How to verify signature of tenv GH release assets

[kieran-lowe]

Hi all,

Not sure if I'm missing something obvious, but I'm really struggling to verify the signatures for tenv. I've tried using GPG, OpenSSL and cosign but not having any luck. Maybe worth adding some documentation on the process?

I noticed the .pem file is base64 encoded but when using the output in cosign it's asking for certificate identity etc

Sorry if this is a stupid question!

Cheers,
Kieran

[dvaumoron]

Hi @kieran-lowe ,

Looking at the opentofu documentation, I suppose the following should work :

cosign \
    verify-blob \
    --certificate-identity "https://github.com/tofuutils/tenv/.github/workflows/release.yml@refs/heads/v2.6.0" \
    --signature "tenv_v2.6.0_checksums.txt.sig" \
    --certificate "tenv_v2.6.0_checksums.txt.pem" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    "tenv_v2.6.0_checksums.txt"

[kieran-lowe]

Thanks @dvaumoron !

Just one change I had to make where you have refs/heads/v2.6.0:

- refs/heads/v2.6.0
+ refs/tags/v2.6.0

meaning the command would be:

cosign \
    verify-blob \
    --certificate-identity "https://github.com/tofuutils/tenv/.github/workflows/release.yml@refs/tags/v2.6.0" \
    --signature "tenv_v2.6.0_checksums.txt.sig" \
    --certificate "tenv_v2.6.0_checksums.txt.pem" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    "tenv_v2.6.0_checksums.txt"

And I get a Verified OK back 👍

Could be worth adding this to your documentation? You could even expand for those using the .gpgsign option too?

[dvaumoron]

Would you like to make a pull request ?

[kieran-lowe]

Yeah - more than happy to add this! Will raise a PR shortly

[kvendingoldo]

Great, thanks!