu__link--sublist" href="/constellation/next/category/reference"><span title="Reference" class="categoryLinkLabel_W154">Reference</span></a><button aria-label="Expand sidebar category &#x27;Reference&#x27;" aria-expanded="false" type="button" class="clean-btn menu__caret"></button></div></li></ul></nav></div></div></aside><main class="docMainContainer_TBSr"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="theme-doc-version-banner alert alert--warning margin-bottom--md" role="alert"><div>This is unreleased documentation for <!-- -->Constellation<!-- --> <b>Next</b> version.</div><div class="margin-top--md">For up-to-date documentation, see the <b><a href="/constellation/workflows/verify-cli">latest version</a></b> (<!-- -->2.24<!-- -->).</div></div><div class="docItemContainer_Djhp"><article><nav class="theme-doc-breadcrumbs breadcrumbsContainer_Z_bl" aria-label="Breadcrumbs"><ul class="breadcrumbs"><li class="breadcrumbs__item"><a aria-label="Home page" class="breadcrumbs__link" href="/constellation/"><svg viewBox="0 0 24 24" 
class="breadcrumbHomeIcon_YNFT"><path d="M10 19v-5h4v5c0 .55.45 1 1 1h3c.55 0 1-.45 1-1v-7h1.7c.46 0 .68-.57.33-.87L12.67 3.6c-.38-.34-.96-.34-1.34 0l-8.36 7.53c-.34.3-.13.87.33.87H5v7c0 .55.45 1 1 1h3c.55 0 1-.45 1-1z" fill="currentColor"></path></svg></a></li><li class="breadcrumbs__item"><a class="breadcrumbs__link" href="/constellation/next/category/workflows"><span>Workflows</span></a></li><li class="breadcrumbs__item breadcrumbs__item--active"><span class="breadcrumbs__link">Verify the CLI</span></li></ul></nav><span class="theme-doc-version-badge badge badge--secondary">Version: Next</span><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Verify the CLI</h1></header>
<div class="theme-admonition theme-admonition-info admonition_xJq3 alert alert--info"><div class="admonitionHeading_Gvgb"><span class="admonitionIcon_Rf37"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><div class="admonitionContent_BuS1"><p>This recording presents the essence of this page. It&#x27;s recommended to read it in full for the motivation and all details.</p></div></div>
<div>Loading asciinema cast...</div>
<hr>
<p>Edgeless Systems uses <a href="https://www.sigstore.dev/" target="_blank" rel="noopener noreferrer" class="">sigstore</a> and <a href="https://slsa.dev" target="_blank" rel="noopener noreferrer" class="">SLSA</a> to ensure supply-chain security for the Constellation CLI and node images (&quot;artifacts&quot;). sigstore consists of three components: <a href="https://docs.sigstore.dev/cosign/signing/overview/" target="_blank" rel="noopener noreferrer" class="">Cosign</a>, <a href="https://docs.sigstore.dev/logging/overview" target="_blank" rel="noopener noreferrer" class="">Rekor</a>, and Fulcio. Edgeless Systems uses Cosign to sign artifacts. All signatures are uploaded to the public Rekor transparency log, which resides at <code>https://rekor.sigstore.dev</code>.</p>
<div class="theme-admonition theme-admonition-note admonition_xJq3 alert alert--secondary"><div class="admonitionHeading_Gvgb"><span class="admonitionIcon_Rf37"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M6.3 5.69a.942.942 0 0 1-.28-.7c0-.28.09-.52.28-.7.19-.18.42-.28.7-.28.28 0 .52.09.7.28.18.19.28.42.28.7 0 .28-.09.52-.28.7a1 1 0 0 1-.7.3c-.28 0-.52-.11-.7-.3zM8 7.99c-.02-.25-.11-.48-.31-.69-.2-.19-.42-.3-.69-.31H6c-.27.02-.48.13-.69.31-.2.2-.3.44-.31.69h1v3c.02.27.11.5.31.69.2.2.42.31.69.31h1c.27 0 .48-.11.69-.31.2-.19.3-.42.31-.69H8V7.98v.01zM7 2.3c-3.14 0-5.7 2.54-5.7 5.68 0 3.14 2.56 5.7 5.7 5.7s5.7-2.55 5.7-5.7c0-3.15-2.56-5.69-5.7-5.69v.01zM7 .98c3.86 0 7 3.14 7 7s-3.14 7-7 7-7-3.12-7-7 3.14-7 7-7z"></path></svg></span>note</div><div class="admonitionContent_BuS1"><p>The public key for Edgeless Systems&#x27; long-term code-signing key is:</p><div class="language-text codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token plain">-----BEGIN PUBLIC KEY-----</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf8F1hpmwE+YCFXzjGtaQcrL6XZVT</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">JmEe5iSLvG1SyQSAew7WdMKF6o9t8e2TFuCkzlOhhlws2OHWbiFZnFWCFw==</span><br></span><span class="token-line" style="color:#393A34"><span class="token plain">-----END PUBLIC KEY-----</span><br></span></code></pre></div></div><p>The public key is also available for download at <a href="https://edgeless.systems/es.pub" target="_blank" rel="noopener noreferrer" class="">https://edgeless.systems/es.pub</a> and in the Twitter profile <a 
href="https://twitter.com/EdgelessSystems" target="_blank" rel="noopener noreferrer" class="">@EdgelessSystems</a>.</p></div></div>
<p>The Rekor transparency log is a public append-only ledger that verifies and records signatures and associated metadata. It enables everyone to observe the sequence of (software) signatures issued by Edgeless Systems and many other parties, and thereby allows for the public identification of dubious or malicious signatures.</p>
<p>You should always ensure that (1) your CLI executable was signed with the private key corresponding to the above public key and that (2) there is a corresponding entry in the Rekor transparency log. Both checks are described below.</p>
