Verify VMware Tanzu Application Catalog signatures

VMware Tanzu Application Catalog allows artifacts (container images, Helm charts, and metadata bundles) to be signed and verified by using either Sigstore Cosign or Notation.

Securing your modern applications and infrastructure requires a proactive approach to address potential threats. Signing and verifying OCI artifacts is becoming a critical part of this proactive approach.

OCI artifacts signatures in TAC

The artifacts along with their signatures are pushed to your registry. By using Sigstore Cosign or Notation, VMware Tanzu Application Catalog can efficiently deliver signed and verifiable OCI artifacts to enterprises, adding a layer of trust to their software supply chain.

Signing helps you verify the Tanzu Application Catalog artifacts. This ensures that:

  • The artifacts that you downloaded come from VMware.
  • They have not been tampered with or modified in any form.

This tutorial walks you through the process of verifying Tanzu Application Catalog artifact signatures by using either the Cosign or the Notation tool.

How to verify signatures?

Sigstore Cosign signatures for Tanzu Application Catalog artifacts

Sigstore Cosign is a part of the Sigstore project, an open-source project aimed at improving the security and transparency of the software supply chain by providing cryptographic signing and verification of software artifacts. Cosign, specifically, is focused on securing container image signing and verification. Cosign offers a command-line interface (CLI) that allows users to easily sign, verify, and work with container images, integrating the signing and verification processes seamlessly into development workflows.

To verify Tanzu Application Catalog artifact signatures by using Cosign:

  1. Install the Cosign tool. See Sigstore Cosign official documentation.

  2. Once installed, execute:

    $ cosign verify --key https://app-catalog.vmware.com/.well-known/cosign.pub ARTIFACT_REFERENCE --insecure-ignore-tlog

    Note

    Refer to the Verifying the thumbprints section below if you need to verify the key thumbprint before trusting the downloaded public key.

    Replace the ARTIFACT_REFERENCE placeholder with any of the following options:

    • A container image.

    Example: us-east1-docker.pkg.dev/vmw-app-catalog/hosted-registry-5682e11a02d/containers/ubuntu-22/nginx:latest

    • A container image metadata bundle.

    Example: us-east1-docker.pkg.dev/vmw-app-catalog/hosted-registry-5682e11a02d/containers/ubuntu-22/nginx:1.25.4-ubuntu-22-r5-metadata

    • A Helm chart.

    Example: us-east1-docker.pkg.dev/vmw-app-catalog/hosted-registry-5682e11a02d/charts/ubuntu-22/nginx:16.0.5

    • A Helm chart metadata bundle.

    Example: us-east1-docker.pkg.dev/vmw-app-catalog/hosted-registry-5682e11a02d/charts/ubuntu-22/nginx:16.0.5-metadata

    Note

    ARTIFACT_REFERENCE can be tags or digests.

  3. The --insecure-ignore-tlog option skips only the transparency log check; the signature itself is still verified against the key. The OCI signatures are stored in the OCI registry next to the artifacts and are not uploaded to any public transparency log service.

Notation signatures for Tanzu Application Catalog artifacts

Notation is a command-line interface (CLI) project which enables adding signatures as standard items in the OCI registry ecosystem, and building a set of simple tooling to sign and verify these signatures. Notation is an implementation of the Notary Project specifications, and is a CNCF Incubating project.

Notation CLI provides a simple, user-friendly interface for signature verification. To locally verify the signature of an OCI artifact delivered by Tanzu Application Catalog, follow these steps:

  1. Download and install Notation CLI. See Notary project official documentation.

  2. Download the Tanzu Application Catalog Root CA certificate from app-catalog.vmware.com/.well-known/notationCA.crt.

    Refer to the Verifying the thumbprints section below if you need to verify the certificate thumbprint before adding it to Notation.

  3. Add the Tanzu Application Catalog Root CA certificate to Notation as follows. This creates a trust store named TAC of type ca, which the trust policy refers to as ca:TAC.

    $ notation cert add --type ca --store TAC notationCA.crt

  4. Create a Trust Policy file. For example, create a file named trustpolicy.json and add the following content:

    {
      "version": "1.0",
      "trustPolicies": [
         {
               "name": "Tanzu Application Catalog",
               "registryScopes": [
                  "*"
               ],
               "signatureVerification": {
                  "level": "strict"
               },
               "trustStores": [
                  "ca:TAC"
               ],
               "trustedIdentities": [
                  "*"
               ]
         }
      ]
    }
    
  5. Import the Trust Policy file to Notation as follows.

    $ notation policy import trustpolicy.json

  6. Verify any OCI artifact in your registry from Tanzu Application Catalog as follows:

    $ notation verify my-harbor-registry/containers/debian-11/airflow:2.7.3-debian-11-r1

    You should see an output message similar to this:

    Successfully verified signature for my-harbor-registry/containers/debian-11/airflow@sha256:ef612f4c708c6ef68d834380826c234ccb817e37331d4e237b670ec821df3a93

  7. Metadata such as VEX documents, SBOMs, CVE scan results, and test reports associated with each application are also signed with Notation and can be verified as follows:

    $ notation verify my-harbor-registry/containers/debian-11/airflow:2.7.3-metadata

    You should see an output message similar to this:

    Successfully verified signature for my-harbor-registry/containers/debian-11/airflow@sha256:5a6ecc204e5ff212ebe717db56b307734bab695496efbf8d95e66ddaaabd1133

Verifying the thumbprints

To ensure the integrity of files you download from app-catalog.vmware.com/.well-known/, always check the SHA256 thumbprints of the files against the values published here before using them for verification.

  • Cosign public key, available at app-catalog.vmware.com/.well-known/cosign.pub: D0:C7:C4:58:04:A0:A2:45:87:14:FE:8B:A8:AB:1B:58:DC:23:B6:8F:B0:33:91:53:6C:69:DB:75:50:52:F2:4E.

    • Run this command to compute the thumbprint: openssl pkey -pubin -in ./cosign.pub -outform DER | openssl dgst -sha256 -c.
  • Tanzu Application Catalog Root CA certificate, available at app-catalog.vmware.com/.well-known/notationCA.crt: C4:41:F3:30:B3:3A:C2:68:74:5E:3C:1D:E7:0F:4B:A4:C7:65:91:34:E0:84:25:F4:7B:C9:46:FF:B4:81:27:66.

    • Run this command to compute the thumbprint: openssl x509 -in ./notationCA.crt -noout -fingerprint -sha256.
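As an added example (not part of the VMware documentation), the following Python reproduces what the two openssl commands above compute, so the thumbprint check can be scripted before the downloaded key or certificate is handed to cosign or notation. It assumes the file's PEM body is the DER encoding that openssl would re-emit, which holds for keys and certificates OpenSSL produced; CONSTRUCTED_PEM is a made-up sample, not a real key.

```python
import base64
import hashlib
import hmac
import os
import re

# Published thumbprints copied from the page above: SHA-256 over the DER encoding,
# printed as colon-separated upper-case hex pairs.
PUBLISHED_THUMBPRINTS = {
    "cosign.pub": "D0:C7:C4:58:04:A0:A2:45:87:14:FE:8B:A8:AB:1B:58:DC:23:B6:8F:B0:33:91:53:6C:69:DB:75:50:52:F2:4E",
    "notationCA.crt": "C4:41:F3:30:B3:3A:C2:68:74:5E:3C:1D:E7:0F:4B:A4:C7:65:91:34:E0:84:25:F4:7B:C9:46:FF:B4:81:27:66",
}

# Constructed sample used only to exercise the functions; its body is base64("hello").
CONSTRUCTED_PEM = "-----BEGIN PUBLIC KEY-----\naGVsbG8=\n-----END PUBLIC KEY-----\n"

_PEM_BLOCK = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first PEM block (what 'openssl ... -outform DER' emits)."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    # Strip line breaks inside the body; validate=True rejects stray characters.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_thumbprint(der: bytes) -> str:
    """Format the digest as 'openssl dgst -sha256 -c' / 'openssl x509 -fingerprint -sha256' print it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_thumbprint(pem_text: str, expected: str) -> bool:
    """Constant-time comparison; case is normalised so a lower-case copy of the published value matches."""
    actual = sha256_thumbprint(pem_to_der(pem_text))
    return hmac.compare_digest(actual, expected.strip().upper())


def verify_downloaded_file(path: str) -> None:
    """Abort if the file does not match the published thumbprint for its basename."""
    name = os.path.basename(path)
    with open(path, encoding="ascii") as fh:
        if not check_thumbprint(fh.read(), PUBLISHED_THUMBPRINTS[name]):
            raise SystemExit(f"{name}: thumbprint mismatch, do not use this file for verification")


if __name__ == "__main__":
    # Typical use: run after downloading the files and before 'cosign verify' / 'notation cert add'.
    for downloaded in ("./cosign.pub", "./notationCA.crt"):
        verify_downloaded_file(downloaded)
```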
