bashofmann
Contributor

This allows users to securely verify that a Qdrant container image was created by us

Once merged and after the next release, a container image can be verified like this:

cosign verify qdrant/qdrant:v1.16.0 --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp='https://github.com/qdrant/.*'

All the details: https://docs.sigstore.dev/cosign/signing/signing_with_containers/

All Submissions:

  • Contributions should target the dev branch. Did you create your branch from dev?
  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
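
`cosign verify` on a tag checks whatever the tag points to at that moment, so a deployment can pin the digest that was actually verified. The following is an added example, not part of this PR or of Qdrant's code: it reads the JSON payloads that `cosign verify` prints on success and builds a digest-pinned reference. The sample output, its digest and the `pinned_reference` helper are constructed for illustration.

```python
import json
import re

# Constructed sample of what `cosign verify` prints on success: a JSON array
# with one simple-signing payload per valid signature. The digest is made up.
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/qdrant/qdrant"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {},
}])

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def pinned_reference(verify_output: str, repository: str) -> str:
    """Return repository@digest for the image that cosign actually verified."""
    payloads = json.loads(verify_output)
    if not isinstance(payloads, list) or not payloads:
        raise ValueError("no verified signature payloads")
    digests = set()
    for payload in payloads:
        critical = payload["critical"]
        if critical["type"] != "cosign container image signature":
            raise ValueError("unexpected payload type: %r" % critical["type"])
        digest = critical["image"]["docker-manifest-digest"]
        # Refuse anything that is not a well-formed sha256 digest.
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError("malformed digest: %r" % digest)
        digests.add(digest)
    # All signatures returned for one image must name the same manifest.
    if len(digests) != 1:
        raise ValueError("payloads disagree on the image digest")
    return "%s@%s" % (repository, digests.pop())


if __name__ == "__main__":
    print(pinned_reference(SAMPLE_VERIFY_OUTPUT, "qdrant/qdrant"))
```

Feed it the standard output of the `cosign verify` command shown above and deploy the returned reference instead of the tag.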

This allows users to securely verify that a Qdrant container image was created by us
@bashofmann bashofmann requested a review from timvisee August 22, 2025 14:04
coderabbitai[bot]

This comment was marked as resolved.

Comment on lines +59 to +61

DIGEST=$(docker buildx imagetools inspect ${DOCKERHUB_TAG} --format '{{ json .Manifest.Digest }}' | cut -d '"' -f 2)
cosign sign --yes "${DOCKERHUB_TAG}@${DIGEST}"
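
Review bot: In the DIGEST assignment, the pipeline's exit status is that of cut, so a failed docker buildx imagetools inspect leaves DIGEST empty without stopping the step (unless pipefail is in effect outside these lines), and cosign sign is then called with "${DOCKERHUB_TAG}@". Suggest checking that DIGEST is non-empty and starts with sha256: before signing, and quoting "${DOCKERHUB_TAG}" in the inspect call the way the cosign line already does.
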
Member

Is it correct that we sign after pushing the image? Then, where is the signature kept?

Member

Yes, this is correct. The docker tag includes the registry host, and cosign attaches the signature for us.

@qdrant qdrant deleted a comment from coderabbitai bot Aug 25, 2025
@bashofmann bashofmann merged commit 4e8e9da into qdrant:dev Aug 25, 2025
16 checks passed
timvisee pushed a commit that referenced this pull request Aug 26, 2025
* Sign container images with cosign

This allows users to securely verify that a Qdrant container image was created by us

* Add contents read permission
@timvisee timvisee mentioned this pull request Aug 26, 2025