This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using Cosign from Sigstore.
Cosign installation
This guide utilizes the cosign
command to verify artifacts; ensure it's installed before proceeding. Refer to the Cosign documentation for further assistance.
The provided key is used to sign the Helm chart and container images.
A DIGESTS.md
markdown file comes bundled in the Helm chart and contains a comprehensive list of images and digests referenced. To view the file, follow these steps:
Download and extract the Helm chart into the working directory.
Open file immuta-enterprise/DIGESTS.md
Verify an artifact's signature by referencing Immuta's public key.