
Artifact Signatures

As part of our commitment to secure software delivery and regulatory compliance, Spectro Cloud digitally signs key artifacts using Cosign. This ensures artifacts are traceable, tamper-evident, and aligned with modern compliance frameworks such as NIST SP 800-218, FedRAMP, and CMMC.

Signatures are produced with the FIPS-compliant ECDSA P-256 algorithm over SHA-256 digests, and the keys are stored in PEM-encoded PKCS#8 format.

To support trusted deployment and secure validation, Spectro Cloud currently signs the following artifacts:

  • All ZST bundles downloaded from Artifact Studio.

  • All ISOs downloaded from Artifact Studio.

  • Spectro Cloud-owned and upstream images stored in the following registries:

    • us-docker.pkg.dev/palette-images
    • us-docker.pkg.dev/palette-images-fips
    • gcr.io/spectro-images-fips
    • gcr.io/spectro-images-public
Warning: Images are signed only if they were built after version 4.7.3. Individual image signatures must be verified by existing Secure Supply Chain validation flows.

For signature information related to Spectro Cloud's offline documentation, refer to our Offline Documentation guide.

Verify Artifact Signatures

All ZST bundles and ISO files downloaded from Artifact Studio are signed. An additional .sig.bin file accompanies each artifact; it is a detached signature that is verified against Spectro Cloud's public key, spectro_public_key.pem. Images embedded within ZST bundles that originate from a Spectro Cloud registry are also signed and can be verified using validation flows.

Prerequisites

  • ZST bundles or ISO files downloaded from Artifact Studio together with their accompanying signature files. For more information, refer to our Artifact Studio guide.

  • OpenSSL installed on the machine where the downloaded artifacts are located.

Artifact Studio Bundle Verification

To verify the integrity and authenticity of your artifacts, check the signature of each downloaded file against Spectro Cloud's public key.

  1. Navigate to Artifact Studio.

  2. At the top right of the page, select Bundle Verification Instructions.

  3. Download the public key file spectro_public_key.pem.

  4. Use the appropriate command to verify the individual pack integrity, depending on the type of file downloaded.

    Replace <bundle-name> with the name of the bundle.

    openssl dgst -sha256 -verify spectro_public_key.pem -signature <bundle-name>.tar.sig.bin <bundle-name>.tar.zst
  5. A successful verification displays Verification OK.

  6. Alternatively, if verifying the signature for a content or pack bundle, use the following sample script to check all files downloaded in the current folder. Substitute REPLACE ME with the path to spectro_public_key.pem.

    Sample script
    #!/bin/bash
    # This script verifies the signatures of data files against a public key.
    # It expects files named like `datafile.zst` and corresponding signatures `datafile.sig.bin`.
    # Ensure you have OpenSSL installed to run this script and that the public key is in PEM format.
    # Ensure the script has execute permissions: `chmod +x verify-signatures.sh`
    # Usage: ./verify-signatures.sh
    PUBKEY="REPLACE ME" # Enter path to public key file
    shopt -s nullglob   # Do nothing (instead of looping over a literal "*.sig.bin") when no signature files exist
    for sigfile in *.sig.bin; do
        # Strip `.sig.bin` to get the base filename and the corresponding data file
        base="${sigfile%.sig.bin}"
        datafile="${base}.zst"
        if [[ ! -f "$datafile" ]]; then # Check that the data file exists
            echo "$datafile: ❌ Data file not found"
            continue # Skip to the next signature file
        fi
        # Run signature verification (ECDSA P-256 signature over the SHA-256 digest)
        if openssl dgst -sha256 -verify "$PUBKEY" -signature "$sigfile" "$datafile" > /dev/null 2>&1; then
            echo "$datafile: ✅ Signature valid"   # Print success message
        else
            echo "$datafile: ❌ Signature invalid" # Print failure message
        fi
    done

    Next, grant the script execute permissions, and run the script.

    chmod +x verify-signatures.sh
    ./verify-signatures.sh

    The output should be similar to the following.

    Example output
    cni-calico-3.29.2.zst: ✅ Signature valid
    csi-aws-ebs-1.41.0.zst: ✅ Signature valid
    kubernetes-1.32.3.zst: ✅ Signature valid
    spectro-k8s-dashboard-7.11.1.zst: ✅ Signature valid
    ubuntu-aws-22.04.zst: ✅ Signature valid
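The following is an added worked example, not Spectro Cloud's script: it runs the same openssl verification step as the procedure above against a throwaway ECDSA P-256 key pair generated locally (standing in for spectro_public_key.pem) and shows that a modified artifact, or a key other than the publisher's, fails verification. The bundle content, file names and key names are constructed for the demonstration.

```shell
#!/bin/bash
# Added example, not Spectro Cloud's code. A throwaway ECDSA P-256 key pair
# generated here stands in for spectro_public_key.pem; the bundle content,
# file names and key names are constructed for the demonstration.
set -u

WORK="$(mktemp -d)"
PUBKEY="$WORK/demo_public_key.pem"        # stand-in for spectro_public_key.pem
PRIVKEY="$WORK/demo_private_key.pem"      # exists only to produce the sample signature
OTHER_PUBKEY="$WORK/other_public_key.pem" # a key that is NOT the publisher's

# Key generation: P-256 (prime256v1), the curve the guide names.
openssl ecparam -name prime256v1 -genkey -noout -out "$PRIVKEY"
openssl ec -in "$PRIVKEY" -pubout -out "$PUBKEY" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout \
    | openssl ec -pubout -out "$OTHER_PUBKEY" 2>/dev/null

# Constructed sample bundle and its detached .sig.bin signature
# (SHA-256 digest of the file, signed with the private key).
printf 'constructed bundle contents\n' > "$WORK/demo-pack.zst"
openssl dgst -sha256 -sign "$PRIVKEY" -out "$WORK/demo-pack.sig.bin" "$WORK/demo-pack.zst"

# A copy with a single character changed; the original signature must not verify.
sed 's/^c/C/' "$WORK/demo-pack.zst" > "$WORK/tampered-pack.zst"

# verify_artifact PUBKEY DATAFILE SIGFILE
# Runs the same check as the guide; returns 0 only when the signature verifies.
verify_artifact() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo "$2: Signature valid"
        return 0
    fi
    echo "$2: Signature invalid"
    return 1
}

# Expected verdicts: valid, invalid (tampered data), invalid (wrong key).
verify_artifact "$PUBKEY" "$WORK/demo-pack.zst" "$WORK/demo-pack.sig.bin"
verify_artifact "$PUBKEY" "$WORK/tampered-pack.zst" "$WORK/demo-pack.sig.bin"
verify_artifact "$OTHER_PUBKEY" "$WORK/demo-pack.zst" "$WORK/demo-pack.sig.bin"
```

The third case is the one that matters when a public key is fetched separately from the artifact: a signature that verifies only under an attacker-supplied key proves nothing, so the key must come from Artifact Studio's Bundle Verification Instructions, not from the download location of the bundle.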