
chains


Commits

List of commits on branch master.
Unverified
640984e1d55dca954f1e339ff1f6e9ee77861c5f

Fix clientset retrieval.

ddlorenc committed 4 years ago
Unverified
9c376c0598ee8264a9adef48b3d1efd04e56fe11

Vendor and pick up changes.

ddlorenc committed 4 years ago
Unverified
96b14ab649f0c1e25b74bc61d1e99ebcec363976

Update knative.dev/pkg

ddlorenc committed 4 years ago
Unverified
36d064fae1c7175c8a8e0ba0083d02d3c6848993

Merge branch 'master' of github.com:dlorenc/chains

ddlorenc committed 4 years ago
Unverified
d94d02a7c873721f3ae52f7d7aa925337f286d07

In Toto

ddlorenc committed 4 years ago
Verified
b3aded51fa1ddab8a1d3b1778b24356935d5401a

Merge pull request #3 from mpeters/master

ddlorenc committed 4 years ago

README

The README file for this repository.

Tekton Chains

Installation

  1. Make sure you install Tekton Pipelines first!

  2. Install Chains with: ko apply -f config/

Usage

To get started, you first have to generate a GPG keypair to be used by your Tekton system. There are many ways to go about this, but you can usually use something like this:

gpg --gen-key

Enter a passphrase (make sure you remember it!) and a name for the key.

Next, you'll need to upload the private key as a Kubernetes Secret so Tekton can use it to sign. To do that, export the secret key and base64 encode it:

gpg --export-secret-key --armor $keyname | base64

Set that as the value of the key named private in the Secret signing-secrets:

kubectl edit secret signing-secrets -n tekton-pipelines

Do the same for your passphrase, remembering to remove any unnecessary whitespace and base64 encode it:

echo -n 'mypassword' | base64

Set that as the value of the key named passphrase in the Secret signing-secrets:

kubectl edit secret signing-secrets -n tekton-pipelines
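
An alternative to hand-editing the two values, as an added example that is not part of the Chains repository: a POSIX shell function that renders the signing-secrets manifest from an armored key file and a passphrase file. The function names and file arguments are hypothetical; the Secret name, namespace and the keys private and passphrase are the ones named above, and it assumes that applying a manifest over the existing Secret is acceptable in your cluster.

```shell
#!/bin/sh
# Added example, not part of the Chains repository. Renders the
# signing-secrets manifest from two files instead of hand-editing base64.

# Base64-encode stdin as one line. GNU base64 wraps its output at 76
# columns; joining the lines gives a value usable as a single YAML scalar.
b64_oneline() {
    base64 | tr -d '\n'
}

# render_signing_secret KEY_FILE PASSPHRASE_FILE   (hypothetical helper)
# KEY_FILE: output of `gpg --export-secret-key --armor $keyname`.
# Prints the manifest on stdout; returns non-zero on unusable input.
render_signing_secret() {
    key_file=$1
    pass_file=$2
    if [ ! -r "$key_file" ] || [ ! -r "$pass_file" ]; then
        echo "key or passphrase file not readable" >&2
        return 1
    fi
    # Refuse anything that is not an armored private key export.
    if ! grep -q -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$key_file"; then
        echo "$key_file is not an armored private key" >&2
        return 1
    fi
    private_b64=$(b64_oneline < "$key_file")
    # Drop CR/LF characters so the stored passphrase has no stray whitespace
    # from the editor that wrote the file.
    passphrase_b64=$(tr -d '\r\n' < "$pass_file" | b64_oneline)
    if [ -z "$passphrase_b64" ]; then
        echo "empty passphrase" >&2
        return 1
    fi
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: signing-secrets
  namespace: tekton-pipelines
data:
  private: $private_b64
  passphrase: $passphrase_b64
EOF
}

# Usage: render_signing_secret key.asc passphrase.txt | kubectl apply -f -
```

Reading the passphrase from a file with restrictive permissions keeps it out of shell history, unlike typing it as an argument to echo.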

Verification

Assuming you have the keys loaded into GPG on your system (you should if you created them earlier), you can retrieve the signature and payload using kubectl to verify them.

Run some task in Tekton that will create a TaskRun object. An example might be the clustertask-pipelinerun example from the pipelines project:

kubectl apply -f examples/v1beta1/pipelineruns/clustertask-pipelinerun.yaml

The body and signature of that run are then stored in annotations on the TaskRun object. Extract them with:

# A TaskRun fetched by name is returned as a single object, so the annotations sit under .metadata
kubectl get taskrun "$taskrun" -o=json | jq -r '.metadata.annotations.body' | base64 --decode > body
kubectl get taskrun "$taskrun" -o=json | jq -r '.metadata.annotations.signed' > signature

Then verify them again with gpg:

gpg --verify signature body