Check the Signatures

Verify the integrity of the ISO by checking the signatures.

Check the Signatures

Optional Step

This is an optional but strongly encouraged step for security reasons.

Our ISO releases have sha256 files to checksum the validity of the artifacts. At the same time, our sha256 files are signed automatically in the CI during the release workflow to verify that they haven’t been tampered with, adding an extra step to the supply chain.

It is recommended that before starting any installation the whole security chain is validated by verifying our sha256 signature and validating that the checksum matches with the download artifacts.

To validate the whole chain you need:

sha256sum which is usually installed by default on most linux distributions.
cosign to verify the signatures of the sha256 file. You can install cosign via their installation docs
sha256, certificate and signature files that you want to verify

In this example we will use the v3.1.3 version and @flavor flavor and @flavorRelease flavor release.

First we check that we have all needed files:

$ ls      
kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso         kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.pem
kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256  kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.sig

Then we verify that the sha256 checksums haven’t been tampered with:

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.pem --signature kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.sig kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256 
tlog entry verified with uuid: 51ef927a43557386ad7912802607aa421566772524319703a99f8331f0bb778f index: 11977200
Verified OK

Once we see that Verified OK we can be sure that the file hasn’t been tampered with, and we can continue verifying the iso checksum.

For an example of a failure validation see below:

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --enforce-sct --cert kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.pem --signature kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.sig kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.modified
Error: verifying blob [kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.modified]: invalid signature when validating ASN.1 encoded signature
main.go:62: error during command execution: verifying blob [kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256.modified]: invalid signature when validating ASN.1 encoded signature

Info

We use COSIGN_EXPERIMENTAL=1 to verify the blob using the keyless method. That means that only ephemeral keys are created to sign, and it relays on using OIDC Identity Tokens to authenticate so not even Kairos developers have access to the private keys and can modify an existing signature. All signatures are done via the CI with no external access to the signing process. For more information about keyless signing please check the cosign docs

Now we can verify that the integrity of the ISO hasnt been compromise:

$ sha256sum -c kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso.sha256
kairos-@flavor-@flavorRelease-core-amd64-generic-v3.1.3.iso: OK

Once we reached this point, we can be sure that from the ISO hasn’t been tampered with since it was created by our release workflow.

Last modified August 28, 2024: Finish restructure and add video (bbf1010)