From 555cddac252cb3563b3e1c97009b770f51fc40f8 Mon Sep 17 00:00:00 2001 From: Billy Lynch <1844673+wlynch@users.noreply.github.com> Date: Fri, 24 Feb 2023 19:36:59 -0500 Subject: [PATCH] Update docs for cosign v2 (#725) Verified both getting started and signed provenance tutorials. --- docs/tutorials/getting-started-tutorial.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/tutorials/getting-started-tutorial.md b/docs/tutorials/getting-started-tutorial.md index 40a354403d..c88f5f3182 100644 --- a/docs/tutorials/getting-started-tutorial.md +++ b/docs/tutorials/getting-started-tutorial.md @@ -87,11 +87,20 @@ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/s Finally, we can check the signature with [cosign]: +```shell +$ cosign verify-blob-attestation --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets --signature sig --type slsaprovenance --check-claims=false /dev/null +Verified OK +``` + +
If using Cosign v1 + ```shell $ cosign verify-blob --key k8s://tekton-chains/signing-secrets --signature sig sig Verified OK ``` +
+ Now we have a verifiable record of the `TaskRun`! ## What you just created