
Verifying ESS releases against Cosign

Cosign ESS Verification Key

ESS does not use the Cosign transparency log, so that air-gapped deployments can be supported. Verification relies instead on a public key, which you can request if you need to run image verification in your cluster.

The ESS Verification Key can be shared with customers. Please reach out to your Customer Success Manager for more information.

Verifying manually

To verify a container image against the ESS key, run the following command for the relevant component:

  • Operator : cosign verify registry.gitlab.element.io/engineering/ess/operator/element-kubernetes-operator:<version> --key cosign.pub --insecure-ignore-tlog=true
  • Updater : cosign verify registry.gitlab.element.io/engineering/ess/operator/element-kubernetes-updater:<version> --key cosign.pub --insecure-ignore-tlog=true

Verifying automatically

You will have to set up and configure your Sigstore admission policy to use the ESS public key.
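
The following is an added example, not taken from the ESS documentation: a ClusterImagePolicy for the Sigstore policy-controller (assumed here to be the admission controller in use) that requires both ESS images to carry a signature made with the ESS key. The policy name is hypothetical and the key body is a placeholder for the contents of your cosign.pub; the authority has no ctlog entry, so no transparency log is configured, in line with the air-gapped design described above.

```yaml
# Added example: static-key verification of the ESS operator and updater images.
# Assumes the Sigstore policy-controller is installed in the cluster.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ess-image-signatures   # hypothetical name
spec:
  images:
    # Image paths as used in the manual "cosign verify" commands above.
    # "**" matches any tag or digest suffix.
    - glob: "registry.gitlab.element.io/engineering/ess/operator/element-kubernetes-operator**"
    - glob: "registry.gitlab.element.io/engineering/ess/operator/element-kubernetes-updater**"
  authorities:
    - name: ess-verification-key
      key:
        # Placeholder: paste the PEM contents of the cosign.pub you received.
        data: |
          -----BEGIN PUBLIC KEY-----
          <contents of cosign.pub>
          -----END PUBLIC KEY-----
      # No "ctlog" block on purpose: no transparency log is configured for
      # this authority, so the signature is verified against the key alone.
```

The policy-controller only enforces policies in namespaces labelled policy.sigstore.dev/include=true, so label the namespace where the ESS operator and updater run. Confirm enforcement by checking that a pod using an unsigned image matching one of the globs is rejected at admission.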