Update Cosign verify command with identity #38440

Closed
wants to merge 2 commits into from

Conversation

haydentherapper

Verification of the identity of the signer is a critical part of Sigstore verification. Otherwise, you are only verifying that there is some signature that is valid, instead of checking that the signature was generated by someone you trust.

For more information, sigstore/cosign#2056 contains some discussion around why we want to require these flags, and sigstore/cosign#1947 for why we require both of these flags.

An open question for you is if this specified identity (which came from the certificate) will change between releases. If so, how would you like users to know which identity signed a release?

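The description above argues that a valid signature alone proves nothing about who signed; verification must also pin the signer's identity and the OIDC issuer that vouched for it, which is what cosign's `--certificate-identity` and `--certificate-oidc-issuer` flags express. The Go program below is an added example, not code from this PR, from cosign or from the Kubernetes release tooling. It builds a constructed Fulcio-style signing certificate (self-signed rather than Fulcio-issued, with the identity as an email SAN and the issuer in Fulcio's extension OID 1.3.6.1.4.1.57264.1.1), signs a constructed payload, and contrasts a signature-only check with one that pins identity and issuer. The two service-account identities come from this thread; the `https://accounts.google.com` issuer is assumed here as the OIDC issuer for GCP service accounts; chain validation to the Fulcio root and the Rekor transparency-log lookup, which cosign also performs, are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Fulcio certificate extension carrying the OIDC issuer (OID 1.3.6.1.4.1.57264.1.1).
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// SignedArtifact is a constructed stand-in for what a verifier receives:
// the signing certificate (DER), the signed payload and the signature.
type SignedArtifact struct {
	CertDER, Payload, Signature []byte
}

// issueAndSign mimics keyless signing: a throwaway P-256 key, a short-lived
// certificate binding that key to an identity (email SAN) and to the OIDC issuer,
// and an ECDSA/SHA-256 signature over payload. Self-signed here; Fulcio-issued in reality.
func issueAndSign(identity, issuer string, payload []byte) (SignedArtifact, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return SignedArtifact{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		EmailAddresses:  []string{identity},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return SignedArtifact{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedArtifact{CertDER: der, Payload: payload, Signature: sig}, err
}

// VerifySignatureOnly answers "is there some valid signature?" and nothing
// more: any keyless signer, trusted or not, passes this check.
func VerifySignatureOnly(a SignedArtifact) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(a.CertDER)
	if err != nil {
		return nil, err
	}
	// Hashes Payload with SHA-256 and verifies the ECDSA signature under the cert's key.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, a.Payload, a.Signature); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	return cert, nil
}

// VerifyWithIdentity is what the two flags express: the signature must verify
// AND the certificate must name the expected signer AND the expected OIDC issuer.
// (Chain validation to Fulcio and the Rekor inclusion check are omitted here.)
func VerifyWithIdentity(a SignedArtifact, wantIdentity, wantIssuer string) error {
	cert, err := VerifySignatureOnly(a)
	if err != nil {
		return err
	}
	identityOK := false
	for _, email := range cert.EmailAddresses {
		identityOK = identityOK || email == wantIdentity
	}
	if !identityOK {
		return fmt.Errorf("signer %v is not the expected identity %q", cert.EmailAddresses, wantIdentity)
	}
	gotIssuer := ""
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			gotIssuer = string(ext.Value)
		}
	}
	if gotIssuer != wantIssuer {
		return fmt.Errorf("issuer %q is not the expected issuer %q", gotIssuer, wantIssuer)
	}
	return nil
}

// Constructed run: a payload signed by the staging identity, then verified while
// pinned to each of the two identities mentioned in this thread.
func main() {
	staging := "krel-staging@k8s-releng-prod.iam.gserviceaccount.com"
	art, err := issueAndSign(staging, "https://accounts.google.com", []byte("sha256:0123abcd"))
	if err != nil {
		panic(err)
	}
	fmt.Println("pinned to staging:", VerifyWithIdentity(art, staging, "https://accounts.google.com"))
	fmt.Println("pinned to trust:  ", VerifyWithIdentity(art,
		"krel-trust@k8s-releng-prod.iam.gserviceaccount.com", "https://accounts.google.com"))
}
```

The second call fails even though the signature is cryptographically valid, which is exactly the gap the description warns about: a verifier that checks only `VerifySignatureOnly` would accept a release signed by any account that can obtain a Fulcio certificate, while one that pins identity and issuer accepts only the account the documentation tells users to expect.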
@linux-foundation-easycla

linux-foundation-easycla bot commented Dec 13, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign nate-double-u for approval by writing /assign @nate-double-u in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Dec 13, 2022
@k8s-ci-robot k8s-ci-robot added sig/docs Categorizes an issue or PR as relevant to SIG Docs. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Dec 13, 2022
@k8s-ci-robot
Contributor

Welcome @haydentherapper!

It looks like this is your first PR to kubernetes/website 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/website has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Dec 13, 2022
@netlify

netlify bot commented Dec 13, 2022

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 40d6197
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/6397f381e0dd6400088caaf8
😎 Deploy Preview https://deploy-preview-38440--kubernetes-io-main-staging.netlify.app

@haydentherapper
Author

Something that was unexpected is that the binary was signed by a different identity than the image - krel-staging@k8s-releng-prod.iam.gserviceaccount.com vs krel-trust@k8s-releng-prod.iam.gserviceaccount.com. Was this intentional?

@utkarsh-singh1
Contributor

utkarsh-singh1 commented Dec 13, 2022

Hi @haydentherapper, please sign EasyCLA as it will allow reviewers to review your PR.

Check these links for EasyCLA -

  1. Find out about EasyCLA here - https://docs.linuxfoundation.org/lfx/easycla

  2. Steps to sign EasyCLA are here - https://docs.linuxfoundation.org/v2/easycla/contributors/individual-contributor

  3. Follow this link for EasyCLA - https://api.easycla.lfx.linuxfoundation.org/v2/repository-provider/github/sign/18706487/51478266/38056/#/?version=2

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Dec 13, 2022
@haydentherapper haydentherapper marked this pull request as draft December 14, 2022 18:20
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 14, 2022
@haydentherapper
Author

Moving PR to draft after speaking with @puerco about the expected identities.

@natalisucks
Contributor

@haydentherapper Howdy there – just wanting to check in on the status of this draft. Happy to keep it open if you're still working, or close for now until there is an agreed-upon way forward with the expected identities. Thanks!

@haydentherapper
Author

I'll close it for now, unless there's an identity that's been locked in. We'll want to update the documentation for Cosign 2.0 also.

@haydentherapper haydentherapper deleted the patch-1 branch March 8, 2023 22:36