Verifying the Signature
To let you check the authenticity and integrity of the Cimon image, every release is signed with cosign, the Sigstore signing tool, using a private key held by the Cimon maintainers. Verifying the signature with the matching public key below proves that the image was signed by that key and has not been modified since, which is what gives you confidence in the artifact you are about to run.
Here are the steps to verify the signature:
- Install cosign, the Sigstore CLI. Either of the following works:
  - With Go:
    ```sh
    go install github.com/sigstore/cosign/v2/cmd/cosign@v2.2.3
    ```
  - Or download a release binary manually from https://github.com/sigstore/cosign/releases/tag/v2.2.3.
- Write the public key of the Cimon distribution to a file named `cimon.pub`. The heredoc below writes (rather than appends) the file, so re-running the step overwrites it instead of producing a PEM file with two keys:
  ```sh
  cat << EOF > cimon.pub
  -----BEGIN PUBLIC KEY-----
  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEm1mmcCICdlB5j78efKNbPK8Q0UeO
  rDH1UNxhD2ibPuzUDV3OzpL8wVtTnWW1jLGMi7fKiZPfP+pB2BpdUPaMSg==
  -----END PUBLIC KEY-----
  EOF
  ```
  This key is your trust anchor for everything that follows: keep it where nothing running in the pipeline can replace it.
- Run cosign against the Cimon image to verify that a signature exists, that it was produced with the key above, and to print the signed claims:
  ```sh
  $ cosign verify --key cimon.pub --insecure-ignore-tlog cycodelabs/cimon:v0

  Verification for index.docker.io/cycodelabs/cimon:v0 --
  The following checks were performed on each of these signatures:
    - The cosign claims were validated
    - The signatures were verified against the specified public key

  [{"critical":{"identity":{"docker-reference":"index.docker.io/cycodelabs/cimon"},"image":{"docker-manifest-digest":"sha256:eaebb6eb8004b24b6db635ef2ae044963132b4268576c7d5af1d4431532d5066"},"type":"cosign container image signature"},"optional":{"ref":"refs/tags/v0.10.9","repo":"CycodeLabs/cimon","sha":"395d4f6010d2281b63b4d34463693aca0ca9720e","workflow":"Release"}}]
  ```
  Two things to keep in mind when reading this:
  - `--insecure-ignore-tlog` tells cosign v2 not to require a Rekor transparency-log entry for the signature; without the flag the command fails. It also means the verification rests entirely on the key in `cimon.pub`, with no log inclusion proof behind it, so the check is only as trustworthy as that file.
  - The JSON is the signed payload. `docker-manifest-digest` is the digest of the image that was actually signed, and the `optional` annotations record the source repository, commit, tag and GitHub workflow of the build that produced it (here the `v0` tag pointed at the `v0.10.9` release). Because `v0` is a moving tag, use the verified digest from this output when you pull or run the image, so that a later retag cannot substitute an image you did not verify.
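The three steps above wrapped into one script, as an added example that is not Cimon's or Cycode's own code: it runs the cosign command from this page, then goes a step further than the page by checking the signed claims and pinning the image by the verified digest. It assumes cosign v2 is on PATH, that `cimon.pub` holds the key from step 2, and that a genuine Cimon release carries `repo` `CycodeLabs/cimon` and `workflow` `Release` in its optional claims, as the output above does. The sample claims embedded in the script are copied from that output so the parsing and checking functions can be exercised without touching the registry.

```shell
#!/bin/sh
# Added example, not from the Cimon docs: run the cosign verification from the
# page, then check the signed claims and pin the image by the verified digest.
# Assumptions: cosign v2 is on PATH, cimon.pub holds the key from the page, and
# the repo/workflow values below are what a genuine Cimon release carries.
set -eu

IMAGE="cycodelabs/cimon:v0"
KEY_FILE="cimon.pub"
EXPECTED_REPO="CycodeLabs/cimon"
EXPECTED_WORKFLOW="Release"

# Claims copied from the cosign output on this page, used as sample input.
SAMPLE_CLAIMS='[{"critical":{"identity":{"docker-reference":"index.docker.io/cycodelabs/cimon"},"image":{"docker-manifest-digest":"sha256:eaebb6eb8004b24b6db635ef2ae044963132b4268576c7d5af1d4431532d5066"},"type":"cosign container image signature"},"optional":{"ref":"refs/tags/v0.10.9","repo":"CycodeLabs/cimon","sha":"395d4f6010d2281b63b4d34463693aca0ca9720e","workflow":"Release"}}]'

# claim_field CLAIMS NAME: print the string value of the "NAME":"..." pair in
# the one-line JSON that cosign writes to stdout. sed only, so it also works
# in a minimal CI image that has no jq.
claim_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# check_claims CLAIMS: fail unless the digest is a well-formed sha256 and the
# optional annotations name the expected source repo and release workflow.
# A valid signature from the right key is necessary but not sufficient; the
# annotations tell you which build produced the image you are about to run.
check_claims() {
  digest=$(claim_field "$1" "docker-manifest-digest")
  repo=$(claim_field "$1" "repo")
  workflow=$(claim_field "$1" "workflow")
  printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' ||
    { echo "malformed digest: '$digest'" >&2; return 1; }
  [ "$repo" = "$EXPECTED_REPO" ] ||
    { echo "unexpected repo: '$repo'" >&2; return 1; }
  [ "$workflow" = "$EXPECTED_WORKFLOW" ] ||
    { echo "unexpected workflow: '$workflow'" >&2; return 1; }
}

# pinned_ref CLAIMS: the reference to use from now on. Pulling by digest means
# a later retag of v0 cannot swap in an image other than the one verified here.
pinned_ref() {
  printf '%s@%s\n' "$(claim_field "$1" "docker-reference")" \
                   "$(claim_field "$1" "docker-manifest-digest")"
}

# verify_and_pin: run cosign (the JSON claims go to stdout, the human-readable
# summary to stderr), validate the claims, and print the pinned reference.
# --insecure-ignore-tlog skips the Rekor transparency-log check, so trust
# rests entirely on the key in cimon.pub; guard that file accordingly.
verify_and_pin() {
  claims=$(cosign verify --key "$KEY_FILE" --insecure-ignore-tlog "$IMAGE") ||
    { echo "signature verification failed for $IMAGE" >&2; return 1; }
  check_claims "$claims" || return 1
  pinned_ref "$claims"
}

# Only talk to the registry when cosign is actually installed.
if command -v cosign >/dev/null 2>&1; then
  verify_and_pin
fi
```

Run the script in the directory containing `cimon.pub`; on success its only stdout line is `index.docker.io/cycodelabs/cimon@sha256:...`, which can be captured and passed straight to `docker pull` or to the job that runs Cimon. Any mismatch in digest format, repository or workflow is reported on stderr and the script exits non-zero, so a pipeline step built on it fails closed.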