Optional Step:
The MediationZone package is signed with the [cosign] (https://github.com/sigstore/cosign) tool. There is a signature file in the release package that you can use to verify the main package. To verify the main package, download the *.tgz file and the *.sig file, and run the following commands: Code Block |
---|
$ cat >> dr-cosign.pub << EOF
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEU95nqvgnrhrxLLU33rK6lt5qQZVU
AUUEor1i8IGMQQnUOrnH0aRHv5i2AxX3vlgHIRtCUWyxtY52GSakFsNQMQ==
-----END PUBLIC KEY-----
EOF
$ cosign verify-blob --key dr-cosign.pub --signature <download_path>/<version>.sig <download_path>/<version>.tgz |
You should receive the following output if verification succeeded:
|