Docker Image Verification(4.3)
All images are signed with the [cosign] (https://github.com/sigstore/cosign) tool.
In order to verify the signature of the docker images, install the "cosign" command line tool.
To verify the image:
Save the following public key to
cosign.pub
file:-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEU95nqvgnrhrxLLU33rK6lt5qQZVU AUUEor1i8IGMQQnUOrnH0aRHv5i2AxX3vlgHIRtCUWyxtY52GSakFsNQMQ== -----END PUBLIC KEY-----
Execute the following command:
cosign verify --key cosign.pub ghcr.io/digitalroute-public/usage-engine-private-edition:<tag>
Example
cosign verify --key cosign.pub ghcr.io/digitalroute-public/usage-engine-private-edition:2.2.0
Output:
Verification for ghcr.io/digitalroute-public/usage-engine-private-edition:2.2.0 -- The following checks were performed on each of these signatures: - The cosign claims were validated - The signatures were verified against the specified public key [{"critical":{"identity":{"docker-reference":"ghcr.io/digitalroute-public/usage-engine-private-edition"},"image":{"docker-manifest-digest":"sha256:a91a8b812fb3c0cba61dd0247b9dbc6ffe2e8cefdba55ee5021df61ec23c29fd"},"type":"cosign container image signature"},"optional":null}]