You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I can't find the public key to verify the integrity of any Bitnami image!
Expected to be able to run this against any bitnami image
cosign verify --key bitnami.pub <image>
We understand you are using notation, but please share your public key to verify the integrity of images with cosign
REFERENCE
cosign verify --key <key path>|<key url>|<kms uri><image uri> [<image uri> ...]
# verify cosign claims and signing certificates on the image with the transparency log
cosign verify <IMAGE># verify multiple images
cosign verify <IMAGE_1><IMAGE_2> ...
# additionally verify specified annotations
cosign verify -a key1=val1 -a key2=val2 <IMAGE># verify image with an on-disk public key
cosign verify --key cosign.pub <IMAGE># verify image with an on-disk public key, manually specifying the# signature digest algorithm
cosign verify --key cosign.pub --signature-digest-algorithm sha512 <IMAGE># verify image with an on-disk signed image from 'cosign save'
cosign verify --key cosign.pub --local-image <PATH># verify image with local certificate and certificate chain
cosign verify --cert cosign.crt --cert-chain chain.crt <IMAGE># verify image using keyless verification with the given certificate# chain and identity parameters, without Fulcio roots (for BYO PKI):
cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected]<IMAGE># verify image with public key provided by URL
cosign verify --key https://host.for/[FILE] <IMAGE># verify image with a key stored in an environment variable
cosign verify --key env://[ENV_VAR] <IMAGE># verify image with public key stored in Google Cloud KMS
cosign verify --key gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY] <IMAGE># verify image with public key stored in Hashicorp Vault
cosign verify --key hashivault://[KEY] <IMAGE># verify image with public key stored in a Kubernetes secret
cosign verify --key k8s://[NAMESPACE]/[KEY] <IMAGE># verify image with public key stored in GitLab with project name
cosign verify --key gitlab://[OWNER]/[PROJECT_NAME] <IMAGE># verify image with public key stored in GitLab with project id
cosign verify --key gitlab://[PROJECT_ID] <IMAGE>
What is the feature you are proposing to solve the problem?
Verifying the integrity of Bitnami Images (that it's the same ones built by Bitnami )
What alternatives have you considered?
I will consider to re-sign it, and pushing it to my private registry... but this is extra-step and overhead
The text was updated successfully, but these errors were encountered:
javsalgar
changed the title
Share Public key and Document How to verify bitnami container images integrity
[bitnami/*] Share Public key and Document How to verify bitnami container images integrity
Oct 7, 2024
I am afraid we do not sign our Bitnami public artifacts with cosign. This feature is part of our commercial offering Tanzu Application Catalog. Find more details below:
Name and Version
bitnami/any:x.y.z
What is the problem this feature will solve?
I can't find the public key to verify the integrity of any Bitnami image!
Expected to be able to run this against any bitnami image
We understand you are using notation, but please share your public key to verify the integrity of images with cosign
REFERENCE
What is the feature you are proposing to solve the problem?
Verifying the integrity of Bitnami Images (that it's the same ones built by Bitnami )
What alternatives have you considered?
I will consider to re-sign it, and pushing it to my private registry... but this is extra-step and overhead
The text was updated successfully, but these errors were encountered: