Docker Image and Helm Chart Validation Using Cosign

Prerequisites: Install the latest version of cosign as described in the AppViewX SIGN+ Guide.

Validate a Docker Image

  1. Download the Image Key file (<image-name>.pub) for the respective release version from the AppViewX release portal.
    Note: To get the release portal credentials, contact [email protected].
  2. Validate the image using the following command:
    cosign verify --key <Image Key file> <Image uri>

    Example: cosign verify --key my-app-image-key.pub registry.example.com/appviewx/my-service@sha256:abc123...

Validate a Helm Chart

  1. Download the Helm chart signature file (.sig) from the release portal.
  2. Add the repo to your local Helm configuration using the following command:
    helm repo add crypto-mesh --username <your username> --password <your password or access token> <helm repo URL>

  3. Update your local Helm repo cache using the following command:
    helm repo update
  4. Pull a specific version of a chart using the following command:
    helm pull <repo-name>/<chart-name> --version <version of the chart>

    This downloads the Helm chart as a <chart-name>.tgz file.

  5. Validate the Helm chart using the following command:
    cosign verify-blob --key <keyfile> --signature <Helm chart signature file .sig> <CHART_TGZ file>
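As an added example (not part of the AppViewX guide), a POSIX shell wrapper around the two cosign steps above that fails closed: it checks that the key, signature and chart files are readable before calling cosign, and for images it insists on a digest-pinned reference, since a tag can be re-pointed to a different image after signing. The COSIGN variable and the function names are this example's own, and the verification result is cosign's exit status, which the wrapper passes through to the caller.

```shell
#!/bin/sh
# Fail-closed wrapper for the verification commands in the guide above.
# Assumptions: 'cosign' is on PATH (or COSIGN points at it); all file names
# passed in are placeholders supplied by the caller.
set -eu

COSIGN="${COSIGN:-cosign}"

# verify_image KEYFILE IMAGE_REF
# Returns 2 if the key is unreadable, 3 if the image is not digest-pinned,
# otherwise cosign's own exit status (0 = signature verified).
verify_image() {
  key="$1"; image="$2"
  [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 2; }
  case "$image" in
    *@sha256:*) ;;   # pinned by digest: what was signed is what is verified
    *) echo "refusing unpinned image reference (use @sha256:<digest>): $image" >&2; return 3 ;;
  esac
  "$COSIGN" verify --key "$key" "$image"
}

# verify_chart KEYFILE SIGFILE CHART_TGZ
# Returns 2 if any input file is unreadable, 3 if the chart is not the .tgz
# produced by 'helm pull', otherwise cosign's exit status.
verify_chart() {
  key="$1"; sig="$2"; chart="$3"
  for f in "$key" "$sig" "$chart"; do
    [ -r "$f" ] || { echo "file not readable: $f" >&2; return 2; }
  done
  case "$chart" in
    *.tgz) ;;
    *) echo "expected the chart archive from 'helm pull' (.tgz): $chart" >&2; return 3 ;;
  esac
  "$COSIGN" verify-blob --key "$key" --signature "$sig" "$chart"
}

# Usage (placeholders):
#   verify_image my-app-image-key.pub registry.example.com/appviewx/my-service@sha256:<digest>
#   verify_chart chart-key.pub my-chart-1.2.3.tgz.sig my-chart-1.2.3.tgz
```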