docs: release signature verification (#10967)

* chore: release signature documentation

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

* fixed typos

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

* fixed requested changes

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

argocd-cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
+JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
+-----END PUBLIC KEY-----

docs/operator-manual/signed-release-assets.md

@@ -0,0 +1,32 @@
+# Verification of Argo CD signatures
+
+All Argo CD container images are signed by cosign. Checksums are created for the CLI binaries and then signed to ensure integrity.
+
+## Prerequisites
+- Cosign [installation instructions](https://docs.sigstore.dev/cosign/installation)
+- Obtain or have a copy of the [public key](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) ```argocd-cosign.pub```
+
+Once you have installed cosign, you can use [argocd-cosign.pub](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) to verify the signed assets or container images.
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
+JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
+-----END PUBLIC KEY-----
+```
+## Verification of container images
+
+```bash
+cosign verify --key argocd-cosign.pub  quay.io/argoproj/argocd:latest
+
+Verification for quay.io/argoproj/argocd:latest --
+The following checks were performed on each of these signatures:
+  * The cosign claims were validated
+  * The signatures were verified against the specified public key
+...
+```
+## Verification of signed assets
+
+```bash
+cosign verify-blob --key cosign.pub --signature $(cat argocd-$VERSION-checksums.sig) argocd-$VERSION-checksums.txt
+Verified OK
+```

hack/generate-release-notes.sh

@@ -54,6 +54,16 @@ kubectl create namespace argocd
 kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/$version/manifests/ha/install.yaml
 \`\`\`
 
+## Release signatures
+
+All Argo CD container images and CLI binaries are signed by cosign. See the [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets.md/) on how to verify the signatures.
+\`\`\`shell
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
+JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
+-----END PUBLIC KEY-----
+\`\`\`
+
 ## Upgrading
 
 If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.

mkdocs.yml

@@ -35,6 +35,7 @@ nav:
   - Security:
     - Overview: operator-manual/security.md
     - snyk/index.md
+    - operator-manual/signed-release-assets.md
   - operator-manual/tls.md
   - operator-manual/cluster-bootstrapping.md
   - operator-manual/secret-management.md