Attestation
Open-Xchange signs all of its App Suite chart and image releases using cosign. This ensures the authenticity and integrity of the software we provide to our customers.
The public keys used for signing can be downloaded here.
Manually verifying signatures
To verify the signatures of the App Suite charts and images, you can use the cosign tool. Below are the steps to verify a signed chart or image:
1. Install cosign: If you haven't already, install the cosign tool by following the instructions in the cosign GitHub repository.
2. Download the public key: Obtain the public key from the link provided above.
3. Verify the signature: Use the following command to verify the signature of a chart or image:
cosign verify --key <path-to-public-key> <chart-or-image>
Replace <path-to-public-key> with the path to the downloaded public key and <chart-or-image> with the registry reference of the chart or image you want to verify, for example registry/repository:tag or, better, registry/repository@sha256:digest, since the manifest digest is what the signature covers. cosign verify fetches the signature from the registry next to the artifact, so it takes an OCI reference rather than a local file path; a locally downloaded archive would instead need a detached signature and cosign verify-blob.
4. Check the output: If the verification is successful, cosign prints the signed payload as JSON on standard output, a summary of the checks performed on standard error, and exits with status 0. If the verification fails (no signature, a signature made with a different key, or a signature whose digest does not match the manifest), it prints an error message and exits non-zero; treat any non-zero exit as a failed verification rather than parsing the message text. Recent cosign releases also look the signature up in the Rekor transparency log by default, so if you verify in an environment without internet access, consult the cosign documentation on the transparency-log options before loosening that check.
The same command can be run in CI/CD pipelines so that only verified App Suite charts and images are deployed: gate the deployment on the exit status of cosign verify and deploy the digest-pinned reference that was verified, so that the tag cannot be retargeted between verification and deployment.
For more detailed information on using cosign, refer to the cosign documentation.
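The following is an added example of the CI/CD gate described above; it is not code from the Open-Xchange page or from the cosign project. It runs cosign verify with the --output json flag, reads the signed payloads cosign prints on standard output (the simple signing format with the manifest digest under critical.image.docker-manifest-digest), cross-checks them against the image that was requested, and emits a digest-pinned reference for the deployment step. The image path and tag, the key file name, and the sample payload are illustrative assumptions, not values taken from the page.

```python
"""Added example for the CI/CD step above (not part of the Open-Xchange page or
tooling): run cosign verify against the Open-Xchange public key, check the
returned signature payload, and emit a digest-pinned reference for deployment.
The image path/tag and the key file name are illustrative assumptions."""
import json
import subprocess
import sys

# Illustrative values (assumptions, not taken from the page).
IMAGE_REF = "registry.open-xchange.com/appsuite/core:8.0.0"
PUBLIC_KEY = "open-xchange-cosign.pub"
COSIGN_TYPE = "cosign container image signature"


def repository(ref):
    """Strip any @digest and :tag from an image reference, keeping registry:port."""
    ref = ref.split("@", 1)[0]
    slash, colon = ref.rfind("/"), ref.rfind(":")
    return ref[:colon] if colon > slash else ref


def run_cosign_verify(image_ref, key_path):
    """Run `cosign verify` and return the list of signed payloads it prints as
    JSON on stdout. A failed verification raises CalledProcessError because
    cosign exits non-zero; its human-readable summary goes to stderr."""
    proc = subprocess.run(
        ["cosign", "verify", "--key", key_path, "--output", "json", image_ref],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def pinned_reference(image_ref, payloads):
    """Cross-check the verified payloads against the image we asked about and
    return `repository@sha256:digest`, or None if anything is off (fail closed).

    cosign has already checked the key and the manifest digest; this guards
    against acting on the wrong payload and gives the pipeline a digest to
    deploy, so the tag cannot be retargeted after verification."""
    if not payloads:
        return None
    want = repository(image_ref)
    digests = set()
    for payload in payloads:
        critical = payload.get("critical", {})
        if critical.get("type") != COSIGN_TYPE:
            return None
        signed_ref = critical.get("identity", {}).get("docker-reference", "")
        if repository(signed_ref) != want:
            return None
        digest = critical.get("image", {}).get("docker-manifest-digest", "")
        if not (digest.startswith("sha256:") and len(digest) == 71):
            return None
        digests.add(digest)
    if len(digests) != 1:  # several signatures must all cover the same manifest
        return None
    return f"{want}@{digests.pop()}"


# Constructed sample of cosign's JSON output for one valid signature
# (same shape as `cosign verify --output json`; the digest value is made up).
SAMPLE_PAYLOADS = [
    {
        "critical": {
            "identity": {"docker-reference": "registry.open-xchange.com/appsuite/core"},
            "image": {"docker-manifest-digest": "sha256:" + "a1" * 32},
            "type": COSIGN_TYPE,
        },
        "optional": None,
    }
]


def main():
    try:
        payloads = run_cosign_verify(IMAGE_REF, PUBLIC_KEY)
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as exc:
        print(f"cosign verification failed: {exc}", file=sys.stderr)
        return 1
    pinned = pinned_reference(IMAGE_REF, payloads)
    if pinned is None:
        print("signature payload does not match the requested image", file=sys.stderr)
        return 1
    print(pinned)  # hand this digest-pinned reference to helm/kubectl
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a pipeline step with the key file checked into the repository (or mounted from a trusted secret store) and pass its single line of output, the digest-pinned reference, to the deployment tool; any non-zero exit stops the pipeline.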
Verify images with Kyverno
If you are using Kyverno to enforce image signature verification in your Kubernetes cluster, you can create a policy that uses the public key provided by Open-Xchange. Below is an example of a Kyverno ClusterPolicy that rejects Pods whose App Suite images do not carry a valid cosign signature for that key:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-appsuite-images
spec:
  # Reject non-compliant resources instead of only reporting them.
  validationFailureAction: Enforce
  # Signature checks need the admission request, so no background scans.
  background: false
  rules:
    - name: verify-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
              operations:
                - CREATE
                - UPDATE
      verifyImages:
        # Only images from the App Suite registry path are checked.
        - imageReferences:
            - "registry.open-xchange.com/appsuite/*"
          # Every matching image must have a signature; an unsigned image is rejected.
          required: true
          # Require a digest; Kyverno rewrites the tag to the verified digest by default.
          verifyDigest: true
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      Insert public key here
                      -----END PUBLIC KEY-----
Paste the downloaded Open-Xchange public key in place of the placeholder. Because Kyverno auto-generates the corresponding rules for Pod controllers, matching on Pod also covers Deployments, StatefulSets, DaemonSets, Jobs and CronJobs.