Skip to main content

Verifying Signature

In order to ensure the authenticity and integrity of the Cimon image, it is signed using the cosign and sigstore tools. Therefore, verifying the signature proves that it was signed by our provided key, which gives confidence in the provided artifact.

Here are the steps you need to take to verify the signature:

  1. Install cosign, which is the CLI tool of Sigstore. You can do that through one of the following ways:

    1. go install
    2. Fetch the version manually -
  2. Write the public key of Cimon distribution:

Cimon Public Key
cat << EOF >>
-----END PUBLIC KEY-----
  1. Run cosign on Cimon release to verify signature existence and the claims
Verifying Cimon Signature
$ cosign verify --key --insecure-ignore-tlog cycodelabs/cimon:v0

Verification for --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:eaebb6eb8004b24b6db635ef2ae044963132b4268576c7d5af1d4431532d5066"},"type":"cosign container image signature"},"optional":{"ref":"refs/tags/v0.10.9","repo":"CycodeLabs/cimon","sha":"395d4f6010d2281b63b4d34463693aca0ca9720e","workflow":"Release"}}]