Verifying ESS releases against Cosign
Cosign ESS Verification Key
ESS does not use the Cosign transparency log, so that airgapped deployments can be supported. Instead, we rely on a public key that you can request if you need to run image verification in your cluster.
The ESS Verification Key can be shared with customers; please reach out to your Customer Success Manager for more information.
The ESS Cosign public key is the following one:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Lc+7BqkqD+0XYft05CeXto/Ga1Y
DKNk3o48PIJ2JMrq3mzw13/m5rzlGjdgJCs6yctf4+UdACZx5WSiIWTFbQ==
-----END PUBLIC KEY-----
Verifying manually
To verify a container image against the ESS key, save the ESS public key as cosign.pub and run the following commands:
- Operator:
cosign verify registry.gitlab.element.io/engineering/ess/operator/element-kubernetes-operator:<version> --key cosign.pub --insecure-ignore-tlog=true
- Updater:
cosign verify registry.gitlab.element.io/engineering/ess/operator/element-kubernetes-updater:<version> --key cosign.pub --insecure-ignore-tlog=true
Verifying automatically
You will have to set up and configure your Sigstore admission policy to use the ESS public key.
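As an added example (not taken from the ESS documentation), one way to express this is a ClusterImagePolicy for the Sigstore policy-controller. The policy and authority names are hypothetical, and it assumes the policy-controller is installed and the target namespace is labelled policy.sigstore.dev/include=true.

```yaml
# Added example, not ESS's own configuration.
# Assumes the Sigstore policy-controller admission webhook is installed.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ess-operator-images        # hypothetical name
spec:
  images:
    # Covers both the operator and the updater images used in the
    # manual verification commands ("**" also matches "/").
    - glob: "registry.gitlab.element.io/engineering/ess/operator/**"
  authorities:
    - name: ess-cosign-key         # hypothetical name
      key:
        hashAlgorithm: sha256
        # ESS Cosign public key, as published on this page.
        data: |
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Lc+7BqkqD+0XYft05CeXto/Ga1Y
          DKNk3o48PIJ2JMrq3mzw13/m5rzlGjdgJCs6yctf4+UdACZx5WSiIWTFbQ==
          -----END PUBLIC KEY-----
      # No "ctlog" block is configured, mirroring --insecure-ignore-tlog=true
      # in the manual commands. Assumption: for key authorities the
      # policy-controller only consults a transparency log when "ctlog" is set.
```

Images matching the glob that are not signed by this key are rejected at admission in labelled namespaces. Images that match no policy are handled by the policy-controller's no-match setting, so review that setting before relying on this policy.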