Verify Veirox Connect signatures before install
Every release of the Veirox connector image and Helm chart
is signed by our CI using cosign keyless
(via Sigstore's Fulcio CA and Rekor transparency log).
Verifying before install proves:
- The artifact came from the Veirox GitHub repo's release
workflow, not from a compromised account or typo-squatted
registry. - The signature is logged in the public Rekor transparency log —
the signing event is auditable.
Prerequisites
# macOS brew install cosign # Linux (deb) curl -LO "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" sudo install -m 0755 cosign-linux-amd64 /usr/local/bin/cosign # Verify cosign version
You need cosign v2.4+ for keyless identity regex verification.
Verify the image
VERSION=0.2.0 # the tag you're about to pull
cosign verify docker.io/msrashed/veirox-connector:${VERSION}-k8s \
--certificate-identity-regexp "^https://github.com/veirox-cloud/veirox-cli/\.github/workflows/release\.yml@" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
Expected output (shortened):
Verification for docker.io/msrashed/veirox-connector:0.2.0-k8s --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public keys
[
{
"critical": {
"identity": { ... },
"image": { "docker-manifest-digest": "sha256:..." },
"type": "cosign container image signature"
},
"optional": {
"Bundle": { ... },
"Issuer": "https://token.actions.githubusercontent.com",
"Subject": "https://github.com/veirox-cloud/veirox-cli/.github/workflows/release.yml@refs/tags/v0.2.0"
}
}
]
If the verification fails:
no matching signatures: the image isn't signed (old release, or
pulled from a fake registry).certificate identity ... did not match: the signer identity
doesn't match our release workflow. Do not use this image.issuer ... did not match: likewise.
Verify the Helm chart
VERSION=0.2.0
# Pull the chart to a temp dir
helm pull oci://ghcr.io/msrashed2018/charts/veirox-connector --version "$VERSION" -d /tmp
# Get its digest
CHART_DIGEST=$(cosign triangulate ghcr.io/msrashed2018/charts/veirox-connector:${VERSION} --type=digest)
# Verify
cosign verify "ghcr.io/msrashed2018/charts/veirox-connector@${CHART_DIGEST}" \
--certificate-identity-regexp "^https://github.com/veirox-cloud/veirox-cli/\.github/workflows/release\.yml@" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
Verify the attestations (SBOM + SLSA provenance)
Images come with two attestations attached to the manifest:
SPDX SBOM
cosign verify-attestation docker.io/msrashed/veirox-connector:${VERSION}-k8s \
--certificate-identity-regexp "^https://github.com/veirox-cloud/veirox-cli/" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--type spdxjson \
| jq -r '.payload' | base64 -d | jq '.predicate.Data' -r | jq '.packages | length'
Or use the helper script:
docker buildx imagetools inspect docker.io/msrashed/veirox-connector:${VERSION}-k8s \
--format '{{ json .SBOM }}' | jq '.SPDX.packages | map(.name) | sort | unique'
SLSA provenance
cosign verify-attestation docker.io/msrashed/veirox-connector:${VERSION}-k8s \
--certificate-identity-regexp "^https://github.com/veirox-cloud/veirox-cli/" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--type slsaprovenance
Pin by digest
Once verified, pin your deployment by digest, not by tag — tags
can be re-pushed silently; digests cannot.
Get the digest:
docker buildx imagetools inspect docker.io/msrashed/veirox-connector:0.2.0-k8s \
--format '{{ .Manifest.Digest }}'
# → sha256:abc123...
Pin in values:
image: repository: docker.io/msrashed/veirox-connector tag: 0.2.0-k8s@sha256:abc123... # tag@digest
Keyless identity reference
The signer identity for every release is:
https://github.com/veirox-cloud/veirox-cli/.github/workflows/release.yml@refs/tags/v<VERSION>
Issued by:
https://token.actions.githubusercontent.com
If we ever rename the workflow, move the repo, or switch the CI
provider, the identity string changes — that's a breaking change
for anyone relying on this regex, and will be documented in
CHANGELOG.md with a migration note.
One-liner for CI pipelines
# exits non-zero if verification fails cosign verify docker.io/msrashed/veirox-connector:0.2.0-k8s \ --certificate-identity-regexp "^https://github.com/veirox-cloud/veirox-cli/\.github/workflows/release\.yml@" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ > /dev/null
Put this as a pre-install gate in your pipeline. If the signature
check fails, the install does not proceed.
Related
- SBOM review — what's in the SBOM and how to
use it for vulnerability tracking - INSTALL-helm.md — the Helm install flow
that uses the verified artifacts