Verifying authenticity of Codefresh pipeline-created artifacts

Verify integrity of container images generated by Codefresh pipelines

Organizations that deploy container images built by Codefresh pipelines can verify both the signature and the identity of the signer, whether the images were signed keylessly with Codefresh as the OIDC provider or with a key pair.

For more information, see Signing container images with Sigstore.

For detailed information on keyless signing, including its architecture, read our blog post on keyless signing.

Verify authenticity of container images with keyless signing

Verify the authenticity of all container images created by Codefresh pipelines using the cosign command:

cosign verify --certificate-oidc-issuer "https://oidc.codefresh.io" --certificate-identity/--certificate-identity-regexp "<certificate-identity>" <image-tag>

where:

  • --certificate-oidc-issuer is always set to "https://oidc.codefresh.io".
  • <certificate-identity> is the identity encoded in the signing certificate, specified using one of the following flags:
    • --certificate-identity for the full identity of the certificate.
    • --certificate-identity-regexp for specifying a regular expression to match various parts of the identity.
  • <image-tag> is the name of the container image to verify.

If the certificate identity doesn’t match the expected identity, cosign exits with an error:

Cosign certificate identity validation error

On successful verification, cosign displays details about the signature, such as the digest and the base64-encoded content of the signing certificate, as in the example below.

Successful cosign certificate identity validation

Examples of identity verification commands

Full identity verification

cosign verify --certificate-oidc-issuer "https://oidc.codefresh.io" --certificate-identity "https://g.codefresh.io/ilia-codefresh/sigstore-blog/keyless-signature:628a80b693a15c0f9c13ab75/6612ad6384ef42f18019b7e9" ilmedcodefresh/python-flask-sample-app:cosign-keyless-demo

Regex verification for a specific immutable account ID

Using a regex, this command verifies identities for images created by any pipeline in a specific account, selected by its immutable account ID:

cosign verify --certificate-oidc-issuer "https://oidc.codefresh.io" --certificate-identity-regexp "https://g.codefresh.io/.*:628a80b693a15c0f9c13ab75/.*" ilmedcodefresh/python-flask-sample-app:cosign-keyless-demo

Regex verification for a specific account name

Using a regex, this command verifies identities for images created for a specific account name:

cosign verify --certificate-oidc-issuer "https://oidc.codefresh.io" --certificate-identity-regexp "https://g.codefresh.io/ilia-codefresh/.*" ilmedcodefresh/python-flask-sample-app:cosign-keyless-demo
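The following script is an added example, not code from the Codefresh documentation: it wraps the keyless verification above in a fail-closed shell function, with the issuer pinned to https://oidc.codefresh.io and the identity regexps built from the two patterns shown on this page (any pipeline in an account by ID, any pipeline in an account by name). It assumes the identity layout visible in the page's own examples (account name as the first path segment, account ID after the colon); the function names, the literal-dot escaping and the ^…$ anchoring are this example's choices and are stricter than the page's regexes. An offline helper, identity_matches, applies a regexp to a certificate identity the same anchored way so you can check a pattern before pointing cosign at a registry.

```shell
#!/bin/sh
# Added example (not part of the Codefresh docs): a fail-closed wrapper around
# `cosign verify` for keyless signatures produced by Codefresh pipelines.
# Identity layout assumed from the page's examples:
#   https://g.codefresh.io/<account-name>/.../...:<account-id>/...

ISSUER="https://oidc.codefresh.io"   # always the Codefresh OIDC issuer

# Regexp for any pipeline in one account, selected by immutable account ID
# (the value after ':' in the identity, e.g. 628a80b693a15c0f9c13ab75).
# Dots in the host are escaped so that "g.codefresh.io" is matched literally;
# the page's own regex leaves them unescaped, where '.' matches any character.
account_id_regexp() {
  printf '%s%s%s' 'https://g\.codefresh\.io/.*:' "$1" '/.*'
}

# Regexp for any pipeline in one account, selected by account name
# (the first path segment, e.g. ilia-codefresh).
account_name_regexp() {
  printf '%s%s%s' 'https://g\.codefresh\.io/' "$1" '/.*'
}

# Offline check of a certificate identity against a regexp. The pattern is
# anchored with ^ and $ so that a longer string that merely contains the
# expected identity as a substring is rejected. Returns 0 on match.
identity_matches() {
  printf '%s\n' "$2" | grep -Eq -e '^('"$1"')$'
}

# Run cosign with the issuer pinned and the identity regexp anchored.
# The exit status is cosign's own: 0 only when the signature, the issuer
# and the certificate identity all verify.
verify_keyless() {
  image="$1"
  regexp="$2"
  cosign verify \
    --certificate-oidc-issuer "$ISSUER" \
    --certificate-identity-regexp '^('"$regexp"')$' \
    "$image"
}

# Usage (runs only when cosign is installed and arguments are given):
#   sh verify.sh <image-tag> <account-id>
if [ "$#" -ge 2 ] && command -v cosign >/dev/null 2>&1; then
  verify_keyless "$1" "$(account_id_regexp "$2")" || exit 1
fi
```

Two details matter when the wrapper runs as a deployment gate: the regexp is anchored, so an identity such as https://example.test/?u=https://g.codefresh.io/ilia-codefresh/x does not satisfy the account-name pattern even though it contains the expected prefix, and the `|| exit 1` propagates cosign's non-zero status so a mismatched identity stops the pipeline instead of being logged and ignored.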

Verify authenticity of container images with key-based signing

Verify the authenticity of container images signed with a key pair using the public key that corresponds to the signing key:

cosign verify --key <public-key-file-path> <image-tag>

where:

  • <public-key-file-path> is the file path to the public key used to verify the signed container image.
  • <image-tag> is the name of the container image to verify.
