Verifying Image Signatures

Prerequisites

You will need to install cosign.

Verify Signed Container Images

Since version 1.13, all Cilium container images are signed using cosign.

Let’s verify a Cilium image’s signature using the cosign verify command:

$ COSIGN_EXPERIMENTAL=1 cosign verify --certificate-github-workflow-repository cilium/cilium --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-github-workflow-name "Image Release Build" --certificate-github-workflow-ref refs/tags/[RELEASE TAG] quay.io/cilium/cilium:v1.13 | jq

Note

COSIGN_EXPERIMENTAL=1 is used to allow verification of images signed in KEYLESS mode. To learn more about keyless signing, please refer to Keyless Signatures.

--certificate-github-workflow-name string contains the workflow claim from the GitHub OIDC Identity token that contains the name of the executed workflow. For the names of workflows used to build Cilium images, see the build-images workflows under Cilium workflows.

--certificate-github-workflow-ref string contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon.