feat: Added documentation on how to verify signatures (#1616)

* Added documentation on how to verify signatures

Signed-off-by: Corbin Phelps <corbin.phelps@observiq.com>

* Removed extra letter

Signed-off-by: Corbin Phelps <corbin.phelps@observiq.com>

* PR feedback

Signed-off-by: Corbin Phelps <corbin.phelps@observiq.com>

---------

Signed-off-by: Corbin Phelps <corbin.phelps@observiq.com>

Makefile

@@ -94,6 +94,7 @@ install-tools:
 	go install github.com/open-telemetry/opentelemetry-collector-contrib/cmd/mdatagen@v0.96.0
 	go install github.com/securego/gosec/v2/cmd/gosec@v2.18.2
 # update cosign in release.yml when updating this version
+# update cosign in docs/verify-signature.md when updating this version
 	go install github.com/sigstore/cosign/cmd/cosign@v1.13.1
 	go install github.com/uw-labs/lichen@v0.1.7
 	go install github.com/vektra/mockery/v2@v2.42.0

docs/installation-linux.md

@@ -4,6 +4,8 @@
 
 Installation is done through deb and rpm packages. Installing the agent will also install the `observiq-otel-collector` service on systemd systems.
 
+Installation artifacts are signed. Information on verifying the signature can be found at [Verifying Artifact Signatures](./verify-signature.md).
+
 ### Install/Update script
 The agent may be installed through a shell script which will automatically determine which package to install.
 

docs/installation-mac.md

@@ -10,6 +10,8 @@ To install using the installation script, you may run:
 sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_macos.sh)" install_macos.sh
 ```
 
+Installation artifacts are signed. Information on verifying the signature can be found at [Verifying Artifact Signatures](./verify-signature.md).
+
 #### Managed Mode
 
 To install the agent with an OpAMP connection configuration set the following flags. 

docs/installation-windows.md

@@ -11,6 +11,8 @@ Alternately, for an interactive installation [download the latest MSI](https://g
 
 After downloading the MSI, simply double click it to open the installation wizard. Follow the instructions to configure and install the agent.
 
+Installation artifacts are signed. Information on verifying the signature can be found at [Verifying Artifact Signatures](./verify-signature.md).
+
 ### Managed Mode
 
 To install the agent with an OpAMP connection configuration set the following flags. 

docs/verify-signature.md

@@ -0,0 +1,23 @@
+# Verifying Artifact Signatures
+
+Each release artifact has been signed with a ECDSA-P256 key. The public key is available in the repository at [here](../signature/bp_agent_key.pub) and can be used to verify the signature of the artifact. 
+
+In order to verify the signature of an artifact, you will need to install [cosign](https://github.com/sigstore/cosign). This can be done by getting the release artifacts from the [cosign releases page](https://github.com/sigstore/cosign/releases/tag/v1.13.1) or by using the following command if you have Go installed:
+
+```bash
+go install github.com/sigstore/cosign/cmd/cosign@v1.13.1
+```
+
+Once you have cosign installed, you can verify the signature of an artifact by running the following command:
+
+```bash
+cosign verify-blob --key ./signature/bp_agent_key.pub --signature <PATH_TO_SIG> <PATH_TO_ARTIFACT>
+```
+
+## Example
+
+Heres an example of verifying the signature of an agent binary:
+
+```bash
+cosign verify-blob --key ./signature/bp_agent_key.pub --signature observiq-otel-collector-v1.47.1-darwin-amd64.tar.gz.sig observiq-otel-collector-v1.47.1-darwin-amd64.tar.gz
+```

signature/bp_agent_key.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOMhlQ5gZi9v5UUhW/Cx/zEv1tL9x
+TJwrvzwDucjvrd+aUUmGn6ojUWz88seu5alDANvq7b/NsqYlB4sXMgIAMQ==
+-----END PUBLIC KEY-----