Docker Image Verification(4.1)

All  images are signed with the [cosign] (https://github.com/sigstore/cosign) tool. 

In order to verify the signature of the docker images, install the "cosign" command line tool.

To verify the image:

  1. Save the following public key to cosign.pub file:

    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEU95nqvgnrhrxLLU33rK6lt5qQZVU
    AUUEor1i8IGMQQnUOrnH0aRHv5i2AxX3vlgHIRtCUWyxtY52GSakFsNQMQ==
    -----END PUBLIC KEY-----
  2. Execute the following command:

    cosign verify --key cosign.pub ghcr.io/digitalroute-public/usage-engine-private-edition:<tag>

    Example

    cosign verify --key cosign.pub ghcr.io/digitalroute-public/usage-engine-private-edition:2.2.0

    Output:

    Verification for ghcr.io/digitalroute-public/usage-engine-private-edition:2.2.0 --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - The signatures were verified against the specified public key
    
    [{"critical":{"identity":{"docker-reference":"ghcr.io/digitalroute-public/usage-engine-private-edition"},"image":{"docker-manifest-digest":"sha256:a91a8b812fb3c0cba61dd0247b9dbc6ffe2e8cefdba55ee5021df61ec23c29fd"},"type":"cosign container image signature"},"optional":null}]