Docker Image Verification(3.1)

Owned by Jenni Wallin
May 11, 2023
1 min read

All  images are signed with the [cosign] (https://github.com/sigstore/cosign) tool. 

In order to verify the signature of the docker images, install the "cosign" command line tool.

To verify the image:

  1. Save the following public key to cosign.pub file:

    -----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEU95nqvgnrhrxLLU33rK6lt5qQZVU
AUUEor1i8IGMQQnUOrnH0aRHv5i2AxX3vlgHIRtCUWyxtY52GSakFsNQMQ==
-----END PUBLIC KEY-----

  2. Execute the following command:

    cosign verify --key cosign.pub ghcr.io/digitalroute-public/usage-engine-private-edition:<tag>

    Example

    cosign verify --key cosign.pub ghcr.io/digitalroute-public/usage-engine-private-edition:2.2.0

    Output:

    Verification for ghcr.io/digitalroute-public/usage-engine-private-edition:2.2.0 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"ghcr.io/digitalroute-public/usage-engine-private-edition"},"image":{"docker-manifest-digest":"sha256:a91a8b812fb3c0cba61dd0247b9dbc6ffe2e8cefdba55ee5021df61ec23c29fd"},"type":"cosign container image signature"},"optional":null}]