Verify Integrity of Atlas Kubernetes Operator Packages
Starting in Atlas Kubernetes Operator 2.2.0, the MongoDB release team digitally signs Atlas Kubernetes Operator packages to certify that they are valid and unaltered MongoDB releases.
You can verify Atlas Kubernetes Operator packages using a makefile rule, or cosign.
Prerequisites
Before you can verify Atlas Kubernetes Operator packages, you must have a local copy of the Atlas Kubernetes Operator repository.
Verify with Makefile Rule
The makefile rule verify
verifies an Atlas Kubernetes Operator multi-architecture
image's signature.
Run the following command to verify with the signatures at the
mongodb/signatures
MongoDB registry. Replace the following
placeholders with your values:
Placeholder | Description |
---|---|
| The image reference you want to verify. |
| The repository that contains all the signatures you want to verify against. |
make verify {IMG}=mongodb/mongodb-atlas-kubernetes-operator:2.2.0 {SIGNATURE_REPO}=mongodb/signatures
If the command is successful, it prints VERIFIED OK
. Otherwise, it
prints an error such as Error: no matching signatures
.
Verify with Cosign
Install Cosign.
Verify the package.
Run the following command to verify the Atlas Kubernetes Operator package. Replace the following placeholders with your values:
Placeholder | Description |
---|---|
| The image reference you want to verify. |
| The name of the file you downloaded the signature key PEM to. |
COSIGN_REPOSITORY=mongodb/signatures cosign verify --insecure-ignore-tlog --key="${KEY_FILENAME}" "${IMG}" && echo PASS
If the command is successful, it prints PASS
. Otherwise, it
prints an error such as Error: no matching signatures
.