<div class="theme-admonition theme-admonition-info admonition_xJq3 alert alert--info"><div class="admonitionHeading_Gvgb"><span class="admonitionIcon_Rf37"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><div class="admonitionContent_BuS1"><p>You don&#x27;t need to verify the Constellation node images. This is done automatically by your CLI and the rest of Constellation.</p></div></div>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="verify-the-signature">Verify the signature<a href="#verify-the-signature" class="hash-link" aria-label="Direct link to Verify the signature" title="Direct link to Verify the signature" translate="no"></a></h2>
<div class="theme-admonition theme-admonition-info admonition_xJq3 alert alert--info"><div class="admonitionHeading_Gvgb"><span class="admonitionIcon_Rf37"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><div class="admonitionContent_BuS1"><p>This guide assumes Linux on an amd64 processor. The exact steps for other platforms differ slightly.</p></div></div>
<p>First, <a href="https://docs.sigstore.dev/cosign/system_config/installation/" target="_blank" rel="noopener noreferrer" class="">install the Cosign CLI</a>. Next, <a href="https://github.com/edgelesssys/constellation/releases" target="_blank" rel="noopener noreferrer" class="">download</a> and verify the signature that accompanies your CLI executable, for example:</p>
<div class="language-shell-session codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-shell-session codeBlock_bY9V thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token command shell-symbol important">$</span><span class="token command"> </span><span class="token command bash language-bash">cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token output">Verified OK</span><br></span></code></pre></div></div>
<p>The above performs an offline verification of the executable against the provided signature and public key; it doesn&#x27;t consult the transparency log. To also verify that a corresponding entry exists in the public Rekor transparency log, add the variable <code>COSIGN_EXPERIMENTAL=1</code>:</p>
<div class="language-shell-session codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-shell-session codeBlock_bY9V thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token command shell-symbol important">$</span><span class="token command"> </span><span class="token command bash language-bash">COSIGN_EXPERIMENTAL=1 cosign verify-blob --key https://edgeless.systems/es.pub --signature constellation-linux-amd64.sig constellation-linux-amd64</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token output">tlog entry verified with uuid: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13 index: 3477047</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">Verified OK</span><br></span></code></pre></div></div>
<p>🏁 You now know that your CLI executable was officially released and signed by Edgeless Systems.</p>
<h3 class="anchor anchorTargetStickyNavbar_Vzrq" id="optional-manually-inspect-the-transparency-log">Optional: Manually inspect the transparency log<a href="#optional-manually-inspect-the-transparency-log" class="hash-link" aria-label="Direct link to Optional: Manually inspect the transparency log" title="Direct link to Optional: Manually inspect the transparency log" translate="no"></a></h3>
<p>To further inspect the public Rekor transparency log, <a href="https://docs.sigstore.dev/logging/installation" target="_blank" rel="noopener noreferrer" class="">install the Rekor CLI</a>. A search for the CLI executable should give a single UUID. (Note that this UUID contains the UUID from the previous <code>cosign</code> command.)</p>
<div class="language-shell-session codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-shell-session codeBlock_bY9V thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token command shell-symbol important">$</span><span class="token command"> </span><span class="token command bash language-bash">rekor-cli search --artifact constellation-linux-amd64</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token output">Found matching entries (listed by UUID):</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13</span><br></span></code></pre></div></div>
<p>With this UUID you can get the full entry from the transparency log:</p>
<div class="language-shell-session codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-shell-session codeBlock_bY9V thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token command shell-symbol important">$</span><span class="token command"> </span><span class="token command bash language-bash">rekor-cli get --uuid=362f8ecba72f4326afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token output">LogID: c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">Index: 3477047</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">IntegratedTime: 2022-09-12T22:28:16Z</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">UUID: afaba7f6635b3e058888692841848e5514357315be9528474b23f5dcccb82b13</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">Body: {</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> &quot;HashedRekordObj&quot;: {</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> &quot;data&quot;: {</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> &quot;hash&quot;: {</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> &quot;algorithm&quot;: &quot;sha256&quot;,</span><br></span><span 
