content/en/docs/ops/best-practices/image-signing-validation/index.md
This page describes how to use Cosign to validate the provenance of Istio image artifacts.
Cosign is a tool developed as part of the sigstore project, which simplifies signing and validation of signed Open Container Initiative (OCI) artifacts, such as container images.
Starting with Istio 1.12, we sign all officially published container images as part of our release process. End users can then verify these images using the process described below.
This process is suitable for either manual execution or integration with build or deployment pipelines for automated verification of artifacts.
Before you begin, please do the following:
Download the latest Cosign build for your architecture, as well as its signature.
Validate the cosign binary signature:
{{< text bash >}}
$ openssl dgst -sha256
-verify <(curl -ssL https://raw.githubusercontent.com/sigstore/cosign/main/release/release-cosign.pub)
-signature <(cat /path/to/cosign.sig | base64 -d)
/path/to/cosign-binary
{{< /text >}}
Make the binary executable (chmod +x) and move to a location on the PATH
To validate a container image, do the following:
{{< text bash >}} $ ./cosign-binary verify --key "https://istio.io/misc/istio-key.pub" {{< istio_docker_image "pilot" >}} {{< /text >}}
This process will work for any released image or release candidate built with the Istio build infrastructure.
An example with output:
{{< text bash >}} $ cosign verify --key "https://istio.io/misc/istio-key.pub" gcr.io/istio-release/pilot:1.12.0
Verification for gcr.io/istio-release/pilot:1.12.0 -- The following checks were performed on each of these signatures:
[{"critical":{"identity":{"docker-reference":"gcr.io/istio-release/pilot"},"image":{"docker-manifest-digest":"sha256:c37fd83f6435ca0966d653dc6ac42c9fe5ac11d0d5d719dfe97de84acbf7a32d"},"type":"cosign container image signature"},"optional":null}] {{< /text >}}