From 298245c6486973ae56c35476f3768b6eecfb3dbb Mon Sep 17 00:00:00 2001 From: priyawadhwa Date: Wed, 31 Mar 2021 07:14:07 -0700 Subject: [PATCH] Check-in cosign public key and update README (#1611) --- README.md | 18 ++++++++++++++++++ cosign.pub | 4 ++++ 2 files changed, 22 insertions(+) create mode 100644 cosign.pub diff --git a/README.md b/README.md index c140743fe..db96d6b47 100644 --- a/README.md +++ b/README.md @@ -89,6 +89,7 @@ _If you are interested in contributing to kaniko, see [DEVELOPMENT.md](DEVELOPME - [--whitelist-var-run](#--whitelist-var-run) - [Debug Image](#debug-image) - [Security](#security) + - [Verifying Signed Kaniko Images](#verifying-signed-kaniko-images) - [Comparison with Other Tools](#comparison-with-other-tools) - [Community](#community-1) - [Limitations](#limitations) @@ -777,6 +778,23 @@ use kaniko. You may be able to achieve the same default seccomp profile that Docker uses in your Pod by setting [seccomp](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp) profiles with annotations on a [PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) to create or update security policies on your cluster. + +### Verifying Signed Kaniko Images +kaniko images are signed for versions >= 1.5.2 using [cosign](https://github.com/sigstore/cosign)! + +To verify a public image, install [cosign](https://github.com/sigstore/cosign) and use the provided [public key](cosign.pub): + +``` +$ cat cosign.pub +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9aAfAcgAxIFMTstJUv8l/AMqnSKw +P+vLu3NnnBDHCfREQpV/AJuiZ1UtgGpFpHlJLCNPmFkzQTnfyN5idzNl6Q== +-----END PUBLIC KEY----- + +$ cosign verify -key ./cosign.pub gcr.io/kaniko-project/executor:latest +``` + + ## Kaniko Builds - Profiling If your builds are taking long, we recently added support to analyze kaniko function calls using [Slow Jam](https://github.com/google/slowjam) 
diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 000000000..90218b2fe --- /dev/null +++ b/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9aAfAcgAxIFMTstJUv8l/AMqnSKw +P+vLu3NnnBDHCfREQpV/AJuiZ1UtgGpFpHlJLCNPmFkzQTnfyN5idzNl6Q== +-----END PUBLIC KEY-----
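Review bot: in the new "Verifying Signed Kaniko Images" section of README.md, the example verifies the mutable `:latest` tag (`cosign verify -key ./cosign.pub gcr.io/kaniko-project/executor:latest`) while the sentence above it says only versions >= 1.5.2 are signed; suggest pointing the example at a pinned version tag (>= 1.5.2) or an image digest, and adding a sentence that a successful verification only proves what the tag resolved to at that moment, so the verified digest, not the tag, is what should go into a Pod spec. The section also says "kaniko images are signed" but shows only the executor image; please state whether the debug and warmer images published alongside it are signed with the same key, since a reader will otherwise assume the single example covers all of them.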
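Review bot: cosign.pub is added with no statement of where the key came from or how it is protected and rotated; since the README tells users to trust the copy checked into this same repository, suggest also publishing the key (or its fingerprint) out-of-band, for example in the release notes, so a reader who obtained the repository from a mirror can cross-check it. For the record, the PEM body is a SubjectPublicKeyInfo for an ECDSA P-256 key (the `MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE` prefix), which matches cosign's default key type, so it is worth noting in the README that this is the only key in use so that a future rotation is an explicit, reviewable change to this file.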