@saschagrunert
Created December 1, 2022 14:13
Verifying Kubernetes binary artifacts
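#!/usr/bin/env bash
set -euox pipefail

TAG=v1.26.0-rc.1
URL=https://dl.k8s.io/release/$TAG/bin/linux/amd64
BIN=kubectl

# Download the binary together with its signature and signing certificate
for EXT in "" .sig .cert; do
    FILE=$BIN$EXT
    curl -sSfL --retry 3 --retry-delay 3 "$URL/$FILE" -o "$FILE"
done

# Keyless verification: check the signature against the certificate and the transparency log
COSIGN_EXPERIMENTAL=1 cosign verify-blob "$BIN" --signature "$BIN.sig" --certificate "$BIN.cert"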
@saschagrunert
Author

Output

+ TAG=v1.26.0-rc.1
+ URL=https://dl.k8s.io/release/v1.26.0-rc.1/bin/linux/amd64
+ BIN=kubectl
+ for EXT in "" .sig .cert
+ FILE=kubectl
+ curl -sSfL --retry 3 --retry-delay 3 https://dl.k8s.io/release/v1.26.0-rc.1/bin/linux/amd64/kubectl -o kubectl
+ for EXT in "" .sig .cert
+ FILE=kubectl.sig
+ curl -sSfL --retry 3 --retry-delay 3 https://dl.k8s.io/release/v1.26.0-rc.1/bin/linux/amd64/kubectl.sig -o kubectl.sig
+ for EXT in "" .sig .cert
+ FILE=kubectl.cert
+ curl -sSfL --retry 3 --retry-delay 3 https://dl.k8s.io/release/v1.26.0-rc.1/bin/linux/amd64/kubectl.cert -o kubectl.cert
+ COSIGN_EXPERIMENTAL=1
+ cosign verify-blob kubectl --signature kubectl.sig --certificate kubectl.cert
tlog entry verified with uuid: 5d54b39222e3fa9a21bcb0badd8aac939b4b0d1d9085b37f1f10b18a8cd24657 index: 8173886
Verified OK

cpanato commented Dec 1, 2022

You can also do:

$ COSIGN_EXPERIMENTAL=1 cosign verify-blob kubectl  --signature https://dl.k8s.io/release/v1.26.0-rc.1/bin/linux/amd64/kubectl.sig --certificate https://dl.k8s.io/release/v1.26.0-rc.1/bin/linux/amd64/kubectl.cert
tlog entry verified with uuid: 5d54b39222e3fa9a21bcb0badd8aac939b4b0d1d9085b37f1f10b18a8cd24657 index: 8173886
Verified OK
