Cosign Verification

This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using Cosign from Sigstore.

Cosign installation

To verify a signed artifact or blob, install Cosign before proceeding.

Verify

  1. Create a file named immuta-cosign.pub with the following content:

    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIGUDdu5dgqxQTlbNt0bCIl+zCN65
    JC/PmmaC08Eb/UbpkSDmcn/t9Jh+w6Chwkkcp1olcOS1BqCaWrbtViu6Xg==
    -----END PUBLIC KEY-----
  2. Verify artifact signature.

    cosign verify \
        --key ./immuta-cosign.pub \
        ocir.immuta.com/stable/<artifact-name>:2024.3.1

Frequently asked question

How can I list all container images referenced in the IEHC?

Yq installation

The following step presumes command-line tool yq is installed.

List all container images by rendering the chart templates locally.

helm template <release-name> oci://ocir.immuta.com/stable/immuta-enterprise \
    --values immuta-values.yaml \
    --version 2024.3.1 \
| yq '..|.image? | select(.)' | sort -u

Last updated

Copyright © 2014-2024 Immuta Inc. All rights reserved.