Update Knative cosign verify docs

Signed-off-by: Caleb Woodbine <calebwoodbine.public@gmail.com>
knative · May 17, 2023 · 7994823 · 7994823
1 parent 2f943ad
commit 7994823
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 14 deletions.
diff --git a/docs/snippets/security-prereqs-binaries.md b/docs/snippets/security-prereqs-binaries.md
@@ -16,9 +16,11 @@ Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs
 1. Verify the signature by running the command:
 
     ```sh
-    COSIGN_EXPERIMENTAL=1 cosign verify-blob \
+    cosign verify-blob \
     --cert checksums.txt.pem \
     --signature checksums.txt.sig \
+    --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
+    --certificate-oidc-issuer=https://accounts.google.com \
     checksums.txt
     ```
 
@@ -29,4 +31,5 @@ Knative `kn` CLI releases from 1.9 onwards are signed with [cosign](https://docs
     ```
 
 !!! note
-    `COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-nightly.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`.
+    Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures). The signing identity for Knative releases is `signer@knative-releases.iam.gserviceaccount.com`, and the issuer is `https://accounts.google.com`.
+
diff --git a/docs/snippets/security-prereqs-images.md b/docs/snippets/security-prereqs-images.md
@@ -7,19 +7,15 @@ Knative releases from 1.9 onwards are signed with [cosign](https://docs.sigstore
 1. Extract the images from a manifeset and verify the signatures.
 
 ```
-# download the yaml file, this example uses the serving manifest
-curl -fsSLO https://github.com/knative/serving/releases/download/knative-v1.9.0/serving-core.yaml
-cat serving-core.yaml | grep 'gcr.io/' | awk '{print $2}' > images.txt
-input=images.txt
-while IFS= read -r image
-do
-  COSIGN_EXPERIMENTAL=1 cosign verify -o text "$image" | jq
-done < "$input"
-
+curl -sSL https://github.com/knative/serving/releases/download/knative-v1.10.1/serving-core.yaml \
+  | grep 'gcr.io/' | awk '{print $2}' | sort | uniq \
+  | xargs -n 1 \
+    cosign verify -o text \
+      --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
+      --certificate-oidc-issuer=https://accounts.google.com
 ```
 
 !!! note
-    `COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
-    in `KEYLESS` mode. To learn more about keyless signing, please refer to
+    Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
     [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
-    Our signing identity(Subject) for our releases is `signer@knative-nightly.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
+    Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`