
[DOCS] Verifying Elasticsearch container image signatures with Cosign from Sigstore (#96298)

* [DOCS] Verifying Elasticsearch container image signatures with Cosign/Sigstore

This commit adds a step to verify the Elasticsearch container image signatures after pulling the image and before starting any cluster.

The goal is to introduce an easy and standard way for Elastic users to verify the provenance of the Elasticsearch container images before deploying them to any infrastructure and therefore protect against supply chain attacks.

* Update docker.asciidoc

* Update docs/reference/setup/install/docker.asciidoc

* Update docs/reference/setup/install/docker.asciidoc

* Update docs/reference/setup/install/docker.asciidoc

Co-authored-by: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com>

* Update docs/reference/setup/install/docker.asciidoc

Co-authored-by: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com>

* Remove JSON section from sample output

* Fix up command output format

* Change 'console' to 'sh'

---------

Co-authored-by: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com>
Co-authored-by: David Kilfoyle <david.kilfoyle@elastic.co>
Maxime Gréau 2 years ago
parent commit 66ce733e31
1 changed file with 45 additions and 1 deletion
docs/reference/setup/install/docker.asciidoc

@@ -43,7 +43,51 @@ docker pull {docker-repo}:{version}
 
 endif::[]
 
-Now that you have the {es} Docker image, you can start a
+[[docker-verify-signature]]
+==== Optional: Verify the {es} Docker image signature
+
+Although it's optional, we highly recommend verifying the signatures included with your downloaded Docker images to ensure that the images are valid.
+
+Elastic images are signed with https://docs.sigstore.dev/cosign/overview/[Cosign] which is part of the https://www.sigstore.dev/[Sigstore] project.
+
+Cosign supports container signing, verification, and storage in an OCI registry.
+
+ifeval::["{release-state}"=="unreleased"]
+
+WARNING: Version {version} of {es} has not yet been released, so no
+Docker image signature is currently available for this version.
+
+endif::[]
+
+ifeval::["{release-state}"!="unreleased"]
+
+Install the appropriate https://docs.sigstore.dev/cosign/installation/[Cosign application]
+for your operating system.
+
+The container image signature for {es} v{version} can be verified as follows:
+
+["source","sh",subs="attributes"]
+--------------------------------------------
+wget https://artifacts.elastic.co/cosign.pub <1>
+cosign verify --key cosign.pub {docker-repo}:{version} <2>
+--------------------------------------------
+<1> Download the Elastic public key to verify container signature
+<2> Verify the container against the Elastic public key
+
+The command prints the check results and the signature payload in JSON format:
+
+[source,sh]
+--------------------------------------------
+Verification for docker.elastic.co/elasticsearch/elasticsearch:{version} --
+The following checks were performed on each of these signatures:
+  - The cosign claims were validated
+  - Existence of the claims in the transparency log was verified offline
+  - The signatures were verified against the specified public key
+--------------------------------------------
+
+endif::[]
+
+Now that you have verified the {es} Docker image signature, you can start a
 <<docker-cli-run-dev-mode,single-node>> or <<docker-compose-file,multi-node>>
 cluster.
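Review bot: the sample-output block (`[source,sh]` introducing `Verification for docker.elastic.co/elasticsearch/elasticsearch:{version} --`) lacks `subs="attributes"`, so unlike the command block above it (`["source","sh",subs="attributes"]`) the `{version}` placeholder will render literally instead of the release version; add `subs="attributes"` or hard-code a concrete tag. The sentence "The command prints the check results and the signature payload in JSON format" no longer matches the block, since the JSON payload was dropped from the sample; either say the JSON payload is omitted here or trim the sentence to "prints the check results". Finally, `wget https://artifacts.elastic.co/cosign.pub` makes the TLS connection the only thing authenticating the trust anchor, and re-running it leaves `cosign.pub.1` files behind; a short note that the key should be fetched once, kept, and compared against a published fingerprint would make the verification step meaningfully stronger than the download it sits next to.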