Knative Security and Disclosure Information¶
This page describes Knative security and disclosure information.
Knative threat model¶
Code Signature Verification¶
All platforms¶
Our releases from 1.9 are signed with cosign. You can use the following steps to verify our binaries.
- Download the files you want, and the checksums.txt, checksums.txt.pem and checksums.txt.sig files from the releases page:

  # this example verifies the 1.10.0 kn cli from the knative/client repository
  wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt
  wget https://github.com/knative/client/releases/download/knative-v1.10.0/kn-darwin-amd64
  wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.sig
  wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.pem
- Verify the signature:
  cosign verify-blob \
    --certificate-identity=[email protected] \
    --certificate-oidc-issuer=https://accounts.google.com \
    --cert checksums.txt.pem \
    --signature checksums.txt.sig \
    checksums.txt
- If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
  sha256sum --ignore-missing -c checksums.txt
Note
Knative images are signed in KEYLESS mode. To learn more about keyless signing, please refer to Keyless Signatures. Our signing identity (Subject) for our releases is [email protected] and the Issuer is https://accounts.google.com.
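The three-step procedure above, carried through for a single downloaded binary, as an added example (not Knative's own tooling): the cosign keyless check on checksums.txt is wrapped in one function, and the SHA256 check is done for exactly the file you fetched, so a binary that is missing from checksums.txt is an error rather than a silent pass. The `identity` and `issuer` values are passed in by the caller (the page states them above); `cosign` is assumed to be on PATH.

```python
"""Verify one Knative release binary against a cosign-signed checksums.txt (added example)."""
import hashlib
import hmac
import subprocess
from pathlib import Path


def verify_checksums_signature(checksums: Path, identity: str, issuer: str) -> None:
    """Step 2: keyless cosign verification of checksums.txt.
    Assumes cosign is on PATH and checksums.txt.pem / .sig sit beside checksums.txt.
    Raises subprocess.CalledProcessError if the signature does not verify."""
    subprocess.run(
        ["cosign", "verify-blob",
         f"--certificate-identity={identity}",
         f"--certificate-oidc-issuer={issuer}",
         "--cert", str(checksums.with_name(checksums.name + ".pem")),
         "--signature", str(checksums.with_name(checksums.name + ".sig")),
         str(checksums)],
        check=True,
    )


def parse_checksums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines: '<64 hex>  <name>' (a leading '*' marks binary mode)."""
    sums: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name.lstrip("*")] = digest.lower()
    return sums


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binary(binary: Path, checksums_text: str) -> bool:
    """Step 3 for one file. Unlike `sha256sum --ignore-missing -c`, a binary that is
    not listed in checksums.txt is rejected outright (KeyError), not skipped."""
    sums = parse_checksums(checksums_text)
    if binary.name not in sums:
        raise KeyError(f"{binary.name} is not listed in checksums.txt")
    return hmac.compare_digest(sha256_file(binary), sums[binary.name])
```

Call `verify_checksums_signature` first and only read checksums.txt if it succeeds; a checksum list that has not been signature-verified proves nothing about the binary.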
Apple macOS¶
In addition to signing our binaries with cosign, we notarize our macOS binaries. You can use the codesign utility to verify our binaries from the 1.9 release onward. You should expect output that looks like this; the expected TeamIdentifier is 7R64489VHL:
codesign --verify -d --verbose=2 ~/Downloads/kn-quickstart-darwin-amd64
Executable=/Users/REDACTED/Downloads/kn-quickstart-darwin-amd64
Identifier=kn-quickstart-darwin-amd64
...
Authority=Developer ID Application: Mahamed Ali (7R64489VHL)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=3 Oct 2022 at 22:50:07
...
TeamIdentifier=7R64489VHL
Report a vulnerability¶
We're extremely grateful to the security researchers and users who report vulnerabilities to the Knative Open Source Community. All reports are thoroughly investigated by a set of community volunteers.
To make a report, please email the private [email protected] list with the security details and the details expected for all Knative bug reports.
When Should I Report a Vulnerability?¶
- You think you discovered a potential security vulnerability in Knative
- You are unsure how a vulnerability affects Knative
- You think you discovered a vulnerability in another project that Knative depends on
- For projects with their own vulnerability reporting and disclosure process, please report it directly there
When Should I NOT Report a Vulnerability?¶
- You need help tuning Knative components for security
- You need help applying security related updates
- Your issue is not security related