
Cosign Verification

This guide demonstrates how to verify signed artifacts (i.e., container images, Helm charts) hosted on ocir.immuta.com using Cosign from Sigstore.

Cosign installation

To verify a signed artifact or blob, install Cosign before proceeding.

Verify

  1. Create a file named immuta-cosign.pub with the following content:

    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIGUDdu5dgqxQTlbNt0bCIl+zCN65
    JC/PmmaC08Eb/UbpkSDmcn/t9Jh+w6Chwkkcp1olcOS1BqCaWrbtViu6Xg==
    -----END PUBLIC KEY-----
    
  2. Verify the artifact signature.

    cosign verify \
        --key ./immuta-cosign.pub \
        ocir.immuta.com/stable/<artifact-name>:2024.2.3
    

Frequently asked question

How can I list all container images referenced in the IEHC?

Yq installation

The following step presumes the command-line tool yq is installed.

  1. List all container images by rendering the chart templates locally.

    helm template <release-name> oci://ocir.immuta.com/stable/immuta-enterprise \
        --values immuta-values.yaml \
        --version 2024.2.3 \
    | yq '..|.image? | select(.)' | sort -u
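
The two procedures above combined, as an added example that is not part of the original guide: it renders the chart as in the FAQ command and runs `cosign verify` with the key from step 1 against each image it lists. The function names, the `COSIGN_KEY` variable and the choice to skip images not hosted on ocir.immuta.com are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): verify every image the chart
# references against the key from step 1.
# Assumptions: cosign, helm and yq are on PATH; COSIGN_KEY and the function
# names below are illustrative.
COSIGN_KEY="${COSIGN_KEY:-./immuta-cosign.pub}"

# Reads image references on stdin, one per line. Prints OK/FAIL/SKIP per image
# and a summary. Returns non-zero if any verification fails or if nothing was
# verified (an empty list must not count as a pass).
verify_images() {
    ok=0; failed=0; skipped=0
    while IFS= read -r ref; do
        [ -n "$ref" ] || continue
        case "$ref" in
            ocir.immuta.com/*) ;;   # covered by the key in this guide
            *)  # assumption: other registries are out of scope for this key
                printf 'SKIP %s\n' "$ref"; skipped=$((skipped + 1)); continue ;;
        esac
        # </dev/null keeps cosign from consuming the list on stdin
        if cosign verify --key "$COSIGN_KEY" "$ref" </dev/null >/dev/null 2>&1; then
            printf 'OK   %s\n' "$ref"; ok=$((ok + 1))
        else
            printf 'FAIL %s\n' "$ref"; failed=$((failed + 1))
        fi
    done
    printf 'verified=%d failed=%d skipped=%d\n' "$ok" "$failed" "$skipped"
    [ "$failed" -eq 0 ] && [ "$ok" -gt 0 ]
}

# $1 = release name, $2 = chart version. Renders the chart as in the FAQ
# command, then verifies each image it references.
verify_chart_images() {
    # Capture helm output first so a failed render is not hidden by the pipe.
    rendered=$(helm template "$1" oci://ocir.immuta.com/stable/immuta-enterprise \
        --values immuta-values.yaml --version "$2") || return 2
    printf '%s\n' "$rendered" | yq '..|.image? | select(.)' | sort -u | verify_images
}
```

Source the file, then run `verify_chart_images <release-name> 2024.2.3` from the directory that holds `immuta-values.yaml` and `immuta-cosign.pub`.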