From c18530541888bdeec908aea642716565ef2cf9e6 Mon Sep 17 00:00:00 2001 From: Allan Rasmussen Date: Wed, 14 May 2025 16:21:47 +0200 Subject: [PATCH 1/3] docker image verify --- source/mainnet/docs/installation/downloads.rst | 8 +++++++- .../installation/verification-instructions.rst | 17 +++++++++++++++++ source/mainnet/docs/network/nodes/run-node.rst | 4 +++- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/source/mainnet/docs/installation/downloads.rst b/source/mainnet/docs/installation/downloads.rst index 0eaff97901..e932066f5e 100644 --- a/source/mainnet/docs/installation/downloads.rst +++ b/source/mainnet/docs/installation/downloads.rst @@ -195,7 +195,11 @@ For the system requirements to run a node, see :ref:`System requirements to run .. dropdown:: Linux-Docker |mainnet-node-version| - To learn how to run a node with Ubuntu, see :ref:`Run a node on a server with Ubuntu `. To upgrade your Docker node either restart the service if you are using the `:latest` image tag, or change the image tag to the new version. See :ref:`Running/upgrading a node` for details. + To learn how to run a node with Docker, see :ref:`Run a node with Docker `. + + To upgrade your Docker node either restart the service if you are using the `:latest` image tag, or change the image tag to the new version. See :ref:`Running/upgrading a node` for details. + + See :ref:`Verify Concordium Node Docker Image` for how the verify the signature on the Docker image. .. dropdown:: Windows |mainnet-node-version| 
@@ -230,6 +234,8 @@ For the system requirements to run a node, see :ref:`System requirements to run To upgrade your Docker node either restart the service if you are using the `:latest` image tag, or change the image tag to the new version. See :ref:`Running/upgrading a node` for details. + See :ref:`Verify Concordium Node Docker Image` for how the verify the signature on the Docker image. + .. dropdown:: Windows |testnet-node-version| To run a node on Windows, `download a Testnet Windows Installer package `_. **Please be aware that you should backup your configuration, as the installer will overwrite the current configuration with a standard configuration.** diff --git a/source/mainnet/docs/installation/verification-instructions.rst b/source/mainnet/docs/installation/verification-instructions.rst index 70d788b7fb..13a5138d9f 100644 --- a/source/mainnet/docs/installation/verification-instructions.rst +++ b/source/mainnet/docs/installation/verification-instructions.rst 
@@ -7,6 +7,23 @@ Verification instructions To find instructions on how to verify the integrity of the file you have downloaded, navigate to the respective section that outlines the steps needed for that specific file. +.. _verify-docker-image: + +Verify Concordium Node Docker Image +=================================== + +The Docker images are signed with Sigstore Cosign. To verify +the signature run ``cosign verify`` with the ``certificate-oidc-issuer`` and ``certificate-identity`` as specified (important): + +.. code-block:: console + :substitutions: + + $cosign verify concordium/mainnet-node:|mainnet-node-version| \ + --certificate-identity=https://github.com/Concordium/concordium-node/.github/workflows/release.yaml@refs/heads/main \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com + +This verifies that the image was build and signed by Concordium. You can replace the image with ``testnet-node`` and the tag with the tag you want to run. + Concordium Desktop Wallet ========================= diff --git a/source/mainnet/docs/network/nodes/run-node.rst b/source/mainnet/docs/network/nodes/run-node.rst index 2196425c68..e6fa79f72d 100644 --- a/source/mainnet/docs/network/nodes/run-node.rst +++ b/source/mainnet/docs/network/nodes/run-node.rst 
@@ -42,7 +42,9 @@ Running/upgrading a node ======================== Concordium provides two Docker images, a `mainnet `_ one and a `testnet `_ one. -These images are designed to be used together with docker-compose, or a similar driver. This guide provides a sample configuration using ``docker-compose``. +The images are signed with Sigstore Cosign and the signature can be verified by following :ref:`Verify Concordium Node Docker Image`. + +The images are designed to be used together with docker-compose, or a similar driver. This guide provides a sample configuration using ``docker-compose``. The node requires a database which must be stored on the host system so that it persists when the docker container is stopped. It is up to the user to select the location of the database on their host system. In the guide the location used is ``/var/lib/concordium-mainnet`` or ``/var/lib/concordium-testent`` but any location to which the user that runs the Docker command has access to will do. From 72a98a2a9d77ef1de807af4f2d725f17fae71b16 Mon Sep 17 00:00:00 2001 From: Allan Rasmussen Date: Wed, 14 May 2025 16:41:03 +0200 Subject: [PATCH 2/3] digest --- .../docs/installation/verification-instructions.rst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/source/mainnet/docs/installation/verification-instructions.rst b/source/mainnet/docs/installation/verification-instructions.rst index 13a5138d9f..e9095188d3 100644 --- a/source/mainnet/docs/installation/verification-instructions.rst +++ b/source/mainnet/docs/installation/verification-instructions.rst 
@@ -24,6 +24,17 @@ the signature run ``cosign verify`` with the ``certificate-oidc-issuer`` and ``c This verifies that the image was build and signed by Concordium. You can replace the image with ``testnet-node`` and the tag with the tag you want to run. +To make sure the image is not modified between you check the signature and you use the image, +you should first get the image hash and then verify and run the image by referencing the hash: + +.. code-block:: console + :substitutions: + + $crane digest concordium/mainnet-node:|mainnet-node-version| + $cosign verify concordium/mainnet-node@sha256:6a4f8c65345ddea7db82431b76c8eadb09b9d0ebd93d4825870704e878d81f1a \ + --certificate-identity=https://github.com/Concordium/concordium-node/.github/workflows/release.yaml@refs/heads/main \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com + Concordium Desktop Wallet ========================= From 9280b516cee7b42d6de921c535ab6230d9e9c6ea Mon Sep 17 00:00:00 2001 From: Allan Rasmussen Date: Tue, 20 May 2025 18:49:25 +0200 Subject: [PATCH 3/3] fix --- source/mainnet/docs/installation/downloads.rst | 2 +- .../mainnet/docs/installation/verification-instructions.rst | 4 ++-- source/mainnet/docs/network/nodes/run-node.rst | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/source/mainnet/docs/installation/downloads.rst b/source/mainnet/docs/installation/downloads.rst index e932066f5e..5b6fa02816 100644 --- a/source/mainnet/docs/installation/downloads.rst +++ b/source/mainnet/docs/installation/downloads.rst 
@@ -234,7 +234,7 @@ For the system requirements to run a node, see :ref:`System requirements to run To upgrade your Docker node either restart the service if you are using the `:latest` image tag, or change the image tag to the new version. See :ref:`Running/upgrading a node` for details. - See :ref:`Verify Concordium Node Docker Image` for how the verify the signature on the Docker image. + See :ref:`Verify Concordium Node Docker Image` for how the verify the signature on the Docker image. .. dropdown:: Windows |testnet-node-version| diff --git a/source/mainnet/docs/installation/verification-instructions.rst b/source/mainnet/docs/installation/verification-instructions.rst index e9095188d3..0d36fb61fc 100644 --- a/source/mainnet/docs/installation/verification-instructions.rst +++ b/source/mainnet/docs/installation/verification-instructions.rst @@ -18,7 +18,7 @@ the signature run ``cosign verify`` with the ``certificate-oidc-issuer`` and ``c .. code-block:: console :substitutions: - $cosign verify concordium/mainnet-node:|mainnet-node-version| \ + $cosign verify concordium/mainnet-node:|mainnet-node-version| \ --certificate-identity=https://github.com/Concordium/concordium-node/.github/workflows/release.yaml@refs/heads/main \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com @@ -31,7 +31,7 @@ you should first get the image hash and then verify and run the image by referen :substitutions: $crane digest concordium/mainnet-node:|mainnet-node-version| - $cosign verify concordium/mainnet-node@sha256:6a4f8c65345ddea7db82431b76c8eadb09b9d0ebd93d4825870704e878d81f1a \ + $cosign verify concordium/mainnet-node@sha256:6a4f8c65345ddea7db82431b76c8eadb09b9d0ebd93d4825870704e878d81f1a \ --certificate-identity=https://github.com/Concordium/concordium-node/.github/workflows/release.yaml@refs/heads/main \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com 
diff --git a/source/mainnet/docs/network/nodes/run-node.rst b/source/mainnet/docs/network/nodes/run-node.rst index e6fa79f72d..0b96e5bba3 100644 --- a/source/mainnet/docs/network/nodes/run-node.rst +++ b/source/mainnet/docs/network/nodes/run-node.rst @@ -42,7 +42,7 @@ Running/upgrading a node ======================== Concordium provides two Docker images, a `mainnet `_ one and a `testnet `_ one. -The images are signed with Sigstore Cosign and the signature can be verified by following :ref:`Verify Concordium Node Docker Image`. +The images are signed with Sigstore Cosign and the signature can be verified by following :ref:`Verify Concordium Node Docker Image`. The images are designed to be used together with docker-compose, or a similar driver. This guide provides a sample configuration using ``docker-compose``.
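Review bot: typo in the sentence added to the Linux-Docker dropdown of downloads.rst (patch 1/3, hunk @@ -195): "for how the verify the signature on the Docker image" should read "for how to verify the signature on the Docker image". The identical sentence is added in the Testnet dropdown (hunk @@ -230) and re-touched by patch 3/3 without correcting it, so please fix all three occurrences. Splitting the old run-on line into separate run / upgrade / verify paragraphs is a good change.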
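Review bot: in the new "Verify Concordium Node Docker Image" section of verification-instructions.rst (patch 1/3, hunk @@ -7), "the image was build and signed" should be "built", and the console prompt should be `$ cosign verify` with a space after `$` so the prompt is not rendered as part of the command. The text insists the two flags be passed "as specified (important)" but never says why, and that is the security point of the section: with keyless Sigstore signing, `--certificate-identity` and `--certificate-oidc-issuer` are what bind an accepted signature to Concordium's own `release.yaml` workflow on GitHub Actions rather than to any certificate the Fulcio CA would issue. One sentence stating that, plus what a reader should do when verification fails (do not start the image), would stop operators from loosening the flags to make an error go away. Also note that the identity is pinned to `@refs/heads/main`, so any run of that workflow on the main branch yields an accepted signature; if releases are built from tags, pinning the ref to the release tag would be tighter.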
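Review bot: the sentence added to run-node.rst (patch 1/3, hunk @@ -42) says the signature "can be verified by following" the ref, which reads as optional on the one page operators actually follow to start a node; consider making it a step, e.g. "Before starting the node, verify the image signature as described in ...", so it sits in the procedure rather than beside it. Pre-existing typo in the unchanged context line while you are there: `/var/lib/concordium-testent` should be `/var/lib/concordium-testnet`.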
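Review bot: the digest hunk (patch 2/3, @@ -24) states the right goal, closing the window between checking the signature and running the image, but shows only the verify half; the run half it promises ("verify and run the image by referencing the hash") is missing. Add the corresponding `image: concordium/mainnet-node@sha256:...` line for the docker-compose file, otherwise the reader still starts the mutable tag they just verified around. Three smaller points: "image hash" should be "image digest", the term both `crane` and `cosign` use; the hard-coded `sha256:6a4f8c...` sitting next to a `|mainnet-node-version|` substitution will go stale silently on the next release, so label it as example output of the preceding `crane digest` command rather than a value to copy; and `crane` is a new tool dependency introduced without an install pointer. Prompt spacing as in the first block: `$ crane`, `$ cosign`.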
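Review bot: in the "fix" commit (patch 3/3), the `-` and `+` lines of the downloads.rst hunk (@@ -234) and of the run-node.rst hunk (@@ -42) read identically in the rendered diff, so whatever changed is not reviewable here and the one-word subject "fix" does not say; a descriptive subject would let a reviewer confirm the intent. Since patch 1/3 adds an explicit `.. _verify-docker-image:` label, each of these cross-references should use it, `:ref:\`Verify Concordium Node Docker Image <verify-docker-image>\``, because a `:ref:` by section title alone only resolves when the autosectionlabel extension is enabled. The "for how the verify" typo in the downloads.rst line is still present after this hunk.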
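Review bot: the two code-block hunks in verification-instructions.rst (patch 3/3, @@ -18 and @@ -31) likewise show no visible difference between the removed and added `$cosign verify ...` lines, and the `+` lines still read `$cosign` without the space after the prompt; if the intent was to fix the prompt or the line continuation, the change did not land as rendered, and if it was a whitespace-only fix the commit message should say so.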