PodArmor docs

Verify a Cosign signature

Confirm an image came from PodArmor and hasn't been tampered with.

Every image PodArmor publishes is signed using Cosign keyless mode (OIDC against GitHub Actions). To verify, you'll need:

  • The signing-identity regex PodArmor uses (we publish it on this page or via your account contact)
  • The OIDC issuer, which is the standard GitHub Actions one

cosign verify <image-ref> \
  --certificate-identity-regexp '<podarmor-signing-identity-regex>' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

Reach out to your PodArmor contact for the exact identity regex value to drop in. Pinning the identity ties verification to PodArmor's signing identity, so an image manifest that is stolen and re-signed by any other identity still fails the check, even though that signature is otherwise valid.

A successful run prints the signature transparency-log entry plus the GitHub Actions identity that signed it. Failure means either:

  • the image was tampered with after we signed it (extraordinarily unlikely if you pulled from our ECR), or
  • you've pinned to a tag that was rebuilt under a slightly older signing setup — pull :latest for the same upstream + -r{epoch} and retry

Wiring into CI

The most useful place to run cosign verify is in your CI before you allow an image to deploy. A minimal GitHub Actions step:

- name: Verify PodArmor signature
  run: |
    cosign verify ${{ env.IMAGE_REF }} \
      --certificate-identity-regexp '${{ secrets.PODARMOR_SIGNING_IDENTITY }}' \
      --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

Store the identity regex as a GitHub Actions secret rather than hardcoding it in your workflow — that way the value lives alongside your other supply-chain config, not in a publicly readable repo file.

If the verification fails, the step exits non-zero and the workflow halts before deploy. That's the property you want — supply-chain attacks fail closed.
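As an added example (not PodArmor's own tooling), here is a fail-closed shell wrapper around the `cosign verify` step above, suitable as a CI gate: it refuses to run when the identity regex is empty or matches any identity (an unset secret must not silently weaken the check), pins the GitHub Actions issuer, and propagates cosign's exit status. It assumes cosign is on PATH (or named by a hypothetical COSIGN_BIN variable) and that the regex arrives via PODARMOR_SIGNING_IDENTITY as in the workflow above.

```shell
#!/bin/sh
# Added example, not PodArmor's code. Assumes `cosign` is on PATH or that
# COSIGN_BIN (hypothetical, for substitution in tests) names the binary.

PODARMOR_OIDC_ISSUER='https://token.actions.githubusercontent.com'

# Fail closed on a missing identity regex, or one that would accept any
# signer: either case means the secret was not wired up correctly.
check_identity_regex() {
  regex="$1"
  [ -n "$regex" ] || { echo "refusing to verify: identity regex is empty" >&2; return 1; }
  case "$regex" in
    '.*'|'^.*$'|'.+'|'^.+$')
      echo "refusing to verify: identity regex matches any identity" >&2; return 1 ;;
  esac
  return 0
}

# Returns 0 only when cosign verified the image against the PodArmor identity
# regex and the standard GitHub Actions issuer; anything else blocks deploy.
verify_podarmor_image() {
  image_ref="$1"
  regex="${2:-$PODARMOR_SIGNING_IDENTITY}"
  [ -n "$image_ref" ] || { echo "usage: verify_podarmor_image <image-ref> [identity-regex]" >&2; return 2; }
  check_identity_regex "$regex" || return 2
  # A tag can be rebuilt (see the failure modes above); a digest cannot.
  case "$image_ref" in
    *@sha256:*) ;;
    *) echo "note: $image_ref is a tag, not a digest; it may resolve to a rebuilt image" >&2 ;;
  esac
  "${COSIGN_BIN:-cosign}" verify "$image_ref" \
    --certificate-identity-regexp "$regex" \
    --certificate-oidc-issuer "$PODARMOR_OIDC_ISSUER"
}

# Gate: when IMAGE_REF is set (as in the CI step above), halt on any failure.
if [ -n "$IMAGE_REF" ]; then
  verify_podarmor_image "$IMAGE_REF" || exit 1
fi
```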
