How it works
Agate uses cosign’s keyful signing mode. A private key signs each image at build time, and the corresponding public key is published at https://os.fpt.icu/cosign.pub. You verify by providing that public key and the image reference; cosign fetches the signature stored in the registry alongside the image and checks it against the key.
The images are also tracked on Artifact Hub, where you can find additional metadata and provenance information.
Verify the image
Install cosign
Install cosign from the official releases page or via your package manager. Confirm the installation:
- Homebrew
- Go install
- RPM (Fedora)
Obtain the public key
The Agate cosign public key is hosted at https://os.fpt.icu/cosign.pub. You can reference it directly in the verify command, or download it locally for offline use:
Verify the image
Run the verification command for the registry you are using. If you downloaded the key file locally, replace the URL with the local path:
- Quay.io (primary)
- GitHub (mirror)
Interpret the output
A successful verification prints JSON output containing the image digest, the certificate metadata, and the signature payload. The key things to look for are a zero exit code and output that includes the verified image digest. Any failure, such as a key mismatch or an unsigned image, results in a non-zero exit and an error message.
If verification fails, do not rebase. The image may be corrupted or may not have been signed by the expected key.
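The steps above, wrapped into a script that runs the verify command and applies the two checks the text names (zero exit code and a digest in the output). This is an added example, not from the Agate docs; the image reference is taken from an `IMAGE` placeholder variable, and the function names and the digest check are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Agate docs: verify an Agate image against the
# published cosign public key and confirm the output carries an image digest.
# Assumptions: IMAGE/KEY_FILE are placeholders supplied by the caller.
set -u

KEY_URL="https://os.fpt.icu/cosign.pub"   # public key published by Agate

# Pull the docker-manifest-digest out of cosign's JSON output (no jq needed).
# Prints the digest and returns 0; returns 1 when no digest is present.
extract_digest() {
    d=$(printf '%s' "$1" |
        sed -n 's/.*"docker-manifest-digest":"\(sha256:[0-9a-f]\{64\}\)".*/\1/p' |
        head -n 1)
    [ -n "$d" ] || return 1
    printf '%s\n' "$d"
}

# A run counts as verified only with exit code 0 AND a digest in the output.
# $1 = cosign exit code, $2 = captured stdout.
verdict() {
    [ "$1" -eq 0 ] || { echo "FAIL: cosign exited $1 (key mismatch or unsigned image)"; return 1; }
    d=$(extract_digest "$2") || { echo "FAIL: exit 0 but no digest in output"; return 1; }
    echo "OK: verified digest $d"
}

# Run cosign verify with a local key file if given, else the published URL.
verify_image() {
    image="$1"; key="${2:-$KEY_URL}"
    out=$(cosign verify --key "$key" "$image"); rc=$?
    verdict "$rc" "$out"
}

if [ -n "${IMAGE:-}" ]; then
    verify_image "$IMAGE" "${KEY_FILE:-}" || { echo "Do not rebase onto $IMAGE" >&2; exit 1; }
else
    echo "usage: IMAGE=<registry>/<org>/agate:<tag> [KEY_FILE=cosign.pub] sh $0" >&2
fi
```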