Verifying Image Signatures
Prerequisites
You will need to install cosign.
Verify Signed Container Images
Since version 1.13, all Cilium container images are signed using cosign.
Let’s verify a Cilium image’s signature using the cosign verify
command:
$ COSIGN_EXPERIMENTAL=1 cosign verify --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-github-workflow-name "Image Release Build" --certificate-github-workflow-ref refs/tags/[RELEASE TAG] quay.io/cilium/cilium:v1.13 | jq
Note
COSIGN_EXPERIMENTAL=1
is used to allow verification of images signed in
KEYLESS
mode. To learn more about keyless signing, please refer to
Keyless Signatures.
--certificate-github-workflow-name string
contains the workflow claim
from the GitHub OIDC Identity token that contains the name of the executed
workflow. For the names of workflows used to build Cilium images, see the
build-images
workflows under Cilium workflows.
--certificate-github-workflow-ref string
contains the ref claim from
the GitHub OIDC Identity token that contains the git ref that the workflow
run was based upon.