Downloading essential tools, like kubectl, often starts and ends with curl. This works almost everywhere, but it leaves users exposed if the storage bucket or GitHub account hosting the file is compromised: curl fetches whatever the server currently serves, and TLS authenticates the server, not the content. Although some of our projects publish signing keys or digests, there is no standard way for a user to find that key material and those digests, so in practice most people never check them.
We have built new tools to improve both the user experience and security: an Asset Transparency service and a command line tool, tl. Here is how to use it to fetch kubectl and to run the helm install script:
tl get https://storage.googleapis.com/kubernetes-release/release/v1.19.0/bin/linux/amd64/kubectl
tl cat https://raw.githubusercontent.com/helm/helm/v3.3.0/scripts/get-helm-3 | bash
The service maps each https URL to an expected content digest. The client fetches the URL and checks that the bytes it received hash to the logged digest, so a file swapped into a compromised bucket no longer matches and is rejected rather than run. The mapping itself is stored in a transparency log, a cryptographic append-only data structure: a client that has seen the log once can later check that the newer log is an extension of the old one, which makes it detectable if the service gives different answers to different users (a split view) or rewinds the log to an earlier state.
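To make the two checks concrete, here is an added example (not the Asset Transparency tool's own code) of the client-side verification such a system relies on: a URL-to-digest log entry is checked against the downloaded bytes, its inclusion in a Merkle tree is verified, and a later tree is checked for consistency with an earlier, pinned root. The tree uses the RFC 6962/9162 hash construction; the entry format `<url> sha256:<hex>`, the asset bytes and the neighbouring log entries are constructed for the demo and are not the real service's format or data.

```python
"""Added example: URL -> digest lookups backed by an RFC 6962 style Merkle tree.
Entry format, asset bytes and log contents below are constructed for the demo."""
import hashlib


def hash_leaf(data):
    """RFC 6962 leaf hash, domain separated with a 0x00 prefix."""
    return hashlib.sha256(b"\x00" + data).digest()


def hash_node(left, right):
    """RFC 6962 interior node hash, domain separated with a 0x01 prefix."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n):
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def root_hash(leaves):
    """MTH(D[n]) from RFC 6962."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return hash_leaf(leaves[0])
    k = _split(len(leaves))
    return hash_node(root_hash(leaves[:k]), root_hash(leaves[k:]))


def inclusion_proof(index, leaves):
    """Audit path for leaves[index] (RFC 6962 PATH); the log serves this to clients."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(index, leaves[:k]) + [root_hash(leaves[k:])]
    return inclusion_proof(index - k, leaves[k:]) + [root_hash(leaves[:k])]


def verify_inclusion(leaf, index, size, proof, root):
    """RFC 9162 inclusion check: is `leaf` really at `index` in the tree with `root`?"""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, hash_leaf(leaf)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = hash_node(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root


def consistency_proof(m, leaves, complete=True):
    """RFC 6962 PROOF(m, D[n]): evidence that the first m leaves are a prefix of the tree."""
    if m == len(leaves):
        return [] if complete else [root_hash(leaves)]
    k = _split(len(leaves))
    if m <= k:
        return consistency_proof(m, leaves[:k], complete) + [root_hash(leaves[k:])]
    return consistency_proof(m - k, leaves[k:], False) + [root_hash(leaves[:k])]


def verify_consistency(first, second, first_root, second_root, proof):
    """RFC 9162 consistency check. A client that pinned (first, first_root) rejects any
    (second, second_root) that is not an append-only extension: a rewind or a rewrite."""
    if first == second:
        return not proof and first_root == second_root
    if first == 0 or first > second:
        return False
    path = list(proof)
    if first & (first - 1) == 0:  # first is a power of two: old root is the first path node
        path.insert(0, first_root)
    if not path:
        return False
    fn, sn = first - 1, second - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = hash_node(c, fr), hash_node(c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = hash_node(sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == first_root and sr == second_root and sn == 0


def entry(url, content):
    """Constructed log entry format for the demo: '<url> sha256:<hex>'."""
    return f"{url} sha256:{hashlib.sha256(content).hexdigest()}".encode()


def verify_asset(url, content, leaf, index, size, proof, root):
    """Client side: the log returns (leaf, index, size, proof, root). Check that the leaf
    names this URL, that the downloaded bytes hash to the logged digest, and that the
    leaf is in the tree. Only then is `content` safe to execute."""
    logged_url, _, logged_digest = leaf.decode().partition(" sha256:")
    if logged_url != url or logged_digest != hashlib.sha256(content).hexdigest():
        return False
    return verify_inclusion(leaf, index, size, proof, root)


KUBECTL_URL = "https://storage.googleapis.com/kubernetes-release/release/v1.19.0/bin/linux/amd64/kubectl"
KUBECTL_BYTES = b"#!/bin/sh\necho constructed stand-in for the kubectl binary\n"  # constructed
LEAVES = [  # constructed log contents
    entry("https://example.invalid/tool-a", b"tool a v1"),
    entry(KUBECTL_URL, KUBECTL_BYTES),
    entry("https://example.invalid/tool-b", b"tool b v1"),
]


def demo():
    size, root = len(LEAVES), root_hash(LEAVES)
    proof = inclusion_proof(1, LEAVES)
    ok = verify_asset(KUBECTL_URL, KUBECTL_BYTES, LEAVES[1], 1, size, proof, root)
    # Bucket compromise: served bytes differ from the logged digest.
    tampered = verify_asset(KUBECTL_URL, KUBECTL_BYTES + b"evil", LEAVES[1], 1, size, proof, root)
    # Honest growth: the pinned root is a prefix of the new tree.
    grown = LEAVES + [entry("https://example.invalid/tool-c", b"tool c v1")]
    consistent = verify_consistency(size, len(grown), root, root_hash(grown),
                                    consistency_proof(size, grown))
    # Rewritten history: entry 1 silently replaced, so the old root is no longer a prefix.
    rewritten = [LEAVES[0], entry(KUBECTL_URL, KUBECTL_BYTES + b"evil"), LEAVES[2], grown[3]]
    rewound = verify_consistency(size, len(rewritten), root, root_hash(rewritten),
                                 consistency_proof(size, rewritten))
    return {"ok": ok, "tampered": tampered, "consistent": consistent, "rewritten": rewound}


if __name__ == "__main__":
    print(demo())
```

The digest check alone already defeats a swapped file in the bucket; the inclusion and consistency proofs are what stop the log operator itself from quietly changing which digest a URL maps to, because any client holding an earlier root would see the consistency check fail. A real client would also verify the log's signature over the root and, ideally, gossip roots with other clients; neither is shown here.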
Asset Transparency is in Beta, and we would love to see it used by the Kubernetes community. If you are interested in GitHub release integration, integrating with update systems, or other topics, check out the Asset Transparency website.
We look forward to your feedback.