Image Signing and Validation

This page describes how to use Cosign to validate the provenance of Istio image artifacts.

Cosign is a tool developed as part of the sigstore project, which simplifies signing and validation of signed Open Container Initiative (OCI) artifacts, such as container images.

Starting with Istio 1.12, we sign all officially published container images as part of our release process. End users can then verify these images using the process described below.

This process is suitable for either manual execution or integration with build or deployment pipelines for automated verification of artifacts.


Before you begin, please do the following:

  1. Download the latest Cosign build for your architecture, as well as its signature.

  2. Validate the cosign binary signature:

    $ openssl dgst -sha256 \
        -verify <(curl -ssL \
        -signature <(cat /path/to/cosign.sig | base64 -d) \
  3. Make the binary executable (chmod +x) and move to a location on the PATH

Validating Image

To validate a container image, do the following:

$ ./cosign-binary verify --key ""

This process will work for any released image or release candidate built with the Istio build infrastructure.

An example with output:

$ cosign verify --key ""

Verification for --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
  - Any certificates were verified against the Fulcio roots.

[{"critical":{"identity":{"docker-reference":""},"image":{"docker-manifest-digest":"sha256:c37fd83f6435ca0966d653dc6ac42c9fe5ac11d0d5d719dfe97de84acbf7a32d"},"type":"cosign container image signature"},"optional":null}]
Was this information useful?
Do you have any suggestions for improvement?

Thanks for your feedback!