Image Signing
Tetrate signs TID images using cosign, a sigstore project aimed at improving supply chain security. The latest versions can be found here. In general, image signing is the process of attaching a cryptographic signature to a container image so that its authenticity and integrity can be checked: verifying the signature with cosign confirms that the image has not been tampered with or modified in any way after the build was released. Tetrate uses keyless signing because it does not involve creating and distributing x509 certificates.
Verification
- Download cosign from sigstore.
- Verify the image signature using the cosign CLI.
export IMAGE="<image reference>"
cosign verify $IMAGE --certificate-oidc-issuer https://accounts.google.com --certificate-identity='image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com'
Successful verification prints the following to stdout:
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
Note: --certificate-oidc-issuer and --certificate-identity are the OIDC issuer and the service account identity that were used to sign the images; cosign rejects a signature whose certificate does not match both.
Example Usage
cosign verify containers.istio.tetratelabs.com/pilot:1.18.5-tetrate-v0-debug --certificate-oidc-issuer https://accounts.google.com --certificate-identity='image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com'
Verification for containers.istio.tetratelabs.com/pilot:1.18.5-tetrate-v0-debug --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
[{"critical":{"identity":{"docker-reference":"containers.istio.tetratelabs.com/pilot"},"image":{"docker-manifest-digest":"sha256:e77342709f2ad9c0759f25dc63e51ce0cf5654aeecbd6cb7805bebcbb8463c08"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://accounts.google.com","Bundle":{"SignedEntryTimestamp":"MEYCIQC9rNthTT0/J5OnlXYwremJPSU60JUJHxVUcrAPj9FvvwIhAOVpHST0U7ssmdHj9ZFr6exll0w2vW3g19shqDRzblgI","Payload":{"body":"...","integratedTime":1700241493,"logIndex":50622243,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://accounts.google.com","Subject":"image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com"}},{"critical":{"identity":{"docker-reference":"containers.istio.tetratelabs.com/pilot"},"image":{"docker-manifest-digest":"sha256:e77342709f2ad9c0759f25dc63e51ce0cf5654aeecbd6cb7805bebcbb8463c08"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://accounts.google.com","Bundle":{"SignedEntryTimestamp":"MEYCIQCU28iXi1TEKEPx4bzDLqXlrreDEK+B5hFoYzHuqjr5nQIhAIAVKCIK0bu7VXHfPShSB/ryEidKpWbR3Jwk1Cq9NpB/","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJhZjljMzA4YTNmOGFjOGY3NTIyYTJjMDliNTgyMDJmM2RhZDMxM2NhYWMyN2Q0NWUzMjJlODY1MTZmYzI2Y2M4In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJRllUTWl1Q01ocnJBcDd6T01FL0JETEhTOWg5cytRRGxBb1FpRlVUdEpnQUFpQlpQU0F3cFZjcmdqemh4cFZHRk5XOFlRV3dBM1lKVjVVc0w1VUp2SVN4NEE9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVTTVSRU5EUVc1eFowRjNTVUpCWjBsVlYwZGpaQ3QyTkZJM1luTm1SbnB6YjB0MlJpdDRVVEpJZVZwamQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcE5lRTFVUlROTlZHTjRUMFJKZWxkb1kwNU5hazE0VFZSRk0wMVVZM2xQUkVsNlYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZrY213d05EQkliMjlTY0VoM1dVVjBRa3hTVkVKU1Z6azFja1Z1VTFWWlJHbEJiVTBLTUVadVJqTTVMMWh0YkVvclZXeENSalZxUVZaT1lVOTFTU3MyVlZaemNVMXJVWEpEZVRCU09UZDBRelpCVURZeEwwdFBRMEZhYTNkblowZFdUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlZxYTFwSkNrcGFXa2x3TXpZemVHRlBTVkZXYTJoQk9XcHlSME5CZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDFObldVUldVakJTUVZGSUwwSkZRWGRRYjBVNFlWY3hhRm95VlhSak1teHVZbTFzZFZwNU1YSmFXR3h6V2xoT2VreFlUbWhSU0ZKd1drTXhNQXBhV0U0d1lWYzFia3h0YkdoaVV6VnVZekpXZVdSdGJHcGFWMFpxV1RJNU1XSnVVWFZaTWpsMFRVTnJSME5wYzBkQlVWRkNaemM0ZDBGUlJVVkhNbWd3Q21SSVFucFBhVGgyV1ZkT2FtSXpWblZrU0UxMVdqSTVkbG95ZUd4TWJVNTJZbFJCY2tKbmIzSkNaMFZGUVZsUEwwMUJSVWxDUWpCTlJ6Sm9NR1JJUW5vS1QyazRkbGxYVG1waU0xWjFaRWhOZFZveU9YWmFNbmhzVEcxT2RtSlVRMEpwVVZsTFMzZFpRa0pCU0ZkbFVVbEZRV2RTTjBKSWEwRmtkMEl4UVU0d09RcE5SM0pIZUhoRmVWbDRhMlZJU214dVRuZExhVk5zTmpRemFubDBMelJsUzJOdlFYWkxaVFpQUVVGQlFtazVOVXRrVVVGQlFVRlJSRUZGV1hkU1FVbG5DbVZNTWtKd05qbHVUMVpyTUVVeFZGcHFOVnA2V1dwa00ycFJSbE5sY1ZBM2RqUlpaVEYxTkRJNU56aERTVVJWUjFack1XMU9OazVwVldSVlNtOXNkV1FLVjBKWUwzUkhkRU5qT0c4NVpXVm5Rek5vV1VOa1ZXaE1UVUZ2UjBORGNVZFRUVFE1UWtGTlJFRXlaMEZOUjFWRFRVRmtkbkJaYjNOTGNISTFXa0ZGUXdwTVlUVTNUemh0V0hvM1ZtZEJlVUZLVGxZeE0weHlURTVoUzNoVVkwaDBNRXhMTW1WdmRsbGhaMGRvVDJwa1JGRndkMGw0UVVsMFZYUlJUVXhaVlVSa0NrMTJObXB3Y2toaE5qY3hheTlxWlU1S1ltWjNSbGxJWjFGMFdXVTJPSHB4UkdGamJsQTRTVTEwYmpKUU5HdFlWVGc1WjBKRlFUMDlDaTB0TFMwdFJVNUVJRU5GVWxSSlJrbERRVlJGTFMwdExTMEsifX19fQ==","integratedTime":1700241504,"logIndex":50622262,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://accounts.google.com","Subject":"image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com"}}]
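The JSON array above is what a deployment pipeline should act on, not just cosign's exit status: a valid keyless signature proves who signed, but only pinning the docker-manifest-digest proves that the signed build is the one being deployed. The following script is an added example, not code from the Tetrate page or from cosign. It builds the verification command with the flags shown above, parses the claims array that cosign prints to stdout, and re-checks issuer, identity, repository and digest. The sample claims are constructed to mirror the page's output (same repository, digest and signer) with the Rekor Bundle fields left out; the `verify_image` wrapper needs cosign and network access and is not exercised by the samples.

```python
"""Check `cosign verify` output against an expected signer and image digest.

Added example, not part of the Tetrate page or cosign itself. It assumes the
JSON claims array that `cosign verify` prints to stdout (the page shows one);
the samples below are constructed to mirror that structure with the Rekor
bundle fields left out.
"""
import json
import subprocess

# Signer identity and issuer from the page's verification command.
OIDC_ISSUER = "https://accounts.google.com"
SIGNER_IDENTITY = "image-signing-keyless-sa@tid-testing.iam.gserviceaccount.com"
# Fulcio certificate extension carrying the OIDC issuer; cosign echoes it
# under this OID key in the "optional" part of each claim.
FULCIO_ISSUER_OID = "1.3.6.1.4.1.57264.1.1"
SIGNATURE_TYPE = "cosign container image signature"

# Repository and manifest digest as printed in the page's example output.
IMAGE_REPO = "containers.istio.tetratelabs.com/pilot"
IMAGE_DIGEST = "sha256:e77342709f2ad9c0759f25dc63e51ce0cf5654aeecbd6cb7805bebcbb8463c08"


def _claim(repo, digest, subject, issuer=OIDC_ISSUER):
    """Build one claim shaped like cosign's output (constructed sample data)."""
    return {
        "critical": {
            "identity": {"docker-reference": repo},
            "image": {"docker-manifest-digest": digest},
            "type": SIGNATURE_TYPE,
        },
        "optional": {FULCIO_ISSUER_OID: issuer, "Issuer": issuer, "Subject": subject},
    }


# Two valid claims for the same manifest, as in the page's output.
SAMPLE_GOOD = json.dumps([
    _claim(IMAGE_REPO, IMAGE_DIGEST, SIGNER_IDENTITY),
    _claim(IMAGE_REPO, IMAGE_DIGEST, SIGNER_IDENTITY),
])
# Constructed mismatch: right issuer, but a different signer and digest.
SAMPLE_BAD = json.dumps([
    _claim(IMAGE_REPO, "sha256:" + "00" * 32,
           "other-sa@example-project.iam.gserviceaccount.com"),
])


def build_verify_command(image, issuer=OIDC_ISSUER, identity=SIGNER_IDENTITY):
    """argv for the verification command shown on the page."""
    return ["cosign", "verify", image,
            "--certificate-oidc-issuer", issuer,
            "--certificate-identity", identity]


def check_claims(raw_output, repo, expected_digest,
                 issuer=OIDC_ISSUER, identity=SIGNER_IDENTITY):
    """Return a list of problems with the verified claims (empty = all good).

    cosign already rejects signatures whose certificate does not match the
    issuer/identity flags; this re-checks them and, more importantly, pins the
    manifest digest so a valid signature on a different build is not accepted.
    """
    claims = json.loads(raw_output)
    if not claims:
        return ["no signatures found"]
    problems = []
    for i, claim in enumerate(claims):
        crit = claim.get("critical", {})
        opt = claim.get("optional", {})
        ref = crit.get("identity", {}).get("docker-reference")
        if ref != repo:
            problems.append(f"claim {i}: docker-reference {ref!r} != {repo!r}")
        digest = crit.get("image", {}).get("docker-manifest-digest")
        if digest != expected_digest:
            problems.append(f"claim {i}: digest {digest!r} != {expected_digest!r}")
        if crit.get("type") != SIGNATURE_TYPE:
            problems.append(f"claim {i}: unexpected type {crit.get('type')!r}")
        if opt.get("Issuer") != issuer or opt.get(FULCIO_ISSUER_OID) != issuer:
            problems.append(f"claim {i}: Issuer is not {issuer}")
        if opt.get("Subject") != identity:
            problems.append(f"claim {i}: Subject {opt.get('Subject')!r} != {identity!r}")
    return problems


def verify_image(image, repo, expected_digest):
    """Run cosign and check its claims; needs cosign on PATH and network access."""
    proc = subprocess.run(build_verify_command(image), capture_output=True, text=True)
    if proc.returncode != 0:
        return [f"cosign verify failed: {proc.stderr.strip()}"]
    return check_claims(proc.stdout, repo, expected_digest)


if __name__ == "__main__":
    print("good sample:", check_claims(SAMPLE_GOOD, IMAGE_REPO, IMAGE_DIGEST))
    print("bad sample:", check_claims(SAMPLE_BAD, IMAGE_REPO, IMAGE_DIGEST))
```

Note that the docker-reference in a claim is the repository without its tag, so `repo` is compared against `containers.istio.tetratelabs.com/pilot` rather than the full `pilot:1.18.5-tetrate-v0-debug` reference; the tag is resolved to the manifest digest, which is the value worth pinning. Run `verify_image("containers.istio.tetratelabs.com/pilot:1.18.5-tetrate-v0-debug", IMAGE_REPO, IMAGE_DIGEST)` to apply the same checks to a live `cosign verify` run.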