Verification of Argo CD Artifacts

Prerequisites


Release Assets

AssetDescription
argocd-darwin-amd64CLI Binary
argocd-darwin-arm64CLI Binary
argocd-linux_amd64CLI Binary
argocd-linux_arm64CLI Binary
argocd-linux_ppc64leCLI Binary
argocd-linux_s390xCLI Binary
argocd-windows_amd64CLI Binary
argocd-cli.intoto.jsonlAttestation of CLI binaries
argocd-sbom.intoto.jsonlAttestation of SBOM
cli_checksums.txtChecksums of binaries
sbom.tar.gzSbom
sbom.tar.gz.pemCertificate used to sign sbom
sbom.tar.gz.sigSignature of sbom

Verification of container images

Argo CD container images are signed by cosign using identity-based (“keyless”) signing and transparency. Executing the following command can be used to verify the signature of a container image:

  1. cosign verify \
  2. --certificate-identity-regexp https://github.com/argoproj/argo-cd/.github/workflows/image-reuse.yaml@refs/tags/v \
  3. --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  4. --certificate-github-workflow-repository "argoproj/argo-cd" \
  5. quay.io/argoproj/argocd:v2.11.3 | jq

The command should output the following if the container image was correctly verified:

  1. The following checks were performed on each of these signatures:
  2. - The cosign claims were validated
  3. - Existence of the claims in the transparency log was verified offline
  4. - Any certificates were verified against the Fulcio roots.
  5. [
  6. {
  7. "critical": {
  8. "identity": {
  9. "docker-reference": "quay.io/argoproj/argo-cd"
  10. },
  11. "image": {
  12. "docker-manifest-digest": "sha256:63dc60481b1b2abf271e1f2b866be8a92962b0e53aaa728902caa8ac8d235277"
  13. },
  14. "type": "cosign container image signature"
  15. },
  16. "optional": {
  17. "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
  18. "1.3.6.1.4.1.57264.1.2": "push",
  19. "1.3.6.1.4.1.57264.1.3": "a6ec84da0eaa519cbd91a8f016cf4050c03323b2",
  20. "1.3.6.1.4.1.57264.1.4": "Publish ArgoCD Release",
  21. "1.3.6.1.4.1.57264.1.5": "argoproj/argo-cd",
  22. "1.3.6.1.4.1.57264.1.6": "refs/tags/<version>",
  23. ...

Verification of container image with SLSA attestations

A SLSA Level 3 provenance is generated using slsa-github-generator.

The following command will verify the signature of an attestation and how it was issued. It will contain the payloadType, payload, and signature.

Run the following command as per the slsa-verifier documentation:

  1. # Get the immutable container image to prevent TOCTOU attacks https://github.com/slsa-framework/slsa-verifier#toctou-attacks
  2. IMAGE=quay.io/argoproj/argocd:v2.7.0
  3. IMAGE="${IMAGE}@"$(crane digest "${IMAGE}")
  4. # Verify provenance, including the tag to prevent rollback attacks.
  5. slsa-verifier verify-image "$IMAGE" \
  6. --source-uri github.com/argoproj/argo-cd \
  7. --source-tag v2.7.0

If you only want to verify up to the major or minor verion of the source repository tag (instead of the full tag), use the --source-versioned-tag which performs semantic versioning verification:

  1. slsa-verifier verify-image "$IMAGE" \
  2. --source-uri github.com/argoproj/argo-cd \
  3. --source-versioned-tag v2 # Note: May use v2.7 for minor version verification.

The attestation payload contains a non-forgeable provenance which is base64 encoded and can be viewed by passing the --print-provenance option to the commands above:

  1. slsa-verifier verify-image "$IMAGE" \
  2. --source-uri github.com/argoproj/argo-cd \
  3. --source-tag v2.7.0 \
  4. --print-provenance | jq

If you prefer using cosign, follow these instructions.

Tip

cosign or slsa-verifier can both be used to verify image attestations. Check the documentation of each binary for detailed instructions.


Verification of CLI artifacts with SLSA attestations

A single attestation (argocd-cli.intoto.jsonl) from each release is provided. This can be used with slsa-verifier to verify that a CLI binary was generated using Argo CD workflows on GitHub and ensures it was cryptographically signed.

  1. slsa-verifier verify-artifact argocd-linux-amd64 \
  2. --provenance-path argocd-cli.intoto.jsonl \
  3. --source-uri github.com/argoproj/argo-cd \
  4. --source-tag v2.7.0

If you only want to verify up to the major or minor verion of the source repository tag (instead of the full tag), use the --source-versioned-tag which performs semantic versioning verification:

  1. slsa-verifier verify-artifact argocd-linux-amd64 \
  2. --provenance-path argocd-cli.intoto.jsonl \
  3. --source-uri github.com/argoproj/argo-cd \
  4. --source-versioned-tag v2 # Note: May use v2.7 for minor version verification.

The payload is a non-forgeable provenance which is base64 encoded and can be viewed by passing the --print-provenance option to the commands above:

  1. slsa-verifier verify-artifact argocd-linux-amd64 \
  2. --provenance-path argocd-cli.intoto.jsonl \
  3. --source-uri github.com/argoproj/argo-cd \
  4. --source-tag v2.7.0 \
  5. --print-provenance | jq

Verification of Sbom

A single attestation (argocd-sbom.intoto.jsonl) from each release is provided along with the sbom (sbom.tar.gz). This can be used with slsa-verifier to verify that the SBOM was generated using Argo CD workflows on GitHub and ensures it was cryptographically signed.

  1. slsa-verifier verify-artifact sbom.tar.gz \
  2. --provenance-path argocd-sbom.intoto.jsonl \
  3. --source-uri github.com/argoproj/argo-cd \
  4. --source-tag v2.7.0

Verification on Kubernetes

Policy controllers

Note

We encourage all users to verify signatures and provenances with your admission/policy controller of choice. Doing so will verify that an image was built by us before it’s deployed on your Kubernetes cluster.

Cosign signatures and SLSA provenances are compatible with several types of admission controllers. Please see the cosign documentation and slsa-github-generator for supported controllers.