Verifying Image Signatures
Prerequisites
You will need to install cosign.
Verify Signed Container Images
Since version 1.13, all Cilium container images are signed using cosign.
Let’s verify a Cilium image’s signature using the cosign verify
command:
$ TAG=v1.13.0
$ cosign verify --certificate-github-workflow-repository cilium/cilium \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-name "Image Release Build" \
--certificate-github-workflow-ref refs/tags/${TAG} \
--certificate-identity "https://github.com/cilium/cilium/.github/workflows/build-images-releases.yaml@refs/tags/${TAG}" \
"quay.io/cilium/cilium:${TAG}" | jq
Note
cosign is used here to verify images signed in keyless mode: there is no long-lived Cilium signing key to distribute. Instead, the release workflow signed the image with a short-lived certificate issued by Sigstore's Fulcio CA, and the GitHub OIDC claims of that workflow run (issuer, repository, workflow name, ref) are embedded in the certificate as extensions. The --certificate-* flags above tell cosign which values those extensions must have. To learn more about keyless signing, please refer to Keyless Signatures.
--certificate-github-workflow-name string
    Matches the workflow claim of the GitHub OIDC identity token, that is, the name of the workflow that ran the build. For the names of the workflows used to build Cilium images, see the build-images workflows under Cilium workflows.
--certificate-github-workflow-ref string
    Matches the ref claim of the GitHub OIDC identity token, that is, the git ref the workflow run was based upon. For a release image this is the release tag, refs/tags/${TAG}, so a signature produced from a branch build does not verify.
--certificate-identity
    Matches the identity the signing certificate was issued to, here the GitHub build images release workflow: the path of the workflow file in the cilium/cilium repository followed by the ref it ran on. Together with --certificate-oidc-issuer, this flag is mandatory for keyless verification in cosign 2.x; omitting it would accept a signature from any identity Fulcio has ever issued a certificate to.
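The command above pipes cosign's output through jq only to make it readable. In a deployment pipeline you usually want two more things: an independent re-check of the claims cosign printed (so a quietly loosened verify command line is caught), and the verified manifest digest, so the workload is pinned to image@sha256:... rather than to the mutable tag. The following is an added example, not Cilium's own tooling. It assumes the JSON layout cosign verify writes to stdout (an array of signatures, each with a critical object holding the docker-reference and docker-manifest-digest and an optional object holding Issuer, Subject and the githubWorkflow* claims) and uses a constructed sample of that output; only verify_and_pin() shells out to a real cosign and needs network access.

```python
import json
import subprocess

# Policy values copied from the verify command in the docs.
ISSUER = "https://token.actions.githubusercontent.com"
REPOSITORY = "cilium/cilium"
WORKFLOW_NAME = "Image Release Build"
WORKFLOW_FILE = ".github/workflows/build-images-releases.yaml"


def expected_identity(tag):
    """Certificate identity (SAN) the release workflow gets for a given tag."""
    return f"https://github.com/{REPOSITORY}/{WORKFLOW_FILE}@refs/tags/{tag}"


def cosign_verify_argv(image, tag):
    """The docs' cosign command as an argv list, so no shell quoting is involved."""
    return [
        "cosign", "verify",
        "--certificate-github-workflow-repository", REPOSITORY,
        "--certificate-oidc-issuer", ISSUER,
        "--certificate-github-workflow-name", WORKFLOW_NAME,
        "--certificate-github-workflow-ref", f"refs/tags/{tag}",
        "--certificate-identity", expected_identity(tag),
        f"{image}:{tag}",
    ]


def pinned_digest(verify_output, image, tag):
    """Re-check every verified signature's claims and return image@digest.

    verify_output is the JSON cosign verify writes to stdout. Raises
    ValueError if there is no signature, if any claim does not match the
    policy for `tag`, or if the signatures disagree on the digest.
    """
    signatures = json.loads(verify_output)
    if not signatures:
        raise ValueError("cosign reported no verified signatures")
    digests = set()
    for sig in signatures:
        critical = sig["critical"]
        optional = sig.get("optional") or {}
        checks = [
            ("docker-reference", critical["identity"]["docker-reference"], image),
            ("Issuer", optional.get("Issuer"), ISSUER),
            ("Subject", optional.get("Subject"), expected_identity(tag)),
            ("githubWorkflowRepository", optional.get("githubWorkflowRepository"), REPOSITORY),
            ("githubWorkflowName", optional.get("githubWorkflowName"), WORKFLOW_NAME),
            ("githubWorkflowRef", optional.get("githubWorkflowRef"), f"refs/tags/{tag}"),
        ]
        for claim, got, want in checks:
            if got != want:
                raise ValueError(f"{claim}: got {got!r}, want {want!r}")
        digests.add(critical["image"]["docker-manifest-digest"])
    if len(digests) != 1:
        raise ValueError(f"signatures cover different digests: {sorted(digests)}")
    return f"{image}@{digests.pop()}"


def verify_and_pin(image, tag):
    """Run the real cosign (needs cosign on PATH and network) and pin the digest."""
    proc = subprocess.run(cosign_verify_argv(image, tag),
                          capture_output=True, text=True, check=True)
    return pinned_digest(proc.stdout, image, tag)


# Constructed sample of cosign's stdout for the docs' command. The digest and
# commit SHA are placeholders, not real Cilium values; the Bundle field is omitted.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "quay.io/cilium/cilium"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": "cosign container image signature",
    },
    "optional": {
        "Issuer": ISSUER,
        "Subject": expected_identity("v1.13.0"),
        "githubWorkflowName": WORKFLOW_NAME,
        "githubWorkflowRef": "refs/tags/v1.13.0",
        "githubWorkflowRepository": REPOSITORY,
        "githubWorkflowSha": "0" * 40,
        "githubWorkflowTrigger": "push",
    },
}])

if __name__ == "__main__":
    print(pinned_digest(SAMPLE_VERIFY_OUTPUT, "quay.io/cilium/cilium", "v1.13.0"))
```

cosign itself already enforces the flag values, so pinned_digest() is a belt-and-braces check rather than a replacement for them; its real value is that it fails closed on an unexpected workflow or ref and hands back the exact digest that was verified, which is what should end up in the manifest instead of the tag.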