
OCI artifact verification

Cloud Control Helm Charts and container images are made available as OCI artifacts. So that the authenticity of these artifacts can be verified, each of them is signed using cosign.

The following public key can be used to verify the Cloud Control OCI artifacts:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8V1VF5mq63jGEe8vfUg87pQKQ/qN
201vIRUbfaJrbYgToDfCIg+q90FKSLvxssho8AyWgvGoEf1UQycf/QbyJA==
-----END PUBLIC KEY-----

This verification can be performed in several ways; below we show how to do it manually using the cosign CLI. The prerequisite for the manual procedure is to download and install cosign, which can be done via the link above.

First, save the above public key to a local file; the examples below use /tmp/cc.pub.

Then, make sure you have a local login configuration for the OX registry. This can be done either via Docker (if installed) or via cosign using the login command. Example using cosign:

cosign login registry.open-xchange.com --username=REGISTRY_USER --password=REGISTRY_PASS

# Note: You can also feed the password in via stdin (--password-stdin),
# which keeps it out of your shell history.
# See `cosign login --help` for more options.

Now you can use cosign to verify the signatures of the Cloud Control OCI artifacts, substituting the repository, name and tag of the artifact you want to check:

cosign verify --key=/tmp/cc.pub registry.open-xchange.com/<repository>/<name>:<tag>

Output upon successful verification should include:

The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

<JSON encoded details of the verification>
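To run the same check from a pipeline rather than by hand, here is an added Python example (not part of the Cloud Control documentation) that invokes the `cosign verify` command shown above with `--output json`, fails on a non-zero exit status, and then pins the reference to the digest that was actually verified so that a mutable tag is never what gets deployed. It assumes cosign is installed and the registry login has been done; the helper names (`repository`, `run_cosign_verify`, `pin_by_digest`) and the sample output are this example's own.

```python
import json
import subprocess

# Payload type cosign writes into container image signatures.
EXPECTED_TYPE = "cosign container image signature"

def repository(ref: str) -> str:
    """Strip ':tag' or '@digest' from an image reference (keeps registry ports)."""
    name = ref.split("@", 1)[0]
    head, sep, tail = name.rpartition(":")
    return head if sep and "/" not in tail else name

def run_cosign_verify(ref: str, pubkey: str = "/tmp/cc.pub") -> list:
    """Invoke the cosign CLI as in the manual procedure; the JSON goes to stdout."""
    proc = subprocess.run(
        ["cosign", "verify", "--key", pubkey, "--output", "json", ref],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:  # cosign exits non-zero when no valid signature exists
        raise RuntimeError(f"verification failed for {ref}: {proc.stderr.strip()}")
    return json.loads(proc.stdout)

def pin_by_digest(ref: str, payloads: list) -> str:
    """Return 'repository@sha256:...' for the digest cosign verified.

    Tags are mutable, so deploy the digest; the repository comparison is an
    extra check that the signed identity matches the requested repository.
    """
    if not payloads:
        raise ValueError("no verified signatures in cosign output")
    digests = set()
    for sig in payloads:
        crit = sig["critical"]
        if crit.get("type") != EXPECTED_TYPE:
            raise ValueError(f"unexpected payload type: {crit.get('type')!r}")
        if repository(crit["identity"]["docker-reference"]) != repository(ref):
            raise ValueError("signature identity does not match requested repository")
        digests.add(crit["image"]["docker-manifest-digest"])
    if len(digests) != 1:
        raise ValueError(f"signatures disagree on digest: {sorted(digests)}")
    return f"{repository(ref)}@{digests.pop()}"

# Constructed sample of `cosign verify --output json` output (not real data).
SAMPLE_OUTPUT = [{
    "critical": {
        "identity": {"docker-reference": "registry.open-xchange.com/example/app"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": EXPECTED_TYPE,
    },
}]
```

In a pipeline, `pin_by_digest(ref, run_cosign_verify(ref))` yields the digest-pinned reference to pass on to Helm or the container runtime.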