Cosign Verification
This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using Cosign from Sigstore.
Verify
Create a file named
immuta-cosign.pub
with the following content:-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIGUDdu5dgqxQTlbNt0bCIl+zCN65 JC/PmmaC08Eb/UbpkSDmcn/t9Jh+w6Chwkkcp1olcOS1BqCaWrbtViu6Xg== -----END PUBLIC KEY-----
Verify artifact signature.
cosign verify \ --key ./immuta-cosign.pub \ ocir.immuta.com/stable/<artifact-name>:2024.2.20
Frequently asked question
How can I list all container images referenced in the IEHC?
List all container images by rendering the chart templates locally.
helm template <release-name> oci://ocir.immuta.com/stable/immuta-enterprise \
--values immuta-values.yaml \
--version 2024.2.20 \
| yq '..|.image? | select(.)' | sort -u
Last updated
Was this helpful?