/
COSIGN Setup
Search
Duplicate
Try Notion
Page icon

COSIGN Setup

All KIRA Release Files are signed using sigstore cosign tool, you will need to install and verify integrity of that tool in order to securely interact with any testnet tools.
Secure Setup Example
Bash
Copy
# assume root permissions sudo -s # Install essential dependencies apt-get install -y wget # Download Cosign COSIGN_VERSION="v2.0.0" && \ UBUNTU_AGENT="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" && \ if [[ "$(uname -m)" == *"ar"* ]] ; then ARCH="arm64"; else ARCH="amd64" ; fi && \ cd /tmp && PLATFORM=$(uname) && declare -l FILE="cosign-${PLATFORM}-${ARCH}" && rm -rfv ./$FILE ./${FILE}.sig && \ wget --user-agent="$UBUNTU_AGENT" https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/$FILE -O ./$FILE && \ wget --user-agent="$UBUNTU_AGENT" https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/${FILE}.sig -O ./${FILE}.sig # If you do NOT have cosign installed already you should check that the "$FILE" has one of the below hashes # Hashes are only for the 'linux' platform, for other platforms please refer to the github repository COSIGN_HASH_ARM="8132cb2fb99a4c60ba8e03b079e12462c27073028a5d08c07ecda67284e0c88d" && \ COSIGN_HASH_AMD="169a53594c437d53ffc401b911b7e70d453f5a2c1f96eb2a736f34f6356c4f2b" && \ FILE_HASH=$(sha256sum ./$FILE | awk '{ print $1 }' | xargs || echo -n "") && \ if [ "$FILE_HASH" != "$COSIGN_HASH_ARM" ] && [ "$FILE_HASH" != "$COSIGN_HASH_AMD" ] ; then echoErr "ERROR: Failed to download cosign tool, expected checksum to be '$COSIGN_HASH_ARM' or '$COSIGN_HASH_AMD', but got '$FILE_HASH'" exit 1 fi # Move cosign to bin directory chmod +x -v ./$FILE && mv -fv ./$FILE /usr/local/bin/cosign # Check cosign version cosign version # Save public key cat > ./sigstore-cosign.pub << EOL -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww== -----END PUBLIC KEY----- EOL # Verify cosign release cosign verify-blob --key="./sigstore-cosign.pub" --signature="./${FILE}.sig" "./$FILE"