In the last story we talked about how we successfully reduced the size of the minectl 🗺 CLI container. The idea behind all this is to get minectl 🗺 ready to be used in a pipeline.
Was there not something called Docker Content Trust/Notary? Yeah, but that never really went mainstream in v1. I don't know about v2 and the progress there.
The cosign project is part of the sigstore initiative, which has really cool ideas about the whole open source security topic. For now, we stick with the image signing process.
That means minectl 🗺 has to fit nicely into a secure toolchain, so that anyone downloading minectl 🗺 can be sure it was signed with my private key, i.e. by me or by a system that has access to that key. Note that a signature proves who holds the key, not where the binary was built.
This time I want to download it with arkade, a tool Alex Ellis wrote that provides a portable marketplace for downloading your favourite DevOps CLIs and installing Helm charts with a single command.
Let's step back and verify cosign with cosign, just for the lolz. They have the public key in their git repository and also the signature of the binary.
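As an added example (not code from this post or from the cosign project), here is what a blob verification such as `cosign verify-blob --key release-cosign.pub --signature cosign-linux-amd64.sig cosign-linux-amd64` actually checks, re-implemented in Go with only the standard library. It assumes cosign's blob signature format: an ECDSA P-256 signature in ASN.1 DER over the SHA-256 of the file, base64-encoded in the `.sig` file, with the public key as a PEM "PUBLIC KEY" block. The release key, the attacker key and the "binary" are generated or constructed inside the program rather than downloaded, and the exact flag spelling of the cosign command depends on the cosign version.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// signBlob does what `cosign sign-blob --key cosign.key FILE` does (assumed format):
// ECDSA P-256 over SHA-256(blob), ASN.1 DER, base64-encoded into the .sig file.
func signBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// publicKeyPEM encodes the public half the way cosign writes cosign.pub (PKIX in PEM).
func publicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// verifyBlob is the check behind `cosign verify-blob --key PUB --signature SIG FILE`.
// Every failure (bad PEM, non-EC key, damaged .sig, mismatch) is an error, never a silent pass.
func verifyBlob(pubPEM []byte, sigB64 string, blob []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("public key: not a PEM PUBLIC KEY block")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key: not an ECDSA key")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature: not valid base64: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match this blob under this key")
	}
	return nil
}

// demo runs the three cases a release verifier cares about: the genuine binary,
// a tampered binary, and a binary signed with a key we never trusted. All inputs are constructed.
func demo() (genuine, tampered, wrongKey bool, err error) {
	releaseKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the release key
	if err != nil {
		return
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key the verifier never trusted
	if err != nil {
		return
	}
	blob := []byte("#!/bin/sh\necho 'pretend this is cosign-linux-amd64'\n") // constructed sample "binary"
	pubPEM, err := publicKeyPEM(&releaseKey.PublicKey)
	if err != nil {
		return
	}
	sig, err := signBlob(releaseKey, blob)
	if err != nil {
		return
	}
	forgedSig, err := signBlob(attackerKey, blob)
	if err != nil {
		return
	}
	modified := append(append([]byte{}, blob...), "\n# appended by an attacker\n"...)
	genuine = verifyBlob(pubPEM, sig, blob) == nil
	tampered = verifyBlob(pubPEM, sig, modified) == nil
	wrongKey = verifyBlob(pubPEM, forgedSig, blob) == nil
	return
}

func main() {
	genuine, tampered, wrongKey, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", genuine, tampered, wrongKey)
}
```

Running it prints `genuine=true tampered=false wrongKey=false`. The caveat to keep in mind: the check only proves that the binary and the `.sig` match the public key you handed it. Whether that key is really the project's key is a separate decision, so fetch the key from the project's repository once, pin it next to your pipeline configuration, and do not re-download it from the same place as the binary on every run.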