Cosign Verification

This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using from .

Cosign installation

This guide utilizes the cosign command to verify artifacts; ensure it's installed before proceeding. Refer to the for further assistance.

Download public key

The provided key is used to sign the Helm chart and container images.

Identify container images

A DIGESTS.md markdown file comes bundled in the Helm chart and contains a comprehensive list of images and digests referenced. To view the file, follow these steps:

Download and extract the Helm chart into the working directory.

helm pull oci://ocir.immuta.com/stable/immuta-enterprise --destination . --untar --version 2024.3.9

Open file immuta-enterprise/DIGESTS.md

Verify signature

Verify an artifact's signature by referencing Immuta's public key.

cosign verify --key ./immuta-cosign.pub <image>

Last updated 7 days ago

Was this helpful?