Verification of Argo CD signatures

All Argo CD container images are signed by cosign. Checksums are created for the CLI binaries and then signed to ensure integrity.

Prerequisites

Once you have installed cosign, you can use argocd-cosign.pub to verify the signed assets or container images.

Verification of container images

cosign verify --key argocd-cosign.pub quay.io/argoproj/argocd:<VERSION>

Verification for quay.io/argoproj/argocd:<VERSION> --
The following checks were performed on each of these signatures:
  * The cosign claims were validated
  * The signatures were verified against the specified public key
...

Verification of signed assets

cosign verify-blob --key argocd-cosign.pub --signature "$(cat argocd-<VERSION>-checksums.sig)" argocd-<VERSION>-checksums.txt
Verified OK
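
"Verified OK" covers only the checksums file, so the downloaded CLI binary still has to be compared against an entry in that file. The following is an added example, not taken from the Argo CD documentation; the function names and the sha256sum-style line format of the checksums file are assumptions.

```shell
#!/bin/sh
# Added example. Assumption: the checksums file is in sha256sum format,
# one "<hex digest>  <file name>" entry per line.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# check_against_checksums CHECKSUMS_FILE BINARY
# Returns 0 on match, 1 on mismatch, 2 when the file has no unique entry.
check_against_checksums() {
    sums=$1
    bin=$2
    name=$(basename "$bin")
    # Compare the whole name field so one file name cannot match as a
    # prefix of another; a leading "*" marks sha256sum binary mode.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    count=$(printf '%s\n' "$expected" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected one entry for $name, found $count" >&2
        return 2
    fi
    if [ "$(sha256_of "$bin")" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    echo "$name: OK"
}

# verify_release KEY SIGNATURE CHECKSUMS_FILE BINARY
# Signature on the checksums file first, then the binary against that file.
verify_release() {
    cosign verify-blob --key "$1" --signature "$2" "$3" || return 3
    check_against_checksums "$3" "$4"
}
```

Call `verify_release` with the public key, the signature file, the checksums file and the downloaded binary; a non-zero exit status means the binary should not be installed.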

Admission controllers

Cosign is compatible with several types of admission controllers. Please see the Cosign documentation for the supported controllers.