Skip to content
ContainerForge

News

Guides

Containers

Verifying Image Signatures

Container images are signed using the attest-build-provenance action.

Using GitHub CLI

Section titled “Using GitHub CLI”

To verify that the image was built by GitHub CI:

Terminal window
gh attestation verify --repo trueforge-org/containers oci://oci.trueforge.org/containerforge/${APP}:${TAG}

Using Cosign

Section titled “Using Cosign”

You can also verify with cosign:

Terminal window
cosign verify-attestation --new-bundle-format --type slsaprovenance1 \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
    --certificate-identity-regexp "https://github.com/trueforge-org/containerforge/blob/main/.github/workflows/app-builder.yaml" \
    oci.trueforge.org/containerforge/${APP}:${TAG}
Powered by TrueForge
© All rights reserved, The TrueForge Project