1 of 1

Cosign Verification

This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using Cosign from Sigstore.

Cosign installation

To verify a signed artifact or blob, install Cosign before proceeding.

Verify

Create a file named immuta-cosign.pub with the following content:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIGUDdu5dgqxQTlbNt0bCIl+zCN65
JC/PmmaC08Eb/UbpkSDmcn/t9Jh+w6Chwkkcp1olcOS1BqCaWrbtViu6Xg==
-----END PUBLIC KEY-----

Verify artifact signature.

cosign verify \
    --key ./immuta-cosign.pub \
    ocir.immuta.com/stable/<artifact-name>:2024.2.14

Frequently asked question

How can I list all container images referenced in the IEHC?

Yq installation

The following step presumes command-line tool yq is installed.

List all container images by rendering the chart templates locally.

helm template <release-name> oci://ocir.immuta.com/stable/immuta-enterprise \
    --values immuta-values.yaml \
    --version 2024.2.14 \
| yq '..|.image? | select(.)' | sort -u