
Verifying Mirantis k0rdent Enterprise Artifacts and Security

Mirantis provides security artifacts for Mirantis k0rdent Enterprise releases to ensure software supply chain transparency and enable users to verify the integrity and composition of the software. These artifacts include cryptographically signed binaries and container images, Software Bills of Materials (SBOMs), and CVE scan reports.

Verifying these artifacts is a critical step to ensure you are running genuine, untampered software and to assess its security posture before deployment.

Artifact Signature Verification with Cosign

All Mirantis k0rdent Enterprise release artifacts (container images, binary files, reports) are signed with the Mirantis cosign key. Verification requires the cosign command-line tool and the Mirantis public key, published at https://get.mirantis.com/k0rdent-enterprise/cosign.pub. cosign accepts the key as a URL, as in the commands below, but for repeatable verification download the key once, record its checksum, and pass the local file to --key so that every run checks against the same key you originally inspected.

Verifying OCI Container Images

Use the cosign verify command with the Mirantis public key (https://get.mirantis.com/k0rdent-enterprise/cosign.pub) and the full image reference. cosign resolves the tag to a manifest digest, fetches the signature stored next to the image in the registry and checks it against the key; on success it prints the signed payload, which records the repository and the manifest digest that were signed (the tag itself is not part of the signed payload, so pin deployments to the digest cosign reports). The general form is:

cosign verify --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub registry.mirantis.com/k0rdent-enterprise/<image-name>:<tag>

For example, you can verify the kcm-controller:1.3.0 component with:

cosign verify --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub registry.mirantis.com/k0rdent-enterprise/kcm-controller:1.3.0

Verifying Binary Artifacts (Reports, Binaries)

Binary artifacts (executables, reports and release manifests) each have a detached signature in a .sig file published alongside the artifact, at the same URL with .sig appended. To verify such an artifact:

  1. Download both the artifact file and its .sig file.
  2. Use the cosign verify-blob command:

    cosign verify-blob --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub --signature <artifact-name>.sig <artifact-name>

    For example, to verify the release.yaml file of version 1.3.0:

    wget https://get.mirantis.com/k0rdent-enterprise/1.3.0/release.yaml
    wget https://get.mirantis.com/k0rdent-enterprise/1.3.0/release.yaml.sig
    cosign verify-blob --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub --signature release.yaml.sig release.yaml

    On success cosign prints:

    Verified OK


A successful check confirms that the artifact was signed by the holder of the Mirantis signing key and has not been modified since. On failure cosign prints an error instead of Verified OK and exits with a non-zero status; do not apply a release.yaml or run a binary that did not verify.
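The image and blob procedures above are the same check at two layers, and in practice they run from a pipeline rather than by hand. The following is an added example, not Mirantis tooling: it wraps both cosign commands in a release gate that downloads cosign.pub once and refuses it unless its SHA-256 matches a fingerprint you recorded out-of-band, runs cosign verify and parses the printed payload to recover the signed manifest digest, checks that the signed repository is the one requested (so a genuine signature from another repository cannot be replayed), and emits a digest-pinned reference for your manifests; verify-blob is wrapped the same way. It assumes cosign is on PATH and the registry is reachable. The sample cosign output and the pin handling are constructed for the example; the payload shape is the one cosign prints.

```python
"""Release gate: verify cosign signatures on k0rdent Enterprise images and blobs.

Added example, not Mirantis tooling. Assumes cosign is on PATH and that the
registry and get.mirantis.com are reachable. The sample output and the pin
handling are constructed for the example; the payload shape is cosign's.
"""
import hashlib
import json
import os
import subprocess
import sys
import urllib.request

KEY_URL = "https://get.mirantis.com/k0rdent-enterprise/cosign.pub"
KEY_FILE = "cosign.pub"
# SHA-256 hex digest of cosign.pub as you confirmed it out-of-band.
# None means "not pinned yet": fetch_key() then prints the fingerprint and stops.
PINNED_KEY_SHA256 = None

def key_fingerprint(pem: bytes) -> str:
    """SHA-256 hex digest of the raw key file, used to detect a swapped key."""
    return hashlib.sha256(pem).hexdigest()

def fetch_key(url=KEY_URL, path=KEY_FILE, pinned=PINNED_KEY_SHA256) -> str:
    """Download the public key once; refuse it unless it matches the pin."""
    with urllib.request.urlopen(url) as resp:
        pem = resp.read()
    fp = key_fingerprint(pem)
    if pinned is None:
        raise SystemExit(f"cosign.pub fingerprint is {fp}; confirm it out-of-band "
                         "and set PINNED_KEY_SHA256 before verifying releases")
    if fp != pinned:
        raise SystemExit(f"cosign.pub fingerprint {fp} does not match pin {pinned}")
    with open(path, "wb") as f:
        f.write(pem)
    return path

def repository(image_ref: str) -> str:
    """registry/repo[:tag][@digest] -> registry/repo (a :port in the host is kept)."""
    ref = image_ref.split("@", 1)[0]
    head, _, last = ref.rpartition("/")
    name = last.split(":", 1)[0]
    return f"{head}/{name}" if head else name

def signed_digest(cosign_output: str, expected_repo: str) -> str:
    """Return the manifest digest that the `cosign verify` payloads commit to."""
    # cosign prints a JSON array of simple-signing payloads. The signed
    # docker-reference must be the repository we asked about, so a genuine
    # signature lifted from another repository cannot be replayed here.
    payloads = json.loads(cosign_output)
    if not payloads:
        raise ValueError("cosign returned no signatures")
    digests = set()
    for p in payloads:
        critical = p["critical"]
        if critical["type"] != "cosign container image signature":
            raise ValueError(f"unexpected payload type {critical['type']!r}")
        signed_repo = critical["identity"]["docker-reference"]
        if signed_repo != expected_repo:
            raise ValueError(f"signature is for {signed_repo}, not {expected_repo}")
        digests.add(critical["image"]["docker-manifest-digest"])
    if len(digests) != 1:
        raise ValueError(f"signatures disagree on the digest: {sorted(digests)}")
    return digests.pop()

def pin(image_ref: str, digest: str) -> str:
    """Turn a mutable tag reference into an immutable digest reference."""
    return f"{repository(image_ref)}@{digest}"

def verify_image(image_ref: str, key: str = KEY_FILE) -> str:
    """Run `cosign verify`; return the digest-pinned reference to deploy."""
    out = subprocess.run(["cosign", "verify", "--key", key, image_ref],
                         check=True, capture_output=True, text=True).stdout
    return pin(image_ref, signed_digest(out, repository(image_ref)))

def verify_blob(path: str, key: str = KEY_FILE) -> None:
    """Run `cosign verify-blob` on <path> with its detached <path>.sig."""
    subprocess.run(["cosign", "verify-blob", "--key", key,
                    "--signature", path + ".sig", path],
                   check=True, capture_output=True, text=True)

# Constructed sample of `cosign verify` stdout; the digest is made up.
SAMPLE_REPO = "registry.mirantis.com/k0rdent-enterprise/kcm-controller"
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{"critical": {
    "identity": {"docker-reference": SAMPLE_REPO},
    "image": {"docker-manifest-digest": SAMPLE_DIGEST},
    "type": "cosign container image signature"}, "optional": None}])

if __name__ == "__main__":
    # Usage: verify_release.py <image reference or downloaded artifact path>...
    # Any failure raises (CalledProcessError, ValueError, SystemExit) and the
    # interpreter exits non-zero, which is what a CI gate needs.
    key = fetch_key()
    for arg in sys.argv[1:]:
        if os.path.isfile(arg):
            verify_blob(arg, key)
            print(f"verified blob {arg}")
        else:
            print(verify_image(arg, key))
```

The first run deliberately stops after printing the key fingerprint; confirm that value through a channel other than the download itself, set PINNED_KEY_SHA256, and from then on the gate fails closed if the published key ever changes. The digest reference it prints is what belongs in your deployment manifests, because the tag you verified can be moved later while the digest cannot.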

Software Bill of Materials (SBOMs)

Mirantis provides SBOMs in the CycloneDX format for Mirantis k0rdent Enterprise components. SBOMs offer a detailed inventory of software ingredients, making it possible to manage vulnerabilities, perform license compliance checks, and understand software dependencies.

Getting SBOMs

Each OCI image has a CycloneDX SBOM attached to it in the registry as a signed in-toto attestation. Retrieve it with cosign, which verifies the attestation signature against the Mirantis public key at the same time.

Note

cosign prints each verified attestation as a JSON DSSE envelope whose payload field is a base64-encoded in-toto statement. Use jq to decode the payload and extract the CycloneDX document from its predicate field.

For example, to retrieve the CycloneDX SBOM for kcm-controller:1.3.0, run:

cosign verify-attestation --key https://get.mirantis.com/k0rdent-enterprise/cosign.pub --type cyclonedx registry.mirantis.com/k0rdent-enterprise/kcm-controller:1.3.0 | jq '.payload | @base64d | fromjson | .predicate' -r

This verifies the attestation signature and writes the full CycloneDX document for kcm-controller to standard output. To bind the SBOM to the exact image you verified earlier rather than to whatever the tag currently points at, pass the digest reference (registry.mirantis.com/k0rdent-enterprise/kcm-controller@sha256:<digest>) instead of the tag.
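Once cosign has verified the attestation, what remains is decoding the envelope and asking the SBOM questions, typically "does this release ship component X, and at which version?" during CVE triage. The following is an added example, not Mirantis tooling: it does what the jq pipeline above does in Python, checks that the in-toto subject digest equals the image digest you verified (so the SBOM is bound to that manifest and not merely to the tag), flattens CycloneDX components that nest, and reports the versions of a named component. The envelope, digest and BOM are constructed for the example; the envelope format, statement type and predicate type URI are the ones cosign emits for --type cyclonedx.

```python
"""Decode `cosign verify-attestation` output and query the CycloneDX SBOM.

Added example, not Mirantis tooling. The envelope, digest and BOM below are
constructed for the example; the envelope format, statement type and
predicate type URI are the ones cosign emits for `--type cyclonedx`.
"""
import base64
import json
import sys

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom"

def statements(cosign_output: str):
    """Yield in-toto statements from verify-attestation output (one DSSE envelope per line).

    cosign has already checked each envelope's signature against the key; here
    we only decode the payload, rejecting wrappers that are not in-toto statements.
    """
    for line in cosign_output.splitlines():
        if not line.strip():
            continue
        env = json.loads(line)
        if env.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
        stmt = json.loads(base64.b64decode(env["payload"]))
        if stmt.get("_type") != IN_TOTO_STATEMENT:
            raise ValueError(f"unexpected statement type {stmt.get('_type')!r}")
        yield stmt

def cyclonedx_bom(cosign_output: str, image_digest: str) -> dict:
    """Return the CycloneDX predicate whose subject is exactly image_digest.

    Matching the subject digest binds the SBOM to the manifest you verified with
    `cosign verify`, not merely to whatever the tag resolves to today.
    """
    for stmt in statements(cosign_output):
        if stmt.get("predicateType") != CYCLONEDX_PREDICATE:
            continue
        for subject in stmt.get("subject", []):
            if "sha256:" + subject.get("digest", {}).get("sha256", "") == image_digest:
                return stmt["predicate"]
    raise ValueError(f"no CycloneDX attestation for {image_digest}")

def walk(components):
    """Flatten CycloneDX components, which may nest (e.g. a module's packages)."""
    for c in components or []:
        yield c
        yield from walk(c.get("components"))

def component_versions(bom: dict) -> dict:
    """Map component name -> sorted versions, over the whole component tree."""
    found = {}
    for c in walk(bom.get("components")):
        found.setdefault(c.get("name"), set()).add(c.get("version", ""))
    return {name: sorted(v) for name, v in found.items()}

def versions_of(bom: dict, name: str) -> list:
    """Versions of one component, or [] if the release does not ship it."""
    return component_versions(bom).get(name, [])

# Constructed sample of what the cosign command prints, for a made-up image
# digest and a made-up BOM with one nested component.
SAMPLE_DIGEST = "sha256:" + "cd" * 32
SAMPLE_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "example.com/netlib", "version": "1.2.3",
     "purl": "pkg:golang/example.com/netlib@v1.2.3"},
    {"type": "library", "name": "example.com/k8s-client", "version": "0.31.0",
     "components": [{"type": "library", "name": "example.com/k8s-api",
                     "version": "0.31.0"}]}]}
SAMPLE_STATEMENT = {"_type": IN_TOTO_STATEMENT, "predicateType": CYCLONEDX_PREDICATE,
                    "subject": [{"name": "registry.mirantis.com/k0rdent-enterprise/kcm-controller",
                                 "digest": {"sha256": "cd" * 32}}],
                    "predicate": SAMPLE_BOM}
SAMPLE_OUTPUT = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<checked by cosign before we get here>"}]})

if __name__ == "__main__":
    # Usage: cosign verify-attestation --key cosign.pub --type cyclonedx \
    #          registry.mirantis.com/k0rdent-enterprise/kcm-controller@sha256:<digest> \
    #        | python3 sbom_query.py sha256:<digest> [component-name]
    bom = cyclonedx_bom(sys.stdin.read(), sys.argv[1])
    if len(sys.argv) > 2:
        print(sys.argv[2], versions_of(bom, sys.argv[2]) or "not present")
    else:
        for name, versions in sorted(component_versions(bom).items()):
            print(name, ", ".join(versions))
```

The script trusts cosign for the signature check and adds only the binding that cosign does not do for you: that the statement's subject is the digest you actually verified and deployed. If verify-attestation returned several envelopes, only the CycloneDX one for that digest is used; an SBOM for a different digest is rejected rather than silently accepted.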