Ballerina uses sigstore/cosign
for signing and verifying the release artifacts. The artifacts of the latest Ballerina Swan Lake update release along with their verification files are listed below.
You can use one of the methods below to verify the above artifacts.
Verify using the Cosign CLI
Below is an example of using the Cosign CLI to verify the release artifacts of the MacOS platform.
Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.
Follow the steps below to verify the artifacts using the Cosign CLI.
-
Download the desired artifact from the table above.
-
Execute the command below to verify the artifacts.
$ cosign verify-blob ballerina-2201.9.5-swan-lake-macos-x64.pkg --certificate ballerina-2201.9.5-swan-lake-macos-x64.pkg.pem --signature ballerina-2201.9.5-swan-lake-macos-x64.pkg.sig --certificate-identity=https://github.com/ballerina-platform/ballerina-distribution/.github/workflows/publish-release.yml@refs/heads/2201.9.x --certificate-oidc-issuer=https://token.actions.githubusercontent.com
If the artifact matches the one signed by Cosign, you will receive the following message.
Verified OK
Verify using the Rekor API
The signatures applied on the Ballerina release artifacts are recorded in Rekor, which is a Sigstore Transparency Log. Below is an example of using the Rekor API to verify the release artifacts of the MacOS platform.
Info: You can select the verification artifacts you want to verify based on your installer from the ones listed in the table above.
Follow the steps below to send an API call to Rekor to retrieve and verify the details of the signature
and the certificate chain
.
-
Download the desired artifact from the table above.
-
Generate an SHA256 Hash for the artifact and store it in a variable.
$ SHASUM=$(shasum -a 256 ballerina-2201.9.5-swan-lake-macos-x64.pkg |awk '{print $1}')
-
Invoke the Rekor API to retrieve the entry of the signature and store it as the UUID value.
$ curl -X POST -H "Content-type: application/json" 'https://rekor.sigstore.dev/api/v1/index/retrieve' --data-raw "{\"hash\":\"sha256:$SHASUM\"}"
-
Assign the UUID returned by the above API call to a variable as shown below.
Tip: Replace the
<UUID_VALUE>
in the below exmaple with the UUID value you recieved$ UUID=<UUID_VALUE>
-
Retrieve the log entry of the artifact signature by sending an API call to Rekor with the assigned UUID variable.
$ curl -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}"
-
Retrieve the signature and public certificate, which are required to verify the artifact.
-
Retrieve the signature:
$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .content' | base64 -d > ballerina-2201.9.5-swan-lake-macos-x64.pkg.sig
-
Retrieve the certificate:
$ curl -s -X GET "https://rekor.sigstore.dev/api/v1/log/entries/${UUID}" | jq -r '.[] | .body' | base64 -d |jq -r '.spec .signature .publicKey .content' | base64 -d > ballerina-2201.9.5-swan-lake-macos-x64.pkg.crt
-
-
Extract the
public key
from thecertificate
file usingopenssl
.$ openssl x509 -in ballerina-2201.9.5-swan-lake-macos-x64.pkg.crt -noout -pubkey > ballerina-2201.9.5-swan-lake-macos-x64.pkg.pubkey.crt
-
Verify the artifact using the public key.
$ openssl sha256 -verify ballerina-2201.9.5-swan-lake-macos-x64.pkg.pubkey.crt -signature ballerina-2201.9.5-swan-lake-macos-x64.pkg.sig ballerina-2201.9.5-swan-lake-macos-x64.pkg
If the artifact matches the one signed by Cosign
, you will receive the following message.
Verified OK