Merge pull request #1665 from GoogleContainerTools/loosebazooka-patch-1
Update README.md
loosebazooka authored Sep 6, 2024
2 parents 799e86c + d14cc03 commit 1f6301d
Showing 1 changed file with 2 additions and 22 deletions.
24 changes: 2 additions & 22 deletions README.md
@@ -50,33 +50,13 @@ Any other tags are considered deprecated and are no longer updated

## How do I verify distroless images?

All distroless images are signed by [cosign](https://github.com/sigstore/cosign).
We recommend verifying any distroless image you use before building your image.

#### Keyless

Distroless images are signed with cosign in keyless mode, this is the only supported mechanism starting November 2023. You can verify the keyless signature of any distroless image with:
All distroless images are signed by [cosign](https://github.com/sigstore/cosign) with emphemeral keys (keyless) -- this is the only supported mechanism starting November 2023.
We recommend verifying any distroless image you use before building your image. You can verify the keyless signature of any distroless image with:

```
cosign verify $IMAGE_NAME --certificate-oidc-issuer https://accounts.google.com --certificate-identity [email protected]
```

#### Key (DEPRECATED)

Verifying using the distroless keys is deprecated in favor of keyless. These signing events are not uploaded to the transparency log. You can use the [distroless public key](cosign.pub) to verify any distroless image with:

Images built after November 2023 will not be verifiable with `cosign.pub`, use keyless signature verification

```
cat cosign.pub
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q
OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA==
-----END PUBLIC KEY-----
cosign verify --key cosign.pub $IMAGE_NAME --insecure-ignore-tlog
```

### Entrypoints

Note that distroless images by default do not contain a shell.
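Review bot: typo in the added sentence: "emphemeral keys" should read "ephemeral keys". Separately, this hunk drops the only documentation of key-based verification with `cosign.pub` (and of the `--insecure-ignore-tlog` caveat that went with it), while the deleted text itself stated that images built before November 2023 were signed that way; since only README.md changes here and `cosign.pub` stays in the repository, consider either removing that file in the same change or keeping a one-line note that it applies solely to pre-November-2023 images, so readers of deprecated tags are not left without a documented verification path.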