class="token-line" style="color:#393A34"><span class="token output"> &quot;value&quot;: &quot;40e137b9b9b8204d672642fd1e181c6d5ccb50cfc5cc7fcbb06a8c2c78f44aff&quot;</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> }</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> },</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> &quot;signature&quot;: {</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> &quot;content&quot;: &quot;MEUCIQCSER3mGj+j5Pr2kOXTlCIHQC3gT30I7qkLr9Awt6eUUQIgcLUKRIlY50UN8JGwVeNgkBZyYD8HMxwC/LFRWoMn180=&quot;,</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> &quot;publicKey&quot;: {</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> &quot;content&quot;: &quot;LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFZjhGMWhwbXdFK1lDRlh6akd0YVFjckw2WFpWVApKbUVlNWlTTHZHMVN5UVNBZXc3V2RNS0Y2bzl0OGUyVEZ1Q2t6bE9oaGx3czJPSFdiaUZabkZXQ0Z3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==&quot;</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> }</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> }</span><br></span><span class="token-line" style="color:#393A34"><span class="token output"> }</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">}</span><br></span></code></pre></div></div>
<p>The field <code>publicKey</code> should contain the Base64 encoding of Edgeless Systems&#x27; public key, i.e., the key shown above.</p>
<p>You can get an exhaustive list of artifact signatures issued by Edgeless Systems via the following command:</p>
<div class="language-bash codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-bash codeBlock_bY9V thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token plain">rekor-cli search --public-key https://edgeless.systems/es.pub --pki-format x509</span><br></span></code></pre></div></div>
<p>Edgeless Systems monitors this list to detect potential unauthorized use of its private key.</p>
<h2 class="anchor anchorTargetStickyNavbar_Vzrq" id="verify-the-provenance">Verify the provenance<a href="#verify-the-provenance" class="hash-link" aria-label="Direct link to Verify the provenance" title="Direct link to Verify the provenance" translate="no"></a></h2>
<p>Provenance attests that a software artifact was produced by a specific repository and build system invocation. For more information on provenance, visit <a href="https://slsa.dev/provenance/v0.2" target="_blank" rel="noopener noreferrer" class="">slsa.dev</a> and learn about the <a class="" href="/constellation/next/reference/slsa">adoption of SLSA for Constellation</a>.</p>
<p>Just as checking its signature proves that the CLI hasn&#x27;t been manipulated, checking the provenance proves that the artifact was produced by the expected build process and hasn&#x27;t been tampered with.</p>
<p>To verify the provenance, first install the <a href="https://github.com/slsa-framework/slsa-verifier" target="_blank" rel="noopener noreferrer" class="">slsa-verifier</a>. Then make sure you have downloaded both the provenance file (<code>constellation.intoto.jsonl</code>) and the Constellation CLI. Both are available on the <a href="https://github.com/edgelesssys/constellation/releases" target="_blank" rel="noopener noreferrer" class="">GitHub release page</a>.</p>
<div class="theme-admonition theme-admonition-info admonition_xJq3 alert alert--info"><div class="admonitionHeading_Gvgb"><span class="admonitionIcon_Rf37"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><div class="admonitionContent_BuS1"><p>The same provenance file is valid for all Constellation CLI executables of a given version independent of the target platform.</p></div></div>
<p>Use the verifier to check the downloaded CLI executable against the provenance file:</p>
<div class="language-shell-session codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#393A34;--prism-background-color:#f6f8fa"><div class="codeBlockContent_QJqH"><pre tabindex="0" class="prism-code language-shell-session codeBlock_bY9V thin-scrollbar" style="color:#393A34;background-color:#f6f8fa"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#393A34"><span class="token command shell-symbol important">$</span><span class="token command"> </span><span class="token command bash language-bash">slsa-verifier verify-artifact constellation-linux-amd64 \</span><br></span><span class="token-line" style="color:#393A34"><span class="token command bash language-bash"> --provenance-path constellation.intoto.jsonl \</span><br></span><span class="token-line" style="color:#393A34"><span class="token command bash language-bash"> --source-uri github.com/edgelesssys/constellation</span><span class="token plain"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#393A34"><span class="token plain"></span><span class="token output">Verified signature against tlog entry index 7771317 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77af2c04c8b4ae0d5bc5...</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">Verified build using builder https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.2 at commit 18e9924b416323c37b9cdfd6cc728de8a947424a</span><br></span><span class="token-line" style="color:#393A34"><span class="token output">PASSED: Verified SLSA provenance</span><br></span></code></pre></div></div></div><footer class="theme-doc-footer docusaurus-mt-lg"><div class="row margin-top--sm theme-doc-footer-edit-meta-row"><div class="col noPrint_WFHX"><a 
</body>
</html>