Separate security contents a bit more, update link to threat model, update nav

evankanderson · evankanderson · commit 09b918fc98f2 · 2025-05-01T13:26:28.000-07:00
diff --git a/config/nav.yml b/config/nav.yml
@@ -347,8 +347,10 @@ nav:
     # Reference docs
     - Reference:
       - Security:
-        - Security Model and Disclosure: reference/security/README.md
-        - Verifying Knative Images: reference/security/verifying-images.md 
+        - Security Disclosure: reference/security/README.md
+        - Threat Model: reference/security/threat-model.md
+        - Verifying Knative Images: reference/security/verifying-images.md
+        - Verifying Knative Binaries: reference/security/verifying-cli.md
       - Release notes: reference/relnotes/README.md
     - Blog: /blog/
     - About:
diff --git a/docs/reference/security/README.md b/docs/reference/security/README.md
@@ -2,62 +2,6 @@
 
 This page describes Knative security and disclosure information.
 
-## Knative threat model
-
-* [Threat model](https://github.com/knative/community/blob/main/working-groups/security/threat-model.md)
-
-## Code Signature Verification
-
-### All platforms
-
-Our releases from 1.9 are signed with [cosign](https://docs.sigstore.dev/cosign/overview). You can use the following steps to verify our binaries.
-
-1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the releases page:
-    ```sh
-    # this example verifies the 1.10.0 kn cli from the knative/client repository
-    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt
-    wget https://github.com/knative/client/releases/download/knative-v1.10.0/kn-darwin-amd64
-    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.sig
-    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.pem
-    ```
-1. Verify the signature:
-    ```sh
-    cosign verify-blob \
-    --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
-    --certificate-oidc-issuer=https://accounts.google.com \
-    --cert checksums.txt.pem \
-    --signature checksums.txt.sig \
-    checksums.txt
-    ```
-1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
-    ```sh
-    sha256sum --ignore-missing -c checksums.txt
-    ```
-
-!!! note
-    Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
-    [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
-    Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
-
-### Apple macOS
-
-In addition to signing our binaries with `cosign`, we [notarize](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) our macOS binaries. You can use the `codesign` utility to verify our binaries from 1.9 release. You should expect an output that looks
-like this. The expected TeamIdentifier is `7R64489VHL`
-
-```
-codesign --verify -d --verbose=2 ~/Downloads/kn-quickstart-darwin-amd64
-
-Executable=/Users/REDACTED/Downloads/kn-quickstart-darwin-amd64
-Identifier=kn-quickstart-darwin-amd64
-...
-Authority=Developer ID Application: Mahamed Ali (7R64489VHL)
-Authority=Developer ID Certification Authority
-Authority=Apple Root CA
-Timestamp=3 Oct 2022 at 22:50:07
-...
-TeamIdentifier=7R64489VHL
-```
-
 ## Report a vulnerability
 
 We're extremely grateful for security researchers and users that report vulnerabilities to the Knative Open Source Community. All reports are thoroughly investigated by a set of community volunteers.
diff --git a/docs/reference/security/verifying-cli.md b/docs/reference/security/verifying-cli.md
@@ -0,0 +1,59 @@
+# Verifying client binaries
+
+Knative ships a number of client (command-line) binaries which are installed and run on
+your local machine.  This page describes how to verify that your downloaded binaries
+match those of a Knative release.  While many of these steps may be handled by package
+installers like `brew`, you can always perform these steps by hand if you are unsure
+about the provenance of those binaries.
+
+## Code Signature Verification
+
+### All platforms
+
+Our releases from 1.9 are signed with [cosign](https://docs.sigstore.dev/cosign/overview). You can use the following steps to verify our binaries.
+
+1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the releases page:
+    ```sh
+    # this example verifies the 1.10.0 kn cli from the knative/client repository
+    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt
+    wget https://github.com/knative/client/releases/download/knative-v1.10.0/kn-darwin-amd64
+    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.sig
+    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.pem
+    ```
+1. Verify the signature:
+    ```sh
+    cosign verify-blob \
+    --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
+    --certificate-oidc-issuer=https://accounts.google.com \
+    --cert checksums.txt.pem \
+    --signature checksums.txt.sig \
+    checksums.txt
+    ```
+1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
+    ```sh
+    sha256sum --ignore-missing -c checksums.txt
+    ```
+
+!!! note
+    Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
+    [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
+    Our signing identity(Subject) for our releases is `signer@knative-releases.iam.gserviceaccount.com` and the Issuer is `https://accounts.google.com`
+
+### Apple macOS
+
+In addition to signing our binaries with `cosign`, we [notarize](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) our macOS binaries. You can use the `codesign` utility to verify our binaries from 1.9 release. You should expect an output that looks
+like this. The expected TeamIdentifier is `7R64489VHL`
+
+```
+codesign --verify -d --verbose=2 ~/Downloads/kn-quickstart-darwin-amd64
+
+Executable=/Users/REDACTED/Downloads/kn-quickstart-darwin-amd64
+Identifier=kn-quickstart-darwin-amd64
+...
+Authority=Developer ID Application: Mahamed Ali (7R64489VHL)
+Authority=Developer ID Certification Authority
+Authority=Apple Root CA
+Timestamp=3 Oct 2022 at 22:50:07
+...
+TeamIdentifier=7R64489VHL
+```
