Verification of Argo CD signatures
All Argo CD container images are signed by cosign. Checksums are created for the CLI binaries and then signed to ensure integrity.
- Cosign installation instructions
- Obtain or have a copy of argocd-cosign.pub, which can be located in the assets section of the release page
Once you have installed cosign, you can use argocd-cosign.pub to verify the signed assets or container images.
Verification of container images
```
cosign verify --key argocd-cosign.pub quay.io/argoproj/argocd:<VERSION>

Verification for quay.io/argoproj/argocd:<VERSION> --
The following checks were performed on each of these signatures:
  * The cosign claims were validated
  * The signatures were verified against the specified public key
...
```
Verification of signed assets
```
cosign verify-blob --key argocd-cosign.pub --signature "$(cat argocd-<VERSION>-checksums.sig)" argocd-<VERSION>-checksums.txt

Verified OK
```
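The `verify-blob` step above authenticates only the checksums file; a downloaded CLI binary still has to be compared against its entry in that file. The following is an added example, not part of the Argo CD documentation, that chains the two checks. It assumes the checksums file uses `sha256sum` format (`<hex digest>  <filename>`); the function names and their arguments are hypothetical.

```bash
# Added example. Assumption: checksums file lines look like "<sha256 hex>  <filename>".

# Print the SHA-256 of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{ print $1 }'
}

# verify_checksum CHECKSUMS_FILE ARTIFACT
# Returns 0 on match, 1 on digest mismatch, 2 if a file is unreadable
# or ARTIFACT has no entry in CHECKSUMS_FILE.
verify_checksum() {
  local sums="$1" artifact="$2" name expected actual
  [ -r "$sums" ] && [ -r "$artifact" ] || return 2
  name="$(basename "$artifact")"
  # Match the filename field exactly; strip the optional "*" binary-mode marker.
  expected="$(awk -v n="$name" \
    '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$sums")"
  [ -n "$expected" ] || return 2
  actual="$(sha256_of "$artifact")"
  [ "$actual" = "$expected" ]
}

# verify_release KEY SIG_FILE CHECKSUMS_FILE ARTIFACT
# The signature on the checksums file is checked first; the digest comparison
# is only meaningful once the checksums file itself is trusted.
verify_release() {
  cosign verify-blob --key "$1" --signature "$(cat "$2")" "$3" || return 1
  verify_checksum "$3" "$4"
}

# Usage (file names follow the placeholders used on this page):
#   verify_release argocd-cosign.pub argocd-<VERSION>-checksums.sig \
#                  argocd-<VERSION>-checksums.txt <downloaded CLI binary>
```

A return code of 2 from `verify_checksum` means the artifact was never covered by the signed checksums file, which should be treated as a failure rather than skipped.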
Cosign is compatible with several types of admission controllers. Please see the Cosign documentation for supported controllers.