
[bitnami/*] Share Public key and Document How to verify bitnami container images integrity #73077

Open
abdennour opened this issue Oct 4, 2024 · 1 comment

@abdennour

abdennour commented Oct 4, 2024

Name and Version

bitnami/any:x.y.z

What is the problem this feature will solve?

I can't find the public key to verify the integrity of any Bitnami image!

Expected to be able to run this against any bitnami image

cosign verify --key bitnami.pub <image>

We understand you are using notation, but please share your public key to verify the integrity of images with cosign

REFERENCE

  cosign verify --key <key path>|<key url>|<kms uri> <image uri> [<image uri> ...]

  # verify cosign claims and signing certificates on the image with the transparency log
  cosign verify <IMAGE>

  # verify multiple images
  cosign verify <IMAGE_1> <IMAGE_2> ...

  # additionally verify specified annotations
  cosign verify -a key1=val1 -a key2=val2 <IMAGE>

  # verify image with an on-disk public key
  cosign verify --key cosign.pub <IMAGE>

  # verify image with an on-disk public key, manually specifying the
  # signature digest algorithm
  cosign verify --key cosign.pub --signature-digest-algorithm sha512 <IMAGE>

  # verify image with an on-disk signed image from 'cosign save'
  cosign verify --key cosign.pub --local-image <PATH>

  # verify image with local certificate and certificate chain
  cosign verify --cert cosign.crt --cert-chain chain.crt <IMAGE>

  # verify image using keyless verification with the given certificate
  # chain and identity parameters, without Fulcio roots (for BYO PKI):
  cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] <IMAGE>

  # verify image with public key provided by URL
  cosign verify --key https://host.for/[FILE] <IMAGE>

  # verify image with a key stored in an environment variable
  cosign verify --key env://[ENV_VAR] <IMAGE>

  # verify image with public key stored in Google Cloud KMS
  cosign verify --key gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY] <IMAGE>

  # verify image with public key stored in Hashicorp Vault
  cosign verify --key hashivault://[KEY] <IMAGE>

  # verify image with public key stored in a Kubernetes secret
  cosign verify --key k8s://[NAMESPACE]/[KEY] <IMAGE>

  # verify image with public key stored in GitLab with project name
  cosign verify --key gitlab://[OWNER]/[PROJECT_NAME] <IMAGE>

  # verify image with public key stored in GitLab with project id
  cosign verify --key gitlab://[PROJECT_ID] <IMAGE>

What is the feature you are proposing to solve the problem?

Verifying the integrity of Bitnami images (that they are the same ones built by Bitnami)

What alternatives have you considered?

I will consider re-signing it and pushing it to my private registry... but this is an extra step and overhead

@github-actions github-actions bot added the triage Triage is needed label Oct 4, 2024
@javsalgar javsalgar changed the title Share Public key and Document How to verify bitnami container images integrity [bitnami/*] Share Public key and Document How to verify bitnami container images integrity Oct 7, 2024
@javsalgar
Contributor

Hi!

I am afraid we do not sign our Bitnami public artifacts with cosign. This feature is part of our commercial offering Tanzu Application Catalog. Find more details below:

https://docs.vmware.com/en/VMware-Tanzu-Application-Catalog/services/main/GUID-using-verify-signatures.html#notation-signatures-for-tanzu-application-catalog-artifacts-2

In our public catalog, we have notation and Docker Content Trust available. Find more details here https://blog.bitnami.com/2024/03/bitnami-packaged-containers-and-helm.html
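The two verification routes this thread touches are key-based cosign verification (what the issue asks for) and notation or Docker Content Trust (what the maintainer says the public catalog offers). The shell below is an added example written for this thread; it is not code from the issue, from cosign, or from Bitnami. It assumes `cosign`, `notation` and `docker` are on PATH, that the caller supplies whatever public key file they have (the reply above says none is published for the public catalog, so the path is a placeholder), and that notation's trust policy and trust store for the signer have already been configured out of band. The `docker.io/bitnami/nginx` references in the comments are illustrative, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the issue or from Bitnami. Assumptions: cosign,
# notation and docker are on PATH; the cosign public key path is supplied by
# the caller (the maintainer reply says no such key is published for the
# public catalog); notation already has a trust policy and trust store for the
# signer (set up out of band with `notation policy import` / `notation cert add`).

# Accept only digest-pinned references (name@sha256:<64 hex chars>). A tag can
# be re-pointed between the verify step and the pull; a digest cannot.
require_digest_ref() {
  ref="$1"
  case "$ref" in
    *@sha256:*) ;;
    *) echo "refusing tag reference: $ref (pin it to @sha256:<digest>)" >&2; return 1 ;;
  esac
  digest="${ref##*@sha256:}"
  if [ "${#digest}" -ne 64 ]; then
    echo "malformed digest in $ref" >&2
    return 1
  fi
  case "$digest" in
    *[!0-9a-f]*) echo "malformed digest in $ref" >&2; return 1 ;;
  esac
  return 0
}

# Key-based cosign verification, the route the issue asks for. Succeeds only
# when cosign finds a signature on the referenced digest made by the given key.
verify_with_cosign() {
  ref="$1"
  key="$2"
  require_digest_ref "$ref" || return 1
  if [ ! -r "$key" ]; then
    echo "public key not readable: $key" >&2
    return 1
  fi
  if ! cosign verify --key "$key" "$ref"; then
    echo "cosign: no valid signature for $ref under $key" >&2
    return 1
  fi
  return 0
}

# Notation verification, the route the maintainer says the public catalog
# offers. Which signer is trusted is decided by notation's trust policy, not here.
verify_with_notation() {
  ref="$1"
  require_digest_ref "$ref" || return 1
  if ! notation verify "$ref"; then
    echo "notation: no valid signature for $ref" >&2
    return 1
  fi
  return 0
}

# Docker Content Trust: with DOCKER_CONTENT_TRUST=1 the client refuses to pull a
# tag that has no valid Notary signature. DCT checks tags; a pull by digest is
# not subject to it, so this helper deliberately takes a tag, not a digest.
pull_with_dct() {
  DOCKER_CONTENT_TRUST=1 docker pull "$1"
}

# Typical use (illustrative references, not executed here):
#   verify_with_cosign docker.io/bitnami/nginx@sha256:<digest> ./bitnami.pub
#   verify_with_notation docker.io/bitnami/nginx@sha256:<digest>
#   pull_with_dct docker.io/bitnami/nginx:1.27.1
```

The digest check is the part worth keeping even if the signing tool changes: every verifier here refuses a tag so that what was verified is exactly what gets pulled. The DCT helper is the one exception, because Notary signs tags and the docker client skips the content-trust check on a pull by digest.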
