Updated on 2025-04-30 GMT+08:00

Verifying an Image Signature

Scenarios

To verify image signatures, you need to install the swr-cosign add-on. This section describes how to install the add-on.

Installing swr-cosign

  1. Log in to the CCE console.
  2. In the navigation pane, choose Add-ons.
  3. In the search box, enter cosign.
  4. Locate the Container Image Signature Verification add-on in the search result and click Install.
  5. Set the following parameters:

    • Cluster: Select the cluster where the image will be used. Only K8s V1.23 or later clusters are supported.

    Before verifying image signatures in a namespace of a cluster, you need to add the policy.sigstore.dev/include:true label to that namespace. Pods in namespaces without this label are not checked.

    • Version: Select an add-on version.
    • Specifications:
      • Single: The add-on can be used only in one repository.
      • HA: The add-on can be used in two repositories.
      • Custom: You can customize the number of repositories, CPU quota, and container quota.

      Table 1 swr-cosign specifications

      Parameter              Description
      Add-on Specifications  The value can be Single, HA, or Custom.
      Pods                   Number of pods that will be created to match the selected add-on specifications. If you selected Custom for Specifications, you can adjust the number of pods as needed.
      Containers             If you selected Custom for Specifications, you can adjust the container specifications as needed.

    • Parameters
      • KMS Key: Select a key created in Creating an Asymmetric Key.
      • Signature Verification Image: Click and select the images whose signatures need to be verified.

      Table 2 swr-cosign parameters

      Parameter                     Description
      KMS Key                       Select a key. Only EC_P256, EC_P384, and SM2 keys are supported. You can create a key using KMS.
      Signature Verification Image  Enter a regular expression. For example, if you enter docker.io/**, the signatures of all images in the docker.io repository will be verified. To verify the signatures of all images, enter **.

  6. Click Install.

    After the installation is complete, select the cluster and click Add-ons in the navigation pane. On the displayed page, you can see the installed swr-cosign.
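    The following Python model is an added example, not code from this page or from the swr-cosign add-on. It shows which pod images the two gates described above select for verification: the policy.sigstore.dev/include:true namespace label and the Signature Verification Image pattern. The pattern semantics beyond the page's two examples (docker.io/** and **), the Docker Hub short-name expansion, and the registry.example.internal host are assumptions made for the example.

```python
import re

# Namespace label that opts a namespace in to signature verification (from the page).
INCLUDE_LABEL = "policy.sigstore.dev/include"

def glob_to_regex(pattern: str):
    """Compile an image pattern such as 'docker.io/**' or '**'.
    Assumed semantics (the page gives only those two examples): '**' matches any
    characters including '/', a single '*' stays inside one path segment, and
    everything else is literal."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def normalize_image(image: str) -> str:
    """Expand Docker Hub short names as container runtimes do:
    'nginx:1.25' -> 'docker.io/library/nginx:1.25', 'team/app' -> 'docker.io/team/app'.
    Assumption: the add-on matches patterns against the fully qualified reference."""
    first, slash, _ = image.partition("/")
    if not slash:
        return "docker.io/library/" + image
    if "." in first or ":" in first or first == "localhost":
        return image  # first component already names a registry host
    return "docker.io/" + image

def images_requiring_verification(namespace_labels: dict, pod_images: list,
                                  patterns: list) -> list:
    """Return the pod images the add-on would demand a valid signature for.
    Both gates come from the page: the namespace must carry the
    policy.sigstore.dev/include: "true" label, and the image must match one of
    the configured Signature Verification Image patterns."""
    if namespace_labels.get(INCLUDE_LABEL) != "true":
        return []  # namespace not opted in: nothing is verified
    compiled = [glob_to_regex(p) for p in patterns]
    return [img for img in pod_images
            if any(rx.match(normalize_image(img)) for rx in compiled)]

# Constructed sample input: an opted-in namespace and a pod pulling two images.
SAMPLE_LABELS = {INCLUDE_LABEL: "true"}
SAMPLE_IMAGES = ["nginx:1.25", "registry.example.internal/team/app:1.0"]
```

    With the docker.io/** pattern only the Docker Hub image is selected; with ** both images are, and an unsigned image in that set is rejected at admission exactly as the test in the next section shows.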

Verifying an Image Signature

Log in to the CCE console and click the name of a cluster where swr-cosign has been installed. In the navigation pane, choose Workloads and click Create Workload. Select a namespace with the policy.sigstore.dev/include:true label and an unsigned image. Select an image access credential and continue to create the workload. The image will fail the signature verification because it has no signature.