From 1ae679ba832c111353a478bfe49e91df041ed519 Mon Sep 17 00:00:00 2001 From: Simon Mayer Date: Tue, 2 Sep 2025 08:35:25 +0200 Subject: [PATCH 1/3] Add information regarding artifact signing --- docs/docs/06-For CISOs/artifacts-signing.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/docs/06-For CISOs/artifacts-signing.md b/docs/docs/06-For CISOs/artifacts-signing.md index 93d18dc9..6d3afa6d 100644 --- a/docs/docs/06-For CISOs/artifacts-signing.md +++ b/docs/docs/06-For CISOs/artifacts-signing.md @@ -1,7 +1,10 @@ --- slug: /artifact-signing title: Artifact Signing -draft: true --- # Artifact Signing + +To increase trust and integrity, metal-stack introduces artifact signing for its released components. + +The release vector is now published as an OCI artifact and signed using [cosign](https://github.com/sigstore/cosign). While this feature is currently available as a preview, our long-term goal is to extend signing to all metal-stack container images as well, ensuring that users can always verify the authenticity of the artifacts they consume. \ No newline at end of file From 61b9574cf0bb31d3d9ef8548c353787e4efd2653 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Wed, 13 May 2026 11:26:14 +0200 Subject: [PATCH 2/3] Update. --- .../Security/05-artifacts-signing.md | 41 +++++++++++++++++++ docs/06-For CISOs/artifacts-signing.md | 7 ---- 2 files changed, 41 insertions(+), 7 deletions(-) create mode 100644 docs/06-For CISOs/Security/05-artifacts-signing.md delete mode 100644 docs/06-For CISOs/artifacts-signing.md diff --git a/docs/06-For CISOs/Security/05-artifacts-signing.md b/docs/06-For CISOs/Security/05-artifacts-signing.md new file mode 100644 index 00000000..833d5c8d --- /dev/null +++ b/docs/06-For CISOs/Security/05-artifacts-signing.md 
@@ -0,0 +1,41 @@ +--- +slug: /artifact-signing +title: Artifact Signing +sidebar_position: 5 +--- + +# Artifact Signing + +To increase trust and integrity, metal-stack introduces artifact signing for its released components. + +The release vector is published as an [OCI artifact](/community/06-oci-artifacts.md) and signed using [cosign](https://github.com/sigstore/cosign). + +The images are signed using a public key that is always attached to a metal-stack release in the [releases repository](https://github.com/metal-stack/releases/blob/master/cosign.pub). + +To verify an image, the following command can be used: + +```bash +cosign verify --key files/cosign.pub ghcr.io/metal-stack/metal-deployment-base:v0.9.2 + +Verification for ghcr.io/metal-stack/metal-deployment-base:v0.9.2 -- +The following checks were performed on each of these signatures: + - The cosign claims were validated + - Existence of the claims in the transparency log was verified offline + - The signatures were verified against the specified public key + +[{"critical":{"identity":{"docker-reference":"ghcr.io/metal-stack/metal-deployment-base:v0.9.2"},"image":{"docker-manifest-digest":"sha256:8b4a19650efc27f6cd29798c94eca9f1ebbab2d20004a267d6729ad69f3c095f"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}},{"critical":{"identity":{"docker-reference":"ghcr.io/metal-stack/metal-deployment-base:v0.9.2"},"image":{"docker-manifest-digest":"sha256:8b4a19650efc27f6cd29798c94eca9f1ebbab2d20004a267d6729ad69f3c095f"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}] +``` + +Certain images we also sign keyless in addition, such the command can also look like this: + +```bash +cosign verify ghcr.io/metal-stack/metal-deployment-base:v0.9.2 --certificate-oidc-issuer https://accounts.google.com --certificate-identity keyless@metal-stack.iam.gserviceaccount.com + +Verification for ghcr.io/metal-stack/metal-deployment-base:v0.9.2 -- +The following checks were performed on each of these 
signatures: + - The cosign claims were validated + - Existence of the claims in the transparency log was verified offline + - The code-signing certificate was verified using trusted certificate authority certificates + +[{"critical":{"identity":{"docker-reference":"ghcr.io/metal-stack/metal-deployment-base:v0.9.2"},"image":{"docker-manifest-digest":"sha256:8b4a19650efc27f6cd29798c94eca9f1ebbab2d20004a267d6729ad69f3c095f"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}},{"critical":{"identity":{"docker-reference":"ghcr.io/metal-stack/metal-deployment-base:v0.9.2"},"image":{"docker-manifest-digest":"sha256:8b4a19650efc27f6cd29798c94eca9f1ebbab2d20004a267d6729ad69f3c095f"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}] +``` diff --git a/docs/06-For CISOs/artifacts-signing.md b/docs/06-For CISOs/artifacts-signing.md deleted file mode 100644 index 93d18dc9..00000000 --- a/docs/06-For CISOs/artifacts-signing.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -slug: /artifact-signing -title: Artifact Signing -draft: true ---- - -# Artifact Signing From 3c991a3ae2e711e0e2f1254d66ca55285ef2bc10 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Wed, 13 May 2026 11:27:14 +0200 Subject: [PATCH 3/3] Clean. --- .../docs/06-For CISOs/artifacts-signing.md | 10 ---------- 1 file changed, 10 deletions(-) delete mode 100644 versioned_docs/version-v0.21/docs/06-For CISOs/artifacts-signing.md diff --git a/versioned_docs/version-v0.21/docs/06-For CISOs/artifacts-signing.md b/versioned_docs/version-v0.21/docs/06-For CISOs/artifacts-signing.md deleted file mode 100644 index 6d3afa6d..00000000 --- a/versioned_docs/version-v0.21/docs/06-For CISOs/artifacts-signing.md +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -slug: /artifact-signing -title: Artifact Signing ---- - -# Artifact Signing - -To increase trust and integrity, metal-stack introduces artifact signing for its released components. - -The release vector is now published as an OCI artifact and signed using [cosign](https://github.com/sigstore/cosign). While this feature is currently available as a preview, our long-term goal is to extend signing to all metal-stack container images as well, ensuring that users can always verify the authenticity of the artifacts they consume. \ No newline at end of file
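Review bot: the PATCH 1/3 hunk on `docs/docs/06-For CISOs/artifacts-signing.md` ends with `\ No newline at end of file`; please add the trailing newline so the next edit of this page does not produce a noisy diff. The two added sentences also name cosign but not the artifact a reader is expected to verify or where the verification key lives, so as written the page is a promise rather than a procedure; stating the OCI reference of the release vector and the location of the public key here (as PATCH 2/3 later does) would make the preview usable.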
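Review bot: in the PATCH 2/3 hunk that creates `docs/06-For CISOs/Security/05-artifacts-signing.md`, both `bash` fences mix the command with its output (`Verification for ghcr.io/metal-stack/metal-deployment-base:v0.9.2 --`, the `The following checks ...` lines and the JSON array), so a copy-and-paste of the block executes the output lines as shell commands; either prefix the command with `$` or move the output into its own fence. The keyed example passes `--key files/cosign.pub` while the prose points at `cosign.pub` on the `master` branch of the releases repository; please document where `files/cosign.pub` comes from and prefer the key attached to the release tag being verified over `master`, so the key used for verification is bound to that release rather than to whatever the branch head holds. Two wording fixes in the same hunk: "The images are signed using a public key" should say the images are signed with a private key whose public part is attached to the release, and "Certain images we also sign keyless in addition, such the command can also look like this" should read "Some images are additionally signed keyless, so the command can also look like this"; the page should also list which images carry the keyless signature, since a user needs to know which `--certificate-identity` and `--certificate-oidc-issuer` values to expect. Finally, the text says the release vector is signed, but both examples verify `metal-deployment-base:v0.9.2`; add an example that verifies the release vector artifact itself.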
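Review bot: the second hunk of PATCH 2/3 deletes `docs/06-For CISOs/artifacts-signing.md` at blob `93d18dc9`, which is the pre-PATCH-1 draft, whereas PATCH 1/3 edited `docs/docs/06-For CISOs/artifacts-signing.md` and produced blob `6d3afa6d`; the two patches address different tree layouts, so please confirm the series applies cleanly against one base and that no remaining page links to the old file path (the `slug: /artifact-signing` is preserved in the new file, so URL links survive but file-relative links would not).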
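Review bot: the PATCH 3/3 hunk deletes `versioned_docs/version-v0.21/docs/06-For CISOs/artifacts-signing.md` (blob `6d3afa6d`, the text PATCH 1/3 introduced) without adding a versioned counterpart of the new `Security/05-artifacts-signing.md`, so the v0.21 documentation loses the artifact-signing page entirely; if v0.21 releases are signed, keep the page in the versioned tree as well, otherwise the series should say that the page is intentionally unversioned.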