Check the Signatures
Optional Step
This is an optional but strongly encouraged step for security reasons.
Our ISO releases ship with sha256 files for checking the integrity of the artifacts. In addition, the sha256 files are signed automatically in the CI during the release workflow so that you can verify they haven’t been tampered with, adding an extra step to the supply chain.
Before starting any installation, we recommend validating the whole security chain: verify the signature of our sha256 file, then check that the checksum matches the downloaded artifacts.
To validate the whole chain you need:
- sha256sum, which is usually installed by default on most Linux distributions.
- cosign, to verify the signatures of the sha256 file. You can install cosign via their installation docs.
- The sha256, certificate and signature files that you want to verify.
In this example we will use the v3.2.3 version, the @flavor flavor and the @flavorRelease flavor release.
First we check that we have all the needed files:
$ ls
kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.pem
kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256 kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.sig
Then we verify that the sha256 checksums haven’t been tampered with:
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --cert kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.pem --signature kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.sig kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256
tlog entry verified with uuid: 51ef927a43557386ad7912802607aa421566772524319703a99f8331f0bb778f index: 11977200
Verified OK
Once we see Verified OK, we can be sure that the file hasn’t been tampered with, and we can continue with verifying the ISO checksum.
For an example of a failed validation, see below:
$ COSIGN_EXPERIMENTAL=1 cosign verify-blob --enforce-sct --cert kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.pem --signature kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.sig kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.modified
Error: verifying blob [kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.modified]: invalid signature when validating ASN.1 encoded signature
main.go:62: error during command execution: verifying blob [kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256.modified]: invalid signature when validating ASN.1 encoded signature
Info
We use COSIGN_EXPERIMENTAL=1 to verify the blob using the keyless method. That means that only ephemeral keys are created to sign, and it relies on OIDC Identity Tokens to authenticate, so not even Kairos developers have access to the private keys or can modify an existing signature. All signatures are done via the CI with no external access to the signing process. For more information about keyless signing, please check the cosign docs.
Now we can verify that the integrity of the ISO hasn’t been compromised:
$ sha256sum -c kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso.sha256
kairos-@flavor-@flavorRelease-core-amd64-generic-v3.2.3.iso: OK
Once we have reached this point, we can be sure that the ISO hasn’t been tampered with since it was created by our release workflow.
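The two checks above chained into one script that stops at the first failure, so the ISO checksum is only compared against a checksum file whose signature has already verified. This is an added example, not part of the Kairos documentation; `verify_release` and its return codes are hypothetical, and it assumes the `<iso>.sha256`, `.sha256.pem` and `.sha256.sig` naming shown in the listing above.

```sh
#!/bin/sh
# Added example (not Kairos project code). verify_release is a hypothetical
# helper; usage: sh verify.sh path/to/image.iso
# Return codes: 0 ok, 2 missing file, 3 bad signature,
#               4 checksum file does not list the ISO, 5 checksum mismatch.

verify_release() {
    iso=$1
    sum="$iso.sha256"

    # All four files must be present before anything is trusted.
    for f in "$iso" "$sum" "$sum.pem" "$sum.sig"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done

    # Step 1: signature over the checksum file, same invocation as above.
    COSIGN_EXPERIMENTAL=1 cosign verify-blob \
        --cert "$sum.pem" --signature "$sum.sig" "$sum" \
        || { echo "signature check failed: $sum" >&2; return 3; }

    # sha256sum -c only checks the file names listed inside the checksum
    # file, so make sure it actually names the ISO we intend to install.
    grep -q -F -- "$(basename "$iso")" "$sum" \
        || { echo "$sum does not list $(basename "$iso")" >&2; return 4; }

    # Step 2: ISO digest against the checksum file that just verified.
    ( cd "$(dirname "$iso")" && sha256sum -c "$(basename "$sum")" ) \
        || { echo "checksum mismatch: $iso" >&2; return 5; }
}

# Run only when an ISO path is given on the command line.
[ "$#" -eq 0 ] || verify_release "$1"
```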