[Docs] Add instructions to verify Docker install images (elastic#15058)
* Add instructions to verify Docker install images

* remove line breaks

* Update docs/static/docker.asciidoc

Co-authored-by: Maxime Gréau <maxime.greau@elastic.co>

---------

Co-authored-by: Maxime Gréau <maxime.greau@elastic.co>
kilfoyle and mgreau committed May 24, 2023
1 parent feb3ee0 commit b831888
Showing 1 changed file with 39 additions and 0 deletions.
39 changes: 39 additions & 0 deletions docs/static/docker.asciidoc
Expand Up @@ -39,6 +39,45 @@ https://www.docker.elastic.co[www.docker.elastic.co].

endif::[]

==== Verifying the image

Although it's optional, we highly recommend verifying the signatures included with your downloaded Docker images to ensure that the images are valid.

Elastic images are signed with https://docs.sigstore.dev/cosign/overview/[Cosign] which is part of the https://www.sigstore.dev/[Sigstore] project. Cosign supports container signing, verification, and storage in an OCI registry. Install the appropriate https://docs.sigstore.dev/cosign/installation/[Cosign application]
for your operating system.

Run the following commands to verify the container image signature for {ls} v{version}:

ifeval::["{release-state}"=="unreleased"]

Version {logstash_version} of Logstash has not yet been
released, so no Docker image is currently available for this version.

endif::[]

ifeval::["{release-state}"!="unreleased"]

["source","sh",subs="attributes"]
--------------------------------------------
wget https://artifacts.elastic.co/cosign.pub <1>
cosign verify --key cosign.pub {docker-image} <2>
--------------------------------------------
<1> Download the Elastic public key to verify container signature
<2> Verify the container against the Elastic public key

The command prints the check results and the signature payload in JSON format, for example:

["source","sh",subs="attributes"]
--------------------------------------------
Verification for {docker-image} --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
--------------------------------------------

endif::[]

[[docker-config]]
=== Configuring Logstash for Docker
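
Review bot: The lead-in "Run the following commands to verify the container image signature for {ls} v{version}:" sits above both ifeval blocks, so in an unreleased build it renders directly before "Version {logstash_version} of Logstash has not yet been released" with no commands following it. Move that sentence inside the `ifeval::["{release-state}"!="unreleased"]` block, next to the cosign listing. Two smaller points in the same hunk: the text says the command prints "the signature payload in JSON format", but the sample output stops at the three check lines, so either show a payload or drop the claim; and the output listing is tagged "sh" although it is command output rather than shell. It would also help to say how readers can confirm cosign.pub itself, since the key is fetched with a bare wget and the page gives no fingerprint to compare it against.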
