Merge pull request #409 from rod4n4m1/main

add instructions to verify the tarballs using cosign #406
kubearmor · Mar 12, 2024 · 77ffd8d · 77ffd8d
2 parents 00ceb3e + 0e4b208
commit 77ffd8d
Showing 1 changed file with 44 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -7,23 +7,61 @@
 
 ## Installation
 
-```
+```shell
 curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
 ```
 
-### Installing from Source 
+### Installing From Source
 
 Build karmor from source if you want to test the latest (pre-release) karmor version.
 
-```
+```shell
 git clone https://github.com/kubearmor/kubearmor-client.git
 cd kubearmor-client
 make install
 ```
 
-## Usage
+### Steps to Verify the Binary (Recommended)
+
+We sign all releases with `cosign`, therefore we recommend verifying **karmor** tarball prior to its installation.
+
+Below are the instructions to verify the binary using `cosign` for version `v1.1.0`.
+
+- Use an environment variable to set the **karmor** version
+
+```shell
+export KARMOR_VERSION="1.1.0"
+```
+
+- Download released tarball, certificate, and signature files
+
+<details>
+  <summary>Download Details</summary>
+
+```shell
+curl -LO https://github.com/kubearmor/kubearmor-client/releases/download/v${KARMOR_VERSION}/karmor_${KARMOR_VERSION}_linux_amd64.tar.gz
+
+curl -LO https://github.com/kubearmor/kubearmor-client/releases/download/v${KARMOR_VERSION}/karmor_${KARMOR_VERSION}_linux_amd64.tar.gz.cert
 
+curl -LO https://github.com/kubearmor/kubearmor-client/releases/download/v${KARMOR_VERSION}/karmor_${KARMOR_VERSION}_linux_amd64.tar.gz.sig
 ```
+
+</details>
+
+- Verify the released tarball integrity with `cosign`
+
+<details>
+  <summary>Verification Details</summary>
+
+```shell
+cosign verify-blob karmor_${KARMOR_VERSION}_linux_amd64.tar.gz --certificate-identity=https://github.com/kubearmor/kubearmor-client/.github/workflows/release.yml@refs/tags/v${KARMOR_VERSION} --certificate-oidc-issuer=https://token.actions.githubusercontent.com --signature karmor_${KARMOR_VERSION}_linux_amd64.tar.gz.sig --certificate karmor_${KARMOR_VERSION}_linux_amd64.tar.gz.cert
+```
+
+</details>
+
+## Usage
+
+```shell
 CLI Utility to help manage KubeArmor
 
 KubeArmor is a container-aware runtime security enforcement system that
@@ -56,6 +94,6 @@ Flags:
 Use "karmor [command] --help" for more information about a command.
 ```
 
-
 ## License
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubearmor%2Fkubearmor-client.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2Fkubearmor-client?ref=badge_large)
+
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubearmor%2Fkubearmor-client.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2Fkubearmor-client?ref=badge_large)