Verify a signature
Every image and chart is signed with cosign using GitHub OIDC (keyless signing). There is no public key to distribute: the signing certificate is short-lived and issued to the identity of the workflow that ran the build. Verification checks that the artifact was signed under a certificate issued to a QuenchWorks GitHub Actions workflow and that the signature was recorded in the Sigstore transparency log (Rekor).
Install cosign
Use your package manager, or grab a release binary from the cosign project:
brew install cosign                                          # macOS
go install github.com/sigstore/cosign/v2/cmd/cosign@latest   # from source
Verify an image
Point cosign at the image by its version tag (images have no :latest) and assert the signer identity. Swap redis:8.8.0 for any image and the version shown on its page:
cosign verify ghcr.io/quenchworks/images/redis:8.8.0 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
A valid result prints the certificate subject, which is the exact workflow that built the image (repository, workflow file and git ref), along with the Rekor log entry. If the signature is missing, the issuer is wrong, or the identity does not match, cosign exits non-zero. The regexp above accepts any workflow in the quenchworks organisation; once you have seen the subject for an image, you can pass that exact value to --certificate-identity instead, which pins verification to the one workflow that is supposed to build it.
Verify a chart
Charts are OCI artifacts, so the same command works against the chart’s version tag:
cosign verify ghcr.io/quenchworks/charts/redis:0.0.5 \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com
To verify a specific build instead of whatever the tag currently points at, pass an @sha256:... digest in place of the tag. The digest is also what you should pin in deployments, since a tag can be moved. See Pin by digest for how to resolve one.
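The image and chart steps above are the same procedure with a different reference, and the natural follow-on is to pin the digest that was actually verified. The script below is an added example, not QuenchWorks tooling: it runs cosign with the identity constraints from this page, reads the certificate subject and the signed manifest digest out of cosign's JSON output, and prints the reference rewritten as repo@sha256:... . It assumes cosign v2 on PATH; SAMPLE_VERIFY_JSON, its digest and the workflow path inside it are constructed for the example rather than taken from a real verification.

```shell
#!/bin/sh
# Added example (not QuenchWorks' own tooling): verify an image or chart with
# cosign's keyless flow, read the certificate subject and the manifest digest
# out of cosign's JSON output, and emit a digest-pinned reference.
# Assumes cosign v2 on PATH. SAMPLE_VERIFY_JSON and the workflow path inside it
# are constructed for the example; real values come from `cosign verify`.

ISSUER='https://token.actions.githubusercontent.com'
# The page's org-wide pattern, anchored: cosign matches the regexp unanchored
# against the certificate SAN, so '^' keeps it from matching a longer URI that
# merely contains the prefix.
ORG_REGEXP='^https://github.com/quenchworks/.+'

# Constructed stand-in for `cosign verify ... --output json`; the digest and the
# workflow path are made up for the example.
SAMPLE_VERIFY_JSON='[{"critical":{"identity":{"docker-reference":"ghcr.io/quenchworks/images/redis"},"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},"type":"cosign container image signature"},"optional":{"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/quenchworks/images/.github/workflows/build.yml@refs/heads/main"}}]'

# cosign prints a JSON array, one object per valid signature. The digest that was
# actually signed lives in critical.image.docker-manifest-digest; take the first.
digest_from_verify_json() {
  printf '%s' "$1" \
    | grep -oE '"docker-manifest-digest":"sha256:[0-9a-f]{64}"' \
    | head -n 1 \
    | sed -E 's/.*"(sha256:[0-9a-f]{64})"/\1/'
}

# optional.Subject is the certificate SAN: the exact workflow that built the artifact.
subject_from_verify_json() {
  printf '%s' "$1" \
    | grep -oE '"Subject":"[^"]+"' \
    | head -n 1 \
    | sed -E 's/"Subject":"([^"]+)"/\1/'
}

# repo:tag -> repo@sha256:... ; strips from the last ':' so a registry port survives.
pin_reference() {
  printf '%s@%s\n' "${1%:*}" "$2"
}

# Verify REF against the org-wide identity, then print REF pinned to the digest
# that was actually signed. Returns non-zero (and prints nothing on stdout) on
# any verification failure, so callers can `|| exit`.
verify_and_pin() {
  ref="$1"
  out=$(cosign verify "$ref" \
          --certificate-identity-regexp "$ORG_REGEXP" \
          --certificate-oidc-issuer "$ISSUER" \
          --output json) || {
    echo "verification failed: $ref" >&2
    return 1
  }
  digest=$(digest_from_verify_json "$out")
  if [ -z "$digest" ]; then
    echo "no signed digest in cosign output for $ref" >&2
    return 1
  fi
  echo "$ref signed by $(subject_from_verify_json "$out")" >&2
  pin_reference "$ref" "$digest"
}

# Usage: sh verify-pin.sh ghcr.io/quenchworks/images/redis:8.8.0 ghcr.io/quenchworks/charts/redis:0.0.5
if [ $# -gt 0 ]; then
  for ref in "$@"; do
    verify_and_pin "$ref" || exit 1
  done
fi
```

The pinned reference on stdout is what goes into a manifest or values file; the subject on stderr is the value to copy into --certificate-identity once you want to lock verification to that single workflow rather than the whole organisation.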