Add documentation on fetching Knative supply-chain security attestations

evankanderson · evankanderson · commit 824841b343b3 · 2025-01-13T20:21:42.000-08:00
diff --git a/config/nav.yml b/config/nav.yml
@@ -48,6 +48,8 @@ nav:
           - About metrics: admin/collecting-metrics/README.md
           - Knative Eventing metrics: admin/collecting-metrics/eventing-metrics/metrics.md
           - Knative Serving metrics: admin/collecting-metrics/serving-metrics/metrics.md
+        - Security:
+          - Verifying Knative images: admin/security/verifying-images.md
         - Uninstalling Knative: admin/install/uninstall.md
         # Serving config
         - Knative Serving configuration:
diff --git a/docs/admin/security/verifying-images.md b/docs/admin/security/verifying-images.md
@@ -0,0 +1,29 @@
+# Verifying Knative Images
+
+Knative publishes SBOMs and SLSA provenance documents for each image in the Knative release.  You can configure 
+
+## Knative SLSA Provenance (signed)
+
+The Knative build process produces a SLSA [in-toto](https://in-toto.io/) attestation for each image in the build process.  For a given image in the Knative release manifests, you can verify the build attestation using the following:
+
+```bash
+cosign verify-attestation \
+  --certificate-oidc-issuer https://accounts.google.com \
+  --certificate-identity signer@knative-releases.iam.gserviceaccount.com \
+  --type slsaprovenance02 \
+  $IMAGE
+```
+
+Note that the in-toto document is base64 encoded in the `.payload` attribute of the attestation; you can use `jq` to extract this with the following invocation:
+
+```bash
+cosign verify-attestation \
+  --certificate-oidc-issuer https://accounts.google.com \
+  --certificate-identity signer@knative-releases.iam.gserviceaccount.com \
+  --type slsaprovenance02 \
+  $IMAGE | jq -r .payload | base64 --decode | jq
+```
+
+## Knative SBOMs
+
+For each container image, Knative publishes an SBOM corresponding to each image.  These SBOMs are produced during compilation by the [`ko` tool](https://ko.build/), and can be downloaded using the `cosign download sbom` command.  Note that the image references in the Knative manifests are to multi-architecture images; to extract the software components for a particular architecture (as different architectures may build with different libraries), you will need to run `cosign download sbom` on the architecture-specific image (e.g. for `linux/amd64`).
