Verifying Mirantis k0rdent Enterprise Artifacts and Security#

Mirantis provides security artifacts for Mirantis k0rdent Enterprise releases to ensure software supply chain transparency and enable users to verify the integrity and composition of the software. These artifacts include cryptographically signed binaries and container images, Software Bills of Materials (SBOMs), and CVE scan reports.

Verifying these artifacts is a critical step to ensure you are running genuine, untampered software and to assess its security posture before deployment.

Artifact Signature Verification with Cosign#

All Mirantis k0rdent Enterprise release artifacts (container images, binary files, reports) are cryptographically signed. Verification requires the cosign command-line tool.

Verifying OCI Container Images#

Use the cosign verify command, specifying the public key (https://get.mirantis.com/k0rdent-enterprise/cosign.pub) and the full image path, as in:

cosign verify --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub registry.mirantis.com/k0rdent-enterprise/<image-name>:<tag>

For example, you can verify the kcm-controller:1.0.0 component with:

cosign verify --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub registry.mirantis.com/k0rdent-enterprise/kcm-controller:1.0.0

Verifying Binary Artifacts (Reports, Binaries)#

Binary artifacts (such as executables) have a corresponding .sig file containing the signature, located alongside the artifact. To verify these artifacts:

  1. Download both the artifact file and its .sig file.
  2. Use the cosign verify-blob command:

    cosign verify-blob --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub --signature <artifact-name>.sig <artifact-name>
    

    For example, to verify the release.yaml file of version 1.0.0:

    wget https://get.mirantis.com/k0rdent-enterprise/1.0.0/release.yaml
    wget https://get.mirantis.com/k0rdent-enterprise/1.0.0/release.yaml.sig
    cosign verify-blob --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub --signature release.yaml.sig release.yaml
    
    Verified OK
    

Successful verification confirms the artifact's authenticity and integrity.

Software Bill of Materials (SBOMs)#

Mirantis provides SBOMs in the SPDX format for Mirantis k0rdent Enterprise components. SBOMs offer a detailed inventory of software ingredients, making it possible to manage vulnerabilities, perform license compliance checks, and understand software dependencies.

Getting SBOMs#

Each OCI artifact has an SBOM in SPDX format attached to it as an attestation. Use cosign to retrieve it.

Note

cosign returns the attestation as JSON with a base64-encoded payload, so jq is needed to decode the payload and select specific fields, such as the contents of the SPDX document.

For example, to get the SPDX document for kcm-controller:1.0.0 you can use the following command:

cosign verify-attestation --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub --type spdx registry.mirantis.com/k0rdent-enterprise/kcm-controller:1.0.0 | jq '.payload | @base64d | fromjson | .predicate' -r

This prints the full SPDX document for kcm-controller and, because verify-attestation checks the signature before returning the payload, also verifies the authenticity of the attached SPDX (the attestation).

CVE Reports#

CVE scans are also attached to the OCI artifacts as a form of attestation. CVE reports are generated using the trivy scanner and are provided in the Cosign Vulnerability Scan Record format.

You can use cosign to get the CVE report for a specific artifact.

For example, to get the CVE vulnerability scan for kcm-controller:1.0.0 you can use:

cosign verify-attestation --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub --type vuln registry.mirantis.com/k0rdent-enterprise/kcm-controller:1.0.0 | jq '.payload | @base64d | fromjson | .' -r

This command returns JSON with the cosign vulnerability scan record attestation. It also verifies the authenticity of the data.
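To show what the jq pipelines in the SBOM and CVE sections do, and the two checks they skip (predicate type and subject), here is an added Python example that is not part of the Mirantis tooling: it decodes one line of cosign verify-attestation output and tallies the findings in a vuln record. The sample envelope, its digest and its CVE ids are constructed, and the trivy result layout assumed under scanner.result is an assumption rather than something this page documents.

```python
import base64
import json

# Predicate types cosign uses for `--type spdx` and `--type vuln`.
PREDICATE_TYPES = {
    "spdx": "https://spdx.dev/Document",
    "vuln": "https://cosign.sigstore.dev/attestation/vuln/v1",
}


def decode_attestation(envelope_json, expected_type, image_ref):
    """Return the in-toto statement carried in one line of verify-attestation output.

    cosign has already checked the signature; this rejects a statement whose
    predicateType or subject is not the one that was requested.
    """
    envelope = json.loads(envelope_json)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != PREDICATE_TYPES[expected_type]:
        raise ValueError("unexpected predicateType: %r" % statement.get("predicateType"))
    repo = image_ref.rsplit(":", 1)[0]  # subject names omit the tag (tag assumed present)
    if not any(s.get("name") == repo for s in statement.get("subject", [])):
        raise ValueError("attestation subject does not match %s" % repo)
    return statement


def count_by_severity(vuln_statement):
    """Tally findings in scanner.result; trivy's Results[].Vulnerabilities[] layout assumed."""
    counts = {}
    for result in vuln_statement["predicate"]["scanner"]["result"].get("Results", []):
        for v in result.get("Vulnerabilities", []):
            counts[v["Severity"]] = counts.get(v["Severity"], 0) + 1
    return counts


# Constructed sample envelope shaped like cosign output; digest and CVE ids are placeholders.
IMAGE = "registry.mirantis.com/k0rdent-enterprise/kcm-controller:1.0.0"
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": PREDICATE_TYPES["vuln"],
    "subject": [{"name": IMAGE.rsplit(":", 1)[0], "digest": {"sha256": "0" * 64}}],
    "predicate": {"scanner": {"uri": "pkg:github/aquasecurity/trivy", "result": {"Results": [
        {"Vulnerabilities": [{"VulnerabilityID": "CVE-0000-0001", "Severity": "HIGH"},
                             {"VulnerabilityID": "CVE-0000-0002", "Severity": "LOW"}]}]}}},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "placeholder"}],
})
```

Feed real output by piping `cosign verify-attestation ... --type vuln <image>` line by line into decode_attestation; a non-empty count for CRITICAL or HIGH is the condition a deployment gate would typically fail on.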