Starting from v1.14, KubeOne provides supply chain security for the KubeOne CLI binary:
Each KubeOne release publishes the following assets to GitHub Releases:
kubeone_<version>_linux_amd64.zip
kubeone_<version>_linux_arm64.zip
kubeone_<version>_darwin_amd64.zip
kubeone_<version>_darwin_arm64.zip
kubeone_<version>_linux_amd64.sbom.spdx.json
kubeone_<version>_linux_arm64.sbom.spdx.json
kubeone_<version>_darwin_amd64.sbom.spdx.json
kubeone_<version>_darwin_arm64.sbom.spdx.json
kubeone_<version>_checksums.txt
kubeone_<version>_checksums.txt.sigstore.json
Install Cosign to verify signatures. Cosign is the root of trust for every step below, so obtain it from a trusted package manager or verify the downloaded binary against the checksums published on the Cosign release page before using it:
# macOS
brew install cosign
# Linux
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign
Each release includes a checksums.txt file covering all release assets (zip archives and SBOMs), signed with Cosign keyless signing via GitHub Actions OIDC. Verify this signature first: the checksums are only trustworthy once the file that carries them has been verified.
VERSION=v1.14.0
curl -LO https://github.com/kubermatic/kubeone/releases/download/${VERSION}/kubeone_${VERSION#v}_checksums.txt
curl -LO https://github.com/kubermatic/kubeone/releases/download/${VERSION}/kubeone_${VERSION#v}_checksums.txt.sigstore.json
cosign verify-blob \
--bundle kubeone_${VERSION#v}_checksums.txt.sigstore.json \
--certificate-identity-regexp="^https://github.com/kubermatic/kubeone/.github/workflows/release.yml@refs/tags/v.*" \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
kubeone_${VERSION#v}_checksums.txt
Expected output: Verified OK. Any other result means the checksums file must not be trusted, and nothing verified against it can be trusted either.
After verifying the signature of checksums.txt, verify the downloaded archive against the recorded checksum. Run the commands from the directory that holds both checksums.txt and the archive, because the checksum tool resolves the filename in the matching line relative to the current directory. On macOS, which does not ship sha256sum, use shasum -a 256 --check in its place:
VERSION=v1.14.0
OS=linux
ARCH=amd64
curl -LO https://github.com/kubermatic/kubeone/releases/download/${VERSION}/kubeone_${VERSION#v}_${OS}_${ARCH}.zip
grep "kubeone_${VERSION#v}_${OS}_${ARCH}.zip" kubeone_${VERSION#v}_checksums.txt | sha256sum --check
Expected output: kubeone_1.14.0_linux_amd64.zip: OK
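The procedure above, from signature check to archive check, as an added example that is not KubeOne's own tooling: verify_asset is the offline part and fails closed both when the checksum mismatches and when checksums.txt has no entry for the asset at all (a plain grep | sha256sum --check on an unmatched name would otherwise hand you an empty input rather than an error). verify_kubeone_release wires it together with the cosign verify-blob call shown on the page. It assumes checksums.txt uses the coreutils "<sha256>  <filename>" line format; the function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not KubeOne's own tooling. Assumes checksums.txt lines are
# "<sha256>  <filename>" (coreutils format).
set -u

# SHA-256 check command: coreutils on Linux, Perl shasum on macOS.
sha256_check() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum --check --status
  else
    shasum -a 256 --check --status
  fi
}

# verify_asset <asset-path> <checksums-file>
# Succeeds only if checksums.txt has an entry whose filename field is exactly
# the asset's basename and the file's SHA-256 matches it. Comparing the whole
# field (awk) instead of grepping a substring avoids accepting a line for a
# different asset, and a missing entry is a failure, not "nothing to check".
verify_asset() {
  local asset="$1" checksums="$2"
  local name line
  name=$(basename -- "$asset")
  line=$(awk -v n="$name" '$2 == n { print; exit }' "$checksums")
  if [ -z "$line" ]; then
    echo "FAIL: no checksum entry for $name" >&2
    return 1
  fi
  # Run the check from the asset's directory so the filename in the entry resolves.
  if ! (cd "$(dirname -- "$asset")" && printf '%s\n' "$line" | sha256_check); then
    echo "FAIL: checksum mismatch for $name" >&2
    return 1
  fi
  echo "$name: OK"
}

# verify_kubeone_release <version> <os> <arch>
# Online flow (needs network and cosign): download checksums.txt and its
# Sigstore bundle, verify the bundle with the flags from the page, then verify
# the archive and the SBOM against checksums.txt. Hypothetical wrapper; the
# URL layout and cosign flags are those documented on the page.
verify_kubeone_release() {
  local version="$1" os="$2" arch="$3"
  local base="https://github.com/kubermatic/kubeone/releases/download/${version}"
  local v="${version#v}"
  local checksums="kubeone_${v}_checksums.txt"
  local f
  for f in "$checksums" "$checksums.sigstore.json" \
           "kubeone_${v}_${os}_${arch}.zip" \
           "kubeone_${v}_${os}_${arch}.sbom.spdx.json"; do
    curl -fsSLO "${base}/${f}" || return 1
  done
  cosign verify-blob \
    --bundle "${checksums}.sigstore.json" \
    --certificate-identity-regexp="^https://github.com/kubermatic/kubeone/.github/workflows/release.yml@refs/tags/v.*" \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    "$checksums" || return 1
  verify_asset "kubeone_${v}_${os}_${arch}.zip" "$checksums" &&
    verify_asset "kubeone_${v}_${os}_${arch}.sbom.spdx.json" "$checksums"
}
```

Usage: `verify_kubeone_release v1.14.0 linux amd64`. The SBOM is verified through the same path as the archive, since the signature only covers checksums.txt and the SBOM itself is just another line in it.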
Each platform binary has a corresponding SBOM in SPDX-JSON format listing the Go module dependencies included in that build. SBOMs are published as GitHub Release assets and are covered by the signed checksums.txt, so verify an SBOM against it in the same way as the archive before relying on its contents.
VERSION=v1.14.0
OS=linux
ARCH=amd64
curl -LO https://github.com/kubermatic/kubeone/releases/download/${VERSION}/kubeone_${VERSION#v}_${OS}_${ARCH}.sbom.spdx.json
# List all dependency packages
jq -r '.packages[].name' kubeone_${VERSION#v}_${OS}_${ARCH}.sbom.spdx.json
# Count total dependencies
jq '.packages | length' kubeone_${VERSION#v}_${OS}_${ARCH}.sbom.spdx.json
Dependabot monitors the Go module dependencies and opens automated pull requests to update dependencies with known vulnerabilities.
KubeOne uses Sigstore keyless signing — no long-lived private keys are stored or managed. The signing identity is bound to the GitHub Actions workflow that produced the release.
At release time, the GitHub Actions release workflow authenticates to Sigstore with its OIDC token, obtains a short-lived signing certificate bound to that workflow identity, signs checksums.txt, and publishes the resulting bundle as the .sigstore.json file alongside the other release assets. The --certificate-identity-regexp flag in the verification command pins the workflow identity that is permitted to produce valid signatures, and --certificate-oidc-issuer pins the issuer that vouches for it. A signature made under any other identity, even a valid Sigstore signature produced by a fork or by a different workflow in the repository, fails verification.