feat: warning about the identity in the cosign verify.

Updates the tutorial of how to verify the signatures of the Kubewarden components adding a warning explaining how to have a more secure check by using the full URL in the subject/identity field. Signed-off-by: José Guilherme Vanz <[email protected]>
kubewarden · Oct 11, 2024 · c2356e2 · c2356e2
1 parent b022ab0
commit c2356e2
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/docs/tutorials/verifying-kubewarden.md b/docs/tutorials/verifying-kubewarden.md
@@ -20,6 +20,20 @@ following info, where `*` matches any following characters:
 - subject: `https://github.com/kubewarden/*`
 - x509 certificate extension for GHA, "github_workflow_repository": `kubewarden/*`
 
+:::important
+The subject used in the `--certificate-identity-regexp` cosign CLI flag in this
+tutorial utilizes the `https://github.com/kubewarden/*` values to simplify the
+explanation. This allows artifacts from repositories with the same prefix to
+bypass validation. For example: `github.com/kubewarden/policy-server1`.
+
+If you want a more secure check you need to use a full URL:
+```
+https://github.com/kubewarden/policy-server/.github/workflows/container-image.yml@refs/tags/v1.18.0
+```
+Note that the URL have the full repository path, the workflow file path, and
+the version tag.
+:::
+
 ## Helm charts
 
 You can find our Helm charts in our `https://` traditional Helm repository under