Verify a signature
Every image and chart is signed with cosign using GitHub OIDC. There is no public key to distribute. Verification checks that the artifact was produced by a QuenchWorks GitHub Actions workflow and recorded in the Sigstore transparency log.
Install cosign
Use your package manager, or grab a release binary from the cosign project:
brew install cosign # macOS
go install github.com/sigstore/cosign/v2/cmd/cosign@latest # from source

Verify an image
Point cosign at the image and assert the signer identity:
cosign verify ghcr.io/quenchworks/images/redis \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

A valid result prints the certificate subject, which is the exact workflow that built the image, along with the Rekor log entry. If the signature is missing or the identity does not match, cosign exits non-zero.
Verify a chart
Charts are OCI artifacts, so the same command works once you have the digest:
cosign verify ghcr.io/quenchworks/charts/redis@sha256:<digest> \
  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

See Pin by digest for how to get that digest.
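The image and chart commands above both rely on the identity regexp and issuer; a CI step can additionally pin the digest and narrow the identity to one workflow and ref. The following is an added example, not QuenchWorks code: it re-checks the JSON that `cosign verify` prints against such a policy. The sample output, the workflow path and the digest are constructed; the critical/optional key layout is what cosign emits for keyless signatures.

```python
import json
import re

# Constructed sample of the JSON array `cosign verify` prints on success.
# Values are made up; the layout (critical/optional keys, Issuer/Subject
# fields, Rekor bundle) follows cosign's keyless signature output.
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/quenchworks/images/redis"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {
        "Bundle": {"SignedEntryTimestamp": "constructed", "Payload": {"logIndex": 1234567}},
        "Issuer": "https://token.actions.githubusercontent.com",
        "Subject": "https://github.com/quenchworks/images/.github/workflows/build.yml@refs/heads/main",
    },
}])

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Hypothetical strict identity: one repository, one workflow file, one ref.
STRICT_IDENTITY = (r"https://github\.com/quenchworks/images/"
                   r"\.github/workflows/build\.yml@refs/heads/main")


def check_policy(verify_output, expected_digest, identity_regexp):
    """Return (ok, reasons) for the JSON cosign verify printed.

    cosign already asserted issuer and identity; this re-checks them, pins the
    manifest digest and requires a Rekor bundle so a CI step fails closed.
    The identity regexp is anchored (fullmatch) on purpose.
    """
    entries = json.loads(verify_output)
    reasons = []
    if not entries:
        reasons.append("no signatures")
    for i, entry in enumerate(entries):
        crit, opt = entry.get("critical", {}), entry.get("optional", {})
        digest = crit.get("image", {}).get("docker-manifest-digest")
        if digest != expected_digest:
            reasons.append(f"[{i}] digest {digest} != pinned {expected_digest}")
        if opt.get("Issuer") != GITHUB_ISSUER:
            reasons.append(f"[{i}] unexpected issuer {opt.get('Issuer')!r}")
        subject = opt.get("Subject", "")
        if not re.fullmatch(identity_regexp, subject):
            reasons.append(f"[{i}] subject {subject!r} does not match policy")
        if "logIndex" not in opt.get("Bundle", {}).get("Payload", {}):
            reasons.append(f"[{i}] no Rekor bundle attached")
    return (not reasons, reasons)
```

Run it as `cosign verify ... | python3 -c '...'` in CI, feeding the pinned digest from your lockfile; any reason in the list should fail the job.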