Cosign Verification
This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using Cosign from Sigstore.
Cosign installation
To verify a signed artifact or blob, install Cosign before proceeding.
Verify
Create a file named immuta-cosign.pub with the following content:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIGUDdu5dgqxQTlbNt0bCIl+zCN65
JC/PmmaC08Eb/UbpkSDmcn/t9Jh+w6Chwkkcp1olcOS1BqCaWrbtViu6Xg==
-----END PUBLIC KEY-----
Verify the artifact signature:
cosign verify \
--key ./immuta-cosign.pub \
ocir.immuta.com/stable/<artifact-name>:2024.2.10
Frequently asked question
How can I list all container images referenced in the IEHC?
Yq installation
The following step presumes the yq command-line tool is installed.
List all container images by rendering the chart templates locally:
helm template <release-name> oci://ocir.immuta.com/stable/immuta-enterprise \
--values immuta-values.yaml \
--version 2024.2.10 \
| yq '..|.image? | select(.)' | sort -u
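The two steps above can be combined so that every image the chart references is checked against the Immuta public key before deployment. The following is an added example, not part of the original guide or of Immuta's tooling: the function name verify_images, the KEY and REGISTRY variables, and the OK/FAIL/SKIP output format are assumptions made for illustration, and images hosted outside ocir.immuta.com are reported as skipped because the key above only covers artifacts on that registry.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Immuta's own code).
# Reads image references, one per line, on stdin and runs
# `cosign verify --key` on each one hosted on ocir.immuta.com.
#
# Usage (placeholders as in the guide):
#   helm template <release-name> oci://ocir.immuta.com/stable/immuta-enterprise \
#     --values immuta-values.yaml --version 2024.2.10 \
#     | yq '..|.image? | select(.)' | sort -u | verify_images

REGISTRY="ocir.immuta.com/"             # registry the public key applies to
KEY="${KEY:-./immuta-cosign.pub}"       # key file created in the Verify step

verify_images() {
  vi_failed=0
  while IFS= read -r vi_image; do
    # Some yq variants print scalars with surrounding double quotes.
    vi_image=${vi_image#\"}
    vi_image=${vi_image%\"}
    case "$vi_image" in
      ''|'---') continue ;;             # blank lines, YAML document separators
      "$REGISTRY"*) ;;                  # in scope: verify below
      *) echo "SKIP $vi_image"; continue ;;
    esac
    # </dev/null keeps cosign from consuming the image list on stdin.
    if cosign verify --key "$KEY" "$vi_image" >/dev/null 2>&1 </dev/null; then
      echo "OK   $vi_image"
    else
      echo "FAIL $vi_image"
      vi_failed=1
    fi
  done
  # Non-zero when any in-scope image failed, so a CI job can gate on it.
  return "$vi_failed"
}
```

Review SKIP lines as well as FAIL lines: a skipped image was not checked against this key at all.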