
Image Verification

Tetrate signs TID images using cosign, a sigstore project that aims to improve supply chain security. Image signing adds a signature to a container image so that its authenticity and integrity can be checked; running cosign against that signature verifies that the image has not been tampered with or modified in any way after the build was released.

The images published to the destination repository are signed using the trustee’s identity: trustee@tetrate-istio-subscription.iam.gserviceaccount.com.

Tip

Tetrate has established https://tis.tetrate.io/trustee as a helper that returns the correct parameters for the cosign verify command.

Verification

  1. Install cosign

    Install cosign from sigstore

  2. Run cosign

    Verify the image signature using the cosign CLI. You will need credentials from Tetrate to access Tetrate's private repository.

    export REGISTRY="<TIS registry>"
    export TIS_PASS="<tis-password>"

    echo $TIS_PASS | docker login $REGISTRY -u token --password-stdin

    cosign verify $(curl -fsSL https://tis.tetrate.io/trustee) <IMAGE>

    For example

    cosign verify $(curl -fsSL https://tis.tetrate.io/trustee) $REGISTRY/istio-fips/proxyv2:1.20.0-tetratefips0

  3. Check cosign output

    Successful verification prints the following checks on stdout:

    The following checks were performed on each of these signatures:
    - The cosign claims were validated
    - Existence of the claims in the transparency log was verified offline
    - The code-signing certificate was verified using trusted certificate authority certificates

    Example output

    $ cosign verify $(curl -fsSL https://tis.tetrate.io/trustee) $REGISTRY/istio-fips/proxyv2:1.20.0-tetratefips0

    Verification for <registry>/istio-fips/proxyv2:1.20.0-tetratefips0 --
    The following checks were performed on each of these signatures:
    - The cosign claims were validated
    - Existence of the claims in the transparency log was verified offline
    - The code-signing certificate was verified using trusted certificate authority certificates

    [{"critical":{"identity":{"docker-reference":"<registry>/proxyv2"},"image":{"docker-manifest-digest":"sha256:cb113b4815a1f85c48a676167d9d12842ae85f3f11d03f367852c40075741bf5"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://accounts.google.com","Bundle":{"SignedEntryTimestamp":"MEYCIQC2i7U2Jzt+wJKROFfHPF+h7qPkYKtZjly+Z2WUWALKegIhAI+iCHjrwzThf3Y5MyMO896jbzQibvtTcFBASFkfRnpC","Payload":{"body":"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","integratedTime":1702272741,"logIndex":55782018,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://accounts.google.com","Subject":"trustee@tetrate-istio-subscription.iam.gserviceaccount.com"}}]

    To extract the signing identity (the Subject field) from the output and confirm it is the trustee address given above:

    $ cosign verify $(curl -fsSL https://tis.tetrate.io/trustee) $REGISTRY/istio-fips/proxyv2:1.20.0-tetratefips0 | jq -r '.[].optional.Subject'

    Verification for <registry>.tetrate.io/istio-fips/proxyv2:1.20.0-tetratefips0 --
    The following checks were performed on each of these signatures:
    - The cosign claims were validated
    - Existence of the claims in the transparency log was verified offline
    - The code-signing certificate was verified using trusted certificate authority certificates
    trustee@tetrate-istio-subscription.iam.gserviceaccount.com
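The three steps above can be scripted so that a deployment pipeline fails closed when a signature does not carry the expected signer. The following Python script is an added example, not Tetrate's own tooling: it assumes that cosign is on PATH, that the docker login from step 2 has already been done, that the trustee helper URL returns a single line of cosign CLI flags (which is what the page's $(curl ...) substitution implies), and that cosign writes its human-readable check list to stderr and the JSON signature array to stdout (which is why the page can pipe it straight into jq). The Subject, Issuer and manifest digest values are taken from the page's example output; the registry name in the sample is constructed.

```python
import json
import shlex
import subprocess
import urllib.request

# Values taken from the page: the trustee helper, the signing identity and
# the OIDC issuer shown in the example cosign output.
TRUSTEE_URL = "https://tis.tetrate.io/trustee"
EXPECTED_SUBJECT = "trustee@tetrate-istio-subscription.iam.gserviceaccount.com"
EXPECTED_ISSUER = "https://accounts.google.com"
SIGNATURE_TYPE = "cosign container image signature"


def check_signatures(payload_json, expected_subject=EXPECTED_SUBJECT,
                     expected_issuer=EXPECTED_ISSUER, expected_digest=None):
    """Validate the JSON array cosign prints on stdout after a successful verify.

    Every entry must be a cosign container image signature issued to the
    expected Subject by the expected OIDC Issuer. If expected_digest is given
    (the digest you pinned in your manifests), the signed manifest digest must
    match it. Returns the set of manifest digests covered by the signatures.
    """
    entries = json.loads(payload_json)
    if not isinstance(entries, list) or not entries:
        raise ValueError("no signatures in cosign output")
    digests = set()
    for entry in entries:
        critical = entry.get("critical", {})
        optional = entry.get("optional", {})
        if critical.get("type") != SIGNATURE_TYPE:
            raise ValueError(f"unexpected signature type: {critical.get('type')!r}")
        subject = optional.get("Subject")
        issuer = optional.get("Issuer")
        if subject != expected_subject:
            raise ValueError(f"unexpected signer identity: {subject!r}")
        if issuer != expected_issuer:
            raise ValueError(f"unexpected OIDC issuer: {issuer!r}")
        digest = critical.get("image", {}).get("docker-manifest-digest", "")
        if not digest.startswith("sha256:"):
            raise ValueError(f"malformed manifest digest: {digest!r}")
        if expected_digest is not None and digest != expected_digest:
            raise ValueError(f"digest mismatch: signed {digest}, pinned {expected_digest}")
        digests.add(digest)
    return digests


def fetch_trustee_args(url=TRUSTEE_URL):
    """Fetch the cosign verify parameters from the trustee helper.

    Assumption: the endpoint returns one line of CLI flags, as the page's
    $(curl -fsSL ...) substitution implies.
    """
    with urllib.request.urlopen(url, timeout=10) as resp:
        return shlex.split(resp.read().decode())


def verify_image(image, expected_digest=None):
    """Run cosign verify for IMAGE and re-check its JSON output independently.

    Assumes cosign is on PATH and the registry login from step 2 is done.
    The Subject/Issuer check does not rely on whatever flags the helper
    returned; the signer identity is pinned here as well.
    """
    cmd = ["cosign", "verify", *fetch_trustee_args(), image]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return check_signatures(result.stdout, expected_digest=expected_digest)


# Constructed sample shaped like the page's example output (Bundle fields
# omitted); the digest is the one shown on the page, the registry is made up.
SAMPLE_DIGEST = "sha256:cb113b4815a1f85c48a676167d9d12842ae85f3f11d03f367852c40075741bf5"
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "registry.example/proxyv2"},
        "image": {"docker-manifest-digest": SAMPLE_DIGEST},
        "type": SIGNATURE_TYPE,
    },
    "optional": {
        "Issuer": EXPECTED_ISSUER,
        "Subject": EXPECTED_SUBJECT,
    },
}])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real run: verify the image named on the command line.
        print(sorted(verify_image(sys.argv[1])))
    else:
        # Offline run: exercise the checker on the constructed sample.
        print(sorted(check_signatures(SAMPLE_OUTPUT)))
```

check_signatures deliberately re-checks Subject and Issuer rather than trusting the helper's flags alone, and the optional expected_digest lets a pipeline that deploys by digest confirm that the signed manifest is the one it pinned.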

Conclusion

By using cosign to verify Tetrate's images, you can be confident that the integrity of each image is maintained, reflecting Tetrate's commitment to secure and reliable software distribution.