Skip to content

Verification of Argo CD signatures

All Argo CD container images are signed by cosign. Checksums are created for the CLI binaries and then signed to ensure integrity.


Once you have installed cosign, you can use to verify the signed assets or container images.

Verification of container images

cosign verify --key<VERSION>

Verification for<VERSION> --
The following checks were performed on each of these signatures:
  * The cosign claims were validated
  * The signatures were verified against the specified public key

Verification of signed assets

cosign verify-blob --key --signature $(cat argocd-<VERSION>-checksums.sig) argocd-$VERSION-checksums.txt
Verified OK

Admission controllers

Cosign is compatible with several types of admission controllers. Please see the Cosign documentation for supported controllers