Verify the image signature

The Airlock Microgateway images are signed using Cosign, which can be verified easily by running the following command.

cosign verify --key https://raw.githubusercontent.com/airlock/microgateway/main/cosign/cosign.pub <image-reference>

List of images:

Microgateway Operator – quay.io/airlock/microgateway-operator
Microgateway CNI plugin – quay.io/airlock/microgateway-cni
Microgateway Engine – quay.io/airlock/microgateway-engine
Microgateway Session Agent – quay.io/airlock/microgateway-session-agent

Verifying the image signature with the cosign.pub key can be automated by a policy controller such as sigstore policy-controller, Kyverno, or Connaisseur.

For more information, see:
Sigstore policy-controller setup documentation
Kyverno policy controller setup documentation for Cosign-generated signatures
Connaisseur policy controller setup documentation for Cosign-generated signatures