Cosign Verification

This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using Cosign from Sigstore.

Cosign installation

This guide utilizes the cosign command to verify artifacts; ensure it's installed before proceeding. Refer to the Cosign documentation for further assistance.

Download public key

The provided key is used to sign the Helm chart and container images.

Identify container images

A DIGESTS.md markdown file comes bundled in the Helm chart and contains a comprehensive list of images and digests referenced. To view the file, follow these steps:

Download and extract the Helm chart into the working directory.

helm pull oci://ocir.immuta.com/stable/immuta-enterprise --destination . --untar --version 2024.3.5

Open file immuta-enterprise/DIGESTS.md

Verify signature

Verify an artifact's signature by referencing Immuta's public key.

cosign verify --key ./immuta-cosign.pub <image>

Last updated 1 month ago