
Signature Verification

Verifying a Cosign signature

All binaries and container images are signed with Cosign (Sigstore keyless signing performed by the project's GitHub Actions workflows, which is why verification checks the signing certificate's identity and OIDC issuer rather than a long-lived public key).

You need the Cosign CLI installed.

Verifying signed container images

  1. Use the following command for keyless verification, replacing <version> with the image tag you pulled:

    cosign verify aquasec/trivy:<version> \
    --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
    

  2. You should get output like the following (shown here for the latest tag); cosign exits with a non-zero status if any check fails

    Verification for index.docker.io/aquasec/trivy:latest --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - Existence of the claims in the transparency log was verified offline
      - The code-signing certificate was verified using trusted certificate authority certificates
    
      ....
    

Verifying signed binaries

  1. Download the tarball together with its certificate (.pem) and signature (.sig) files from the GitHub release
  2. Use the following command for keyless verification:
    cosign verify-blob <path to binary> \
    --certificate <path to cert> \
    --signature <path to sig> \
    --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
    
  3. You should get the following output
    Verified OK
    

For example:

$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.pem"
$ wget "https://github.com/aquasecurity/trivy/releases/download/v0.45.0/trivy_0.45.0_Linux-32bit.tar.gz.sig"
$ cosign verify-blob trivy_0.45.0_Linux-32bit.tar.gz \
  --certificate trivy_0.45.0_Linux-32bit.tar.gz.pem \
  --signature trivy_0.45.0_Linux-32bit.tar.gz.sig \
  --certificate-identity-regexp 'https://github\.com/aquasecurity/trivy/\.github/workflows/.+' \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Verified OK
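The two procedures above as one script, added here as an example and not Trivy's own tooling: it downloads a release tarball with its .pem and .sig, runs cosign verify-blob with the identity and issuer policy from this page, and only unpacks the archive when cosign succeeds; a second function applies the same policy to a container image and prints the signing identity recorded in the signature payload (the optional.Subject and optional.Issuer fields, read with jq, which is an extra dependency this example assumes). The release_url helper assumes the asset naming shown in the page's example (trivy_<version>_<os>-<arch>.tar.gz). Requires cosign, curl, tar and jq; the verifications themselves need network access.

```shell
#!/bin/sh
# Added example (not Trivy's own script): fetch a release tarball with its
# Sigstore certificate (.pem) and signature (.sig), run cosign keyless
# verification against the policy from this page, and unpack only on success.
set -eu

REPO_URL='https://github.com/aquasecurity/trivy'
ISSUER='https://token.actions.githubusercontent.com'
# Identity policy from the page: a certificate issued to any workflow in the
# trivy repository. cosign matches it unanchored, like Go's regexp.MatchString.
IDENTITY_RE='https://github\.com/aquasecurity/trivy/\.github/workflows/.+'

# Pure helper: would a given certificate SAN satisfy IDENTITY_RE? Lets you
# reason about the policy offline; cosign performs the real check.
identity_matches() {
  printf '%s\n' "$1" | grep -Eq "$IDENTITY_RE"
}

# Release asset URL (naming assumed from the page's example):
# $1 version without the leading v (0.45.0), $2 platform tag (Linux-64bit),
# $3 suffix: '' for the tarball, .pem for the certificate, .sig for the signature.
release_url() {
  printf '%s/releases/download/v%s/trivy_%s_%s.tar.gz%s\n' \
    "$REPO_URL" "$1" "$1" "$2" "$3"
}

# Keyless verification of a blob; cosign exits non-zero if any check fails
# (bad signature, identity or issuer mismatch, missing transparency-log entry).
verify_blob() {
  cosign verify-blob "$1" \
    --certificate "$2" \
    --signature "$3" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER"
}

# Same policy for a container image. The payload is captured first so that a
# cosign failure is not masked by jq succeeding on empty input.
verify_image() {
  payload=$(cosign verify "$1" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER")
  printf '%s\n' "$payload" \
    | jq -r '.[] | "signed by \(.optional.Subject) via \(.optional.Issuer)"'
}

main() {
  version=$1; platform=$2
  workdir=$(mktemp -d)
  tarball="trivy_${version}_${platform}.tar.gz"
  for suffix in '' .pem .sig; do
    curl -fsSL -o "$workdir/$tarball$suffix" \
      "$(release_url "$version" "$platform" "$suffix")"
  done
  # Verify before anything reads the archive contents.
  if ! verify_blob "$workdir/$tarball" "$workdir/$tarball.pem" "$workdir/$tarball.sig"; then
    echo "verification FAILED for $tarball; not unpacking" >&2
    rm -rf "$workdir"
    exit 1
  fi
  tar -xzf "$workdir/$tarball" -C "$workdir"
  echo "verified and unpacked into $workdir"
}

# Runs only when called with <version> <platform>; sourcing the file just
# defines the functions. Example: ./verify-trivy.sh 0.45.0 Linux-64bit
case $# in
  0) ;;
  2) main "$@" ;;
  *) echo "usage: $0 <version> <platform>   e.g. $0 0.45.0 Linux-64bit" >&2; exit 2 ;;
esac
```

Note that the regexp on this page accepts a certificate issued to any workflow in the aquasecurity/trivy repository, not only the release workflow. Once you have seen the workflow path in a verified certificate, you can tighten the policy by replacing --certificate-identity-regexp with --certificate-identity and the full identity, which for GitHub Actions has the form https://github.com/aquasecurity/trivy/.github/workflows/<workflow file>@<git ref>.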

Verifying a GPG signature

RPM and Deb packages are additionally signed with GPG.

Verifying RPM

The public key is published at the URL used in step 1 below.

  1. Download the public key
    curl https://aquasecurity.github.io/trivy-repo/rpm/public.key \
    --output pub.key
    
  2. Import the key
    rpm --import pub.key
    
  3. Verify that the key has been imported

    rpm -q --queryformat "%{SUMMARY}\n" $(rpm -q gpg-pubkey)
    
    You should see the Trivy key listed (the query prints every key imported into the RPM database, so other keys may appear alongside it)
    gpg(trivy)
    

  4. Download the required package (<version> is the release tag, e.g. v0.45.0)

    curl -L https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm \
    --output trivy.rpm
    

  5. Check the package's digests and signature with the following command
    rpm -K trivy.rpm
    
    You should get the following output
    trivy.rpm: digests signatures OK
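The RPM procedure above as one script, added here as an example and not part of Trivy's documentation. Its point is the check the steps above leave implicit: rpm -K reports OK for a package signed by any key in the RPM keyring, so the key must be pinned before it is imported. The expected fingerprint is a deliberate placeholder (TRIVY_RPM_KEY_FPR) because this example does not know Trivy's key fingerprint; supply it from a source you already trust. Requires curl, gpg (2.2 or newer for --show-keys) and rpm; the downloads need network access.

```shell
#!/bin/sh
# Added example (not part of Trivy's docs): import the Trivy RPM signing key
# only after its fingerprint matches one obtained out of band, then check a
# downloaded package and show which key signed it.
set -eu

KEY_URL='https://aquasecurity.github.io/trivy-repo/rpm/public.key'
# Placeholder by design: this example does not know Trivy's key fingerprint.
# Set TRIVY_RPM_KEY_FPR from a source you already trust (for example the
# fingerprint recorded at a previous, verified install).
EXPECTED_FPR=${TRIVY_RPM_KEY_FPR:-}

# Pure helper: strip whitespace and upper-case a fingerprint so that the
# grouped form gpg prints and the compact form compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Pure helper: succeeds only if the expected fingerprint ($1) is non-empty and
# equals $2 after normalisation, so an unset expectation never matches.
fpr_matches() {
  [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# List the fingerprints in a key file without importing it into any keyring
# (gpg 2.2+; with --with-colons the fingerprint is field 10 of "fpr" records).
key_fingerprints() {
  gpg --batch --with-colons --show-keys "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

main() {
  pkg_url=$1
  workdir=$(mktemp -d)
  curl -fsSL -o "$workdir/pub.key" "$KEY_URL"
  curl -fsSL -o "$workdir/trivy.rpm" "$pkg_url"

  # rpm -K passes for a package signed by any imported key, so the decision
  # that matters is made here, before the import.
  matched=0
  for fpr in $(key_fingerprints "$workdir/pub.key"); do
    if fpr_matches "$EXPECTED_FPR" "$fpr"; then matched=1; fi
  done
  if [ "$matched" -ne 1 ]; then
    echo "key at $KEY_URL does not match TRIVY_RPM_KEY_FPR; refusing to import. Fingerprints seen:" >&2
    key_fingerprints "$workdir/pub.key" >&2
    rm -rf "$workdir"
    exit 1
  fi
  rpm --import "$workdir/pub.key"

  # -K checks digests and signatures and exits non-zero on any failure;
  # -v additionally prints the key ID each signature was made with.
  rpm -Kv "$workdir/trivy.rpm"
  echo "package verified: $workdir/trivy.rpm"
}

# Runs only when called with the package URL; sourcing the file just defines
# the functions. Example:
#   TRIVY_RPM_KEY_FPR='<fingerprint>' ./verify-trivy-rpm.sh \
#     https://github.com/aquasecurity/trivy/releases/download/<version>/<file name>.rpm
case $# in
  0) ;;
  1) main "$@" ;;
  *) echo "usage: $0 <rpm download URL>" >&2; exit 2 ;;
esac
```

If the fingerprint check fails, the script prints every fingerprint found in the downloaded file and exits without importing anything, which is the behaviour you want when the key server or the download is not what you expected.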