MongoDB发布团队对Kubernetes Operator 包的MongoDB控制器进行数字签名,证明它们是有效且未经更改的MongoDB版本。在安装MongoDB Controllers for Kubernetes Operator 之前,请使用提供的 PGP 签名或 SHA-256校验和和来验证包。
PGP 签名通过检查文件的真实性和完整性来防止篡改,从而提供最强有力的保证。
验证 Linux/macOS 包
先决条件
运行以下命令以获取签名密钥:
wget https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem
使用 Cosign
MongoDB使用签名文件对每个发布分支进行签名。 您可以使用我们的公钥文件验证二进制文件的真实性。
1
2
Use Images
您还可以验证任何已发布Docker映像的签名。以下示例展示了如何验证Kubernetes Operator 1.0.0 的MongoDB控制器签名图像:
cosign verify --key mongodb-enterprise-kubernetes-operator.pem quay.io/mongodb/mongodb-enterprise-kubernetes-operator:1.0.0 --insecure-ignore-tlog
WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature. Verification for quay.io/mongodb/mongodb-kubernetes-operator:1.0.0 -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key [{"critical":{"identity":{"docker-reference":"quay.io/mongodb/mongodb-kubernetes-operator:1.0.0"},"image":{"docker-manifest-digest":"sha256:9281935b4c36e0e4feebcf577abf21291ce0b517e7f637e6eaaf9769642abdd3"},"type":"cosign container image signature"},"optional":null}]