Publish threat model in documentation (#6263)

* Publish threat model in documentation

* Separate security contents a bit more, update link to threat model, update nav

* Add a section on supply chain and SBOM/SLSA mitigation

* Update threat model with feedback from David Hadas

* Update introduction with content from davidhadas, add sections on controller and webhook functionality and update targets of threats

Author: evankanderson

config/nav.yml

@@ -343,8 +343,10 @@ nav:
     # Reference docs
     - Reference:
       - Security:
-        - Security Model and Disclosure: reference/security/README.md
-        - Verifying Knative Images: reference/security/verifying-images.md 
+        - Security Disclosure: reference/security/README.md
+        - Threat Model: reference/security/threat-model.md
+        - Verifying Knative Images: reference/security/verifying-images.md
+        - Verifying Knative Binaries: reference/security/verifying-cli.md
       - Release notes: reference/relnotes/README.md
     - Blog: /blog/
     - About:

docs/reference/security/README.md

@@ -11,62 +11,6 @@ function: how-to
 
 This page describes Knative security and disclosure information.
 
-## Knative threat model
-
-* [Threat model](https://github.com/knative/community/blob/main/working-groups/security/threat-model.md)
-
-## Code Signature Verification
-
-### All platforms
-
-Our releases from 1.9 are signed with [cosign](https://docs.sigstore.dev/cosign/overview). You can use the following steps to verify our binaries.
-
-1. Download the files you want, and the `checksums.txt`, `checksum.txt.pem` and `checksums.txt.sig` files from the releases page:
-    ```sh
-    # this example verifies the 1.10.0 kn cli from the knative/client repository
-    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt
-    wget https://github.com/knative/client/releases/download/knative-v1.10.0/kn-darwin-amd64
-    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.sig
-    wget https://github.com/knative/client/releases/download/knative-v1.10.0/checksums.txt.pem
-    ```
-1. Verify the signature:
-    ```sh
-    cosign verify-blob \
-    --certificate-identity=signer@knative-releases.iam.gserviceaccount.com \
-    --certificate-oidc-issuer=https://accounts.google.com \
-    --cert checksums.txt.pem \
-    --signature checksums.txt.sig \
-    checksums.txt
-    ```
-1. If the signature is valid, you can then verify the SHA256 sums match with the downloaded binary:
-    ```sh
-    sha256sum --ignore-missing -c checksums.txt
-    ```
-
-!!! note
-    Knative images are signed in `KEYLESS` mode. To learn more about keyless signing, please refer to
-    [Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
-    Our signing identity(Subject) for our releases is `[email protected]` and the Issuer is `https://accounts.google.com`
-
-### Apple macOS
-
-In addition to signing our binaries with `cosign`, we [notarize](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) our macOS binaries. You can use the `codesign` utility to verify our binaries from 1.9 release. You should expect an output that looks
-like this. The expected TeamIdentifier is `7R64489VHL`
-
-```
-codesign --verify -d --verbose=2 ~/Downloads/kn-quickstart-darwin-amd64
-
-Executable=/Users/REDACTED/Downloads/kn-quickstart-darwin-amd64
-Identifier=kn-quickstart-darwin-amd64
-...
-Authority=Developer ID Application: Mahamed Ali (7R64489VHL)
-Authority=Developer ID Certification Authority
-Authority=Apple Root CA
-Timestamp=3 Oct 2022 at 22:50:07
-...
-TeamIdentifier=7R64489VHL
-```
-
 ## Report a vulnerability
 
 We're extremely grateful for security researchers and users that report vulnerabilities to the Knative Open Source Community. All reports are thoroughly investigated by a set of community volunteers.