Skip to content

2201.8.2

Compare
Choose a tag to compare
@ballerina-bot ballerina-bot released this 14 Oct 18:48
· 0 commits to cae253c5e012d98e518657d92843b956c2af0fc4 since this release

Ballerina uses sigstore/cosign for signing and verifying the release artifacts. The artifacts of the latest Ballerina Swan Lake update release along with their verification files are listed below.

Platform Installer Certificate Signature
Linux DEB ballerina-2201.8.2-swan-lake-linux-x64.deb ballerina-2201.8.2-swan-lake-linux-x64.deb.pem ballerina-2201.8.2-swan-lake-linux-x64.deb.sig
Linux RPM ballerina-2201.8.2-swan-lake-linux-x64.rpm ballerina-2201.8.2-swan-lake-linux-x64.rpm.pem ballerina-2201.8.2-swan-lake-linux-x64.rpm.sig
macOS ballerina-2201.8.2-swan-lake-macos-x64.pkg ballerina-2201.8.2-swan-lake-macos-x64.pkg.pem ballerina-2201.8.2-swan-lake-macos-x64.pkg.sig
macOS ARM ballerina-2201.8.2-swan-lake-macos-arm-x64.pkg ballerina-2201.8.2-swan-lake-macos-arm-x64.pkg.pem ballerina-2201.8.2-swan-lake-macos-arm-x64.pkg.sig
Windows ballerina-2201.8.2-swan-lake-windows-x64.msi ballerina-2201.8.2-swan-lake-windows-x64.msi.pem ballerina-2201.8.2-swan-lake-windows-x64.msi.sig

You can use one of the methods below to verify the above artifacts.

Verify using the Cosign CLI

Below is an example of using the Cosign CLI to verify the release artifacts of the MacOS platform.

Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.

Follow the steps below to verify the artifacts using the Cosign CLI.

  1. Download the desired artifact from the table above.

  2. Execute the command below to verify the artifacts.

    $ cosign verify-blob ballerina-2201.8.2-swan-lake-macos-x64.pkg --certificate ballerina-2201.8.2-swan-lake-macos-x64.pkg.pem --signature ballerina-2201.8.2-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/2201.8.x --certificate-oidc-issuer=https://token.actions.githubusercontent.com
    

If the artifact matches the one signed by Cosign, you will receive the following message.

Verified OK

Verify using the Rekor API

The signatures applied on the Ballerina release artifacts are recorded in Rekor, which is a Sigstore Transparency Log. Below is an example of using the Rekor API to verify the release artifacts of the MacOS platform.

Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.

Follow the steps below to send an API call to Rekor to retrieve and verify the details of the signature and the certificate chain.

  1. Download the desired artifact from the table above.

  2. Generate an SHA256 Hash for the artifact and store it in a variable.

    $ SHASUM=$(shasum -a 256 ballerina-2201.8.2-swan-lake-macos-x64.pkg |awk '{print $1}')
    
  3. Invoke the Rekor API to retrieve the entry of the signature and store it as the UUID value.

    $ curl -X POST -H "Content-type: application/json" 'https://rekor.sigstore.dev/api/v1/index/retrieve' --data-raw "{\"hash\":\"sha256:$SHASUM\"}
    
  4. Assign the UUID returned by the above API call to a variable as shown below.

    Tip: Replace the <UUID_VALUE> in the below exmaple with the UUID value you recieved

    $ UUID=<UUID_VALUE>
    
  5. Retrieve the log entry of the artifact signature by sending an API call to Rekor with the assigned UUID variable.

     $ curl -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID?}"
    
  6. Retrieve the signature and public certificate, which are required to verify the artifact.

    • Retrieve the signature:

      $ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID?} \ | jq -r '.[] | .body' \ | base64 -d |jq -r '.spec .signature .content' \ | base64 -d > ballerina-2201.8.2-swan-lake-macos-x64.pkg.sig
      
    • Retrieve the certificate:

      $ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID?}" \ | jq -r '.[] | .body' \ | base64 -d |jq -r '.spec .signature .publicKey .content' \ | base64 -d > ballerina-2201.8.2-swan-lake-macos-x64.pkg.crt
      
  7. Extract the public key from the certificate file using openssl.

    $ openssl x509 -in ballerina-2201.8.2-swan-lake-macos-x64.pkg.crt -noout -pubkey > ballerina-2201.8.2-swan-lake-macos-x64.pkg.pubkey.crt
    
  8. Verify the artifact using the public key.

    $ openssl sha256 -verify ballerina-2201.8.2-swan-lake-macos-x64.pkg.pubkey.crt -signature ballerina-2201.8.2-swan-lake-macos-x64.pkg.sig ballerina-2201.8.2-swan-lake-macos-x64.pkg
    

If the artifact matches the one signed by Cosign, you will receive the following message.

Verified OK