DOCSP-39646 ssdlc image verification (#1743)

Author: kyuan-mongodb

source/includes/steps-install-verify-files-pgp.rst

@@ -0,0 +1,46 @@
+.. procedure::
+   :style: normal
+
+   .. step:: Download the MongoDB installation file.
+      
+      To download the ``1.26.0`` release using Darwin with an ARM64 architecture, run the following command:
+   
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+         
+            wget https://github.com/mongodb/mongodb-enterprise-kubernetes/releases/download/1.26.0/kubectl-mongodb_1.26.0_darwin_arm64.tar.gz
+         
+         .. output::
+         
+            Saving : « kubectl-mongodb_1.26.0_darwin_arm64.tar.gz »
+
+   .. step:: Unzip the MongoDB installation file.
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+         
+            tar -xvzf kubectl-mongodb_1.26.0_darwin_arm64.tar.gz
+
+         .. output::
+         
+            x kubectl-mongodb.sig
+            x kubectl-mongodb     
+   
+   .. step:: Verify the MongoDB installation file.
+      
+      Run the following command:
+
+      .. io-code-block::
+         :copyable: true
+
+         .. input::
+         
+            cosign verify-blob --key mongodb-enterprise-kubernetes-operator.pem --signature kubectl-mongodb.sig kubectl-mongodb
+
+         .. output::
+         
+            Verified OK

source/installation.txt

@@ -21,6 +21,10 @@ Install and Configure the |k8s-op-short|
 :ref:`install-k8s`
   Install the |k8s-op-full|.
 
+:ref:`k8s-operator-verify-mongodb-packages`
+  Verify the package is valid and unaltered before you install
+  |k8s-op-short|.
+
 :ref:`upgrade`
   Upgrade from earlier versions of |k8s-op-short|.
 
@@ -30,4 +34,5 @@ Install and Configure the |k8s-op-short|
 
    /tutorial/plan-k8s-operator-install
    /tutorial/install-k8s-operator
+   /tutorial/verify-mongodb-packages
    /upgrade

source/tutorial/verify-mongodb-packages.txt

@@ -0,0 +1,66 @@
+.. _k8s-operator-verify-mongodb-packages:
+
+============================================================
+Verify the Integrity of the |k8s-op-full| Packages
+============================================================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 1
+   :class: singlecol
+
+Starting in |k8s-op-full| 1.26.0, the MongoDB release team
+digitally signs |k8s-op-full| packages to certify that they are valid and
+unaltered MongoDB releases. Before you install |k8s-op-full|, validate the
+package using the provided PGP signature or SHA-256 checksum.
+
+PGP signatures provide the strongest guarantees by checking both the
+authenticity and integrity of a file to prevent tampering.
+
+Verify Linux/macOS Packages
+---------------------------
+
+Prerequisites
+~~~~~~~~~~~~~
+
+Run the following command to obtain our signing key:
+
+.. code-block::
+
+   wget https://cosign.mongodb.com/mongodb-enterprise-kubernetes-operator.pem 
+
+Use Cosign
+~~~~~~~~~~
+
+MongoDB signs each release branch with a signature file. You can verify
+the authenticity of the binary with our public key file.
+
+.. include:: /includes/steps-install-verify-files-pgp.rst
+
+Use Images
+~~~~~~~~~~
+
+You can also verify the signature of any published Docker images. The
+following example shows how to verify the signature of the |k8s-op-full| 1.26.0
+image:
+
+.. io-code-block::
+   :copyable: true 
+
+   .. input:: 
+            
+      cosign verify --key mongodb-enterprise-kubernetes-operator.pem quay.io/mongodb/mongodb-enterprise-operator-ubi:1.26.0 --insecure-ignore-tlog
+         
+   .. output::
+
+      WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
+
+      Verification for quay.io/mongodb/mongodb-enterprise-operator-ubi:1.26.0 --
+      The following checks were performed on each of these signatures:
+      - The cosign claims were validated
+      - The signatures were verified against the specified public key
+
+      [{"critical":{"identity":{"docker-reference":"quay.io/mongodb/mongodb-enterprise-operator-ubi:1.26.0"},"image":{"docker-manifest-digest":"sha256:9281935b4c36e0e4feebcf577abf21291ce0b517e7f637e6eaaf9769642abdd3"},"type":"cosign container image signature"},"optional":null}]