# Cosign Verification This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using [Cosign](https://github.com/sigstore/cosign) from [Sigstore](https://sigstore.dev/). {% hint style="info" %} **Cosign installation** This guide utilizes the `cosign` command to verify artifacts; ensure it's installed before proceeding. Refer to the [Cosign documentation](https://docs.sigstore.dev/cosign/system_config/installation/) for further assistance. {% endhint %} ## Download public key The provided key is used to sign the Helm chart and container images. {% file src="" %} ## Identify container images A `DIGESTS.md` markdown file comes bundled in the Helm chart and contains a comprehensive list of images and digests referenced. To view the file, follow these steps: 1. Download and extract the Helm chart into the working directory. ```shell helm pull oci://ocir.immuta.com/stable/immuta-enterprise --destination . --untar --version 2024.3.14 ``` 2. Open file `immuta-enterprise/DIGESTS.md` ## Verify signature Verify an artifact's signature by referencing Immuta's public key. ```shell cosign verify --key ./immuta-cosign.pub ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://documentation.immuta.com/2024.3/self-managed-deployment/configure/cosign-verification.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.