Verify VMware Tanzu Application Catalog signatures

The VMware Tanzu Application Catalog (Tanzu Application Catalog) artifacts (container images, container image metadata bundles, Helm charts, and Helm chart metadata bundles) are signed with Sigstore Cosign. The artifacts are pushed to your registry together with their signatures.

Signing lets you verify the VAC artifacts. This ensures that:

  • The artifacts you downloaded come from VMware.
  • They have not been tampered with or altered in any form.

How to verify signatures?

Install the Cosign tool and run:

$ cosign verify --key https://app-catalog.vmware.com/.well-known/cosign.pub ARTIFACT_REFERENCE --insecure-ignore-tlog

  1. ARTIFACT_REFERENCE can be:

    • A container image.

      Example: registry.pivotal.io/tac-for-tanzu-advanced/containers/nginx:1.21.5-ubuntu-18-r7

    • A container image metadata bundle.

      Example: registry.pivotal.io/tac-for-tanzu-advanced/containers/nginx:1.21.5-ubuntu-18-r7-metadata

    • A Helm chart.

      Example: registry.pivotal.io/tac-for-tanzu-advanced/charts/nginx:9.8.0

    • A Helm chart metadata bundle.

      Example: registry.pivotal.io/tac-for-tanzu-advanced/charts/nginx:9.8.0-metadata

    Note

    ARTIFACT_REFERENCE can be a tag or a digest.

  2. --insecure-ignore-tlog: Use this option to skip transparency log verification only; the signature is still verified against the public key. The OCI signatures are stored in the OCI registry alongside the artifacts and are not uploaded to any public transparency log service, so there is no log entry to check.
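The following script is an added example and is not part of this page or of the Tanzu Application Catalog tooling. It wraps the cosign command above to verify all four artifact kinds for one asset: the image, the chart, and their metadata bundles (whose tags are the artifact tag with a -metadata suffix, as in the examples above). It assumes cosign is on PATH (or that COSIGN points at the binary) and that you can pull from the registry; the helper names tac_metadata_ref, tac_verify_one and tac_verify_all are chosen here.

```shell
#!/bin/sh
# Added example, not from the VMware page: verify image, image metadata bundle,
# chart and chart metadata bundle of one Tanzu Application Catalog asset with
# the page's cosign command. Assumes cosign is installed and the registry is
# reachable; helper names below are this script's own.

COSIGN_PUB_URL="https://app-catalog.vmware.com/.well-known/cosign.pub"
COSIGN="${COSIGN:-cosign}"   # override to point at a specific cosign binary

# tac_metadata_ref REF: print the metadata bundle reference for a tag reference
# (TAG-metadata, as on the page). A digest reference (name@sha256:...) has no
# derivable metadata tag, so refuse it rather than emit a bogus name.
tac_metadata_ref() {
  case "${1##*/}" in
    *@*) echo "tac_metadata_ref: $1 is a digest; pass the metadata bundle reference explicitly" >&2
         return 1 ;;
    *:*) printf '%s-metadata\n' "$1" ;;
    *)   echo "tac_metadata_ref: $1 has no tag" >&2
         return 1 ;;
  esac
}

# tac_verify_one REF: run the page's verification command; exit status is cosign's.
tac_verify_one() {
  "$COSIGN" verify --key "$COSIGN_PUB_URL" "$1" --insecure-ignore-tlog
}

# tac_verify_all IMAGE_REF CHART_REF: verify the image, the chart and both
# metadata bundles. Prints one OK/FAIL line per artifact and returns 1 if any
# verification failed (2 if a metadata reference could not be derived).
tac_verify_all() {
  img_meta=$(tac_metadata_ref "$1") || return 2
  chart_meta=$(tac_metadata_ref "$2") || return 2
  fails=0
  for ref in "$1" "$img_meta" "$2" "$chart_meta"; do
    if tac_verify_one "$ref" >/dev/null 2>&1; then
      echo "OK   $ref"
    else
      echo "FAIL $ref"
      fails=$((fails + 1))
    fi
  done
  [ "$fails" -eq 0 ]
}

# Usage: sh verify-tac.sh IMAGE_REF CHART_REF
# e.g. sh verify-tac.sh \
#   registry.pivotal.io/tac-for-tanzu-advanced/containers/nginx:1.21.5-ubuntu-18-r7 \
#   registry.pivotal.io/tac-for-tanzu-advanced/charts/nginx:9.8.0
if [ "$#" -eq 2 ]; then
  tac_verify_all "$1" "$2"
fi
```

Because a tag can be moved to a different manifest after you verified it, treat a verified tag as a one-time check and pin deployments to the digest that the successful verification reported; when you already hold digests, call tac_verify_one on each digest reference directly rather than deriving metadata tags.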