cosign: Verify a container against a public key.
$ cosign verify -key ${cosign-pub} ${image}

The command cosign verify -key ${cosign-pub} ${image} uses the cosign tool to check a container image's signature against a public key, which verifies the authenticity of the image.

Here's a breakdown of the command:

  • cosign: This is the name of the command-line tool used for signing and verifying container images. It is part of the sigstore project, which aims to improve software supply chain security and transparency.

  • verify: This is a subcommand within cosign used to verify the integrity and authenticity of a container image.

  • -key ${cosign-pub}: This flag specifies the public key used for verifying the image. ${cosign-pub} is a placeholder that should be replaced with the actual filename or path of the public key file. Current cosign releases spell this flag with two dashes, --key.

  • ${image}: This is another placeholder that should be replaced with the name or identifier of the container image you want to verify.

When you run this command, cosign uses the provided public key to verify the signature of the specified container image. If the verification succeeds, it confirms that the image has not been tampered with since it was signed with the matching private key.
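
An added example, not part of the original page or the cosign project: a shell wrapper that runs the verification described above and then prints the image reference pinned to the digest the signature covers, so a tag that is moved after the check cannot swap the image. It assumes a current cosign release (flag spelled --key) that prints the verified payloads as JSON on stdout; the function name verify_and_pin and the registry names are hypothetical.

```shell
# Added example (not from the page or the cosign project).
# verify_and_pin KEY IMAGE   (hypothetical helper name)
# Prints IMAGE rewritten as repo@sha256:<digest>, but only if cosign accepts
# a signature for it made with the private key matching KEY.
verify_and_pin() {
  local key="$1" image="$2" out digests repo

  # cosign exits non-zero when no signature validates against the key: fail closed.
  out=$(cosign verify --key "$key" "$image" 2>/dev/null) || return 1

  # On success stdout is a JSON array of the signed payloads; each one names
  # the manifest digest that the signature covers.
  digests=$(printf '%s\n' "$out" \
    | grep -o '"docker-manifest-digest": *"sha256:[0-9a-f]\{64\}"' \
    | cut -d'"' -f4 | sort -u)

  # Expect exactly one distinct digest; anything else is treated as a failure.
  [ "$(printf '%s\n' "$digests" | grep -c .)" -eq 1 ] || return 1

  repo="${image%@*}"          # drop an existing @digest, if any
  case "${repo##*/}" in       # drop a :tag, but keep a registry :port
    *:*) repo="${repo%:*}" ;;
  esac
  printf '%s@%s\n' "$repo" "$digests"
}

# Usage: pinned=$(verify_and_pin cosign.pub registry.example/app:1.0) || exit 1
```

Deploy the printed reference rather than the tag that was passed in.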

This explanation was created by an AI. In most cases these explanations are correct, but please always be careful and never run a command unless you are sure it is safe.