Signature Verification
Verifying a Cosign signature
All binaries and container images are signed by Cosign.
You need the Cosign CLI (cosign) to verify them.
Verifying signed container images
- Use the following command for keyless verification:
cosign verify aquasec/trivy:<version> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
- You should get the following output:
Verification for index.docker.io/aquasec/trivy:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
...
Verifying signed binaries
- Download the required tarball and the associated signature and certificate files
- Use the following command for keyless verification:
cosign verify-blob <path to binary> \
--certificate <path to cert> \
--signature <path to sig> \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
- You should get the following output:
Verified OK
For example:
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
--certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
--signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
--certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
Verified OK
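As an added example (not part of the Trivy documentation), the following POSIX shell script chains the three downloads and the verify-blob check shown above and unpacks the tarball only when verification succeeds. The URL pattern, identity regexp and OIDC issuer come from this page; the function names and the script file name verify-trivy.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from the Trivy docs): fetch a Trivy release tarball with its
# Cosign certificate and signature, verify it keyless, and only then unpack it.
# Assumes cosign, curl and tar are installed.
set -eu

RELEASE_BASE="https://github.com/aquasecurity/trivy/releases/download"
# Matches any workflow in the aquasecurity/trivy repository; narrow it to the
# release workflow path if you know it.
CERT_IDENTITY_RE='https://github\.com/aquasecurity/trivy/\.github/workflows/.+'
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Release asset name for a version tag and platform, e.g. "v0.45.0" "Linux-32bit"
# -> trivy_0.45.0_Linux-32bit.tar.gz (the leading "v" is dropped in the file name).
asset_name() {
    printf 'trivy_%s_%s.tar.gz\n' "${1#v}" "$2"
}

# Full download URL for one asset (tarball, .pem or .sig) of a given version tag.
asset_url() {
    printf '%s/%s/%s\n' "$RELEASE_BASE" "$1" "$2"
}

# Download tarball + certificate + signature, verify, and unpack only on success.
# Returns non-zero (and leaves the tarball unpacked) when verification fails.
verify_trivy_release() {
    version="$1"; platform="$2"
    tarball="$(asset_name "$version" "$platform")"
    for f in "$tarball" "$tarball.pem" "$tarball.sig"; do
        curl -fsSL -o "$f" "$(asset_url "$version" "$f")"
    done
    if cosign verify-blob "$tarball" \
        --certificate "$tarball.pem" \
        --signature "$tarball.sig" \
        --certificate-identity-regexp "$CERT_IDENTITY_RE" \
        --certificate-oidc-issuer "$OIDC_ISSUER"; then
        tar -xzf "$tarball"
        echo "verified and unpacked $tarball"
    else
        echo "signature verification FAILED for $tarball; not unpacking" >&2
        return 1
    fi
}

# Usage: sh verify-trivy.sh v0.45.0 Linux-32bit (does nothing without arguments)
if [ "$#" -ge 2 ]; then
    verify_trivy_release "$1" "$2"
fi
```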
Verifying a GPG signature
RPM and Deb packages are also signed by GPG.
Verifying RPM
The public key is available at https://aquasecurity.github.io/trivy-repo/rpm/public.key.
- Download the public key:
curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
--output pub.key
- Import the key
rpm --import pub.key
- Verify that the key has been imported:
rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
You should get the following output:
gpg(trivy)
- Download the required RPM package:
curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
--output trivy.rpm
- Check the package with the following command:
rpm -K trivy.rpm
You should get the following output:
trivy.rpm: digests signatures OK