Knative Security and Disclosure Information¶
This page describes Knative security and disclosure information.
Knative threat model¶
Code Signature Verification¶
Our releases from 1.9 are signed with cosign. You can use the following steps to verify our binaries.
- Download the files you want, and the
checksums.txt.sigfiles from the releases page:
# this example verifies the 1.10.0 kn cli from the knative/client repository wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt wget https://github.com/knative/client/releases/download/knative-v1.10.0/kn-darwin-amd64 wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.sig wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.pem
- Verify the signature:
cosign verify-blob \ --email@example.com \ --certificate-oidc-issuer=https://accounts.google.com \ --cert checksums.txt.pem \ --signature checksums.txt.sig \ checksums.txt
- If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
sha256sum --ignore-missing -c checksums.txt
Knative images are signed in
KEYLESS mode. To learn more about keyless signing, please refer to
Our signing identity(Subject) for our releases is
firstname.lastname@example.org and the Issuer is
In addition to signing our binaries with
cosign, we notarize our macOS binaries. You can use the
codesign utility to verify our binaries from 1.9 release. You should expect an output that looks
like this. The expected TeamIdentifier is
codesign --verify -d --verbose=2 ~/Downloads/kn-quickstart-darwin-amd64 Executable=/Users/REDACTED/Downloads/kn-quickstart-darwin-amd64 Identifier=kn-quickstart-darwin-amd64 ... Authority=Developer ID Application: Mahamed Ali (7R64489VHL) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=3 Oct 2022 at 22:50:07 ... TeamIdentifier=7R64489VHL
Report a vulnerability¶
We're extremely grateful for security researchers and users that report vulnerabilities to the Knative Open Source Community. All reports are thoroughly investigated by a set of community volunteers.
To make a report, please email the private email@example.com list with the security details and the details expected for all Knative bug reports.
When Should I Report a Vulnerability?¶
- You think you discovered a potential security vulnerability in Knative
- You are unsure how a vulnerability affects Knative
- You think you discovered a vulnerability in another project that Knative depends on
- For projects with their own vulnerability reporting and disclosure process, please report it directly there
When Should I NOT Report a Vulnerability?¶
- You need help tuning Knative components for security
- You need help applying security related updates
- Your issue is not security related