We will be deprecating DCT signing for Docker artifacts (mattermost/mattermost-team-edition:x.x.x, mattermost/mattermost-enterprise-edition:x.x.x) in favor of Cosign. Starting November 2024, we will drop DCT signing and only use Cosign. If you rely on artifact verification using DCT, now is the time to transition to Cosign.
Verifying Mattermost Images with Cosign
To ensure the authenticity and integrity of Mattermost images, follow these steps to verify them with Cosign:
- Install Cosign: If you don't already have Cosign installed, install it by following the Cosign installation documentation.
- Verify the image: Mattermost provides a public key (Cosign Public Key) to verify the signatures. Use the following commands to verify the Mattermost images:
  - cosign verify --key https://releases.mattermost.com/Cosign_public.key mattermost/mattermost-team-edition:9.9.2
  - cosign verify --key https://releases.mattermost.com/Cosign_public.key mattermost/mattermost-enterprise-edition:9.9.2
- Check the verification results: After running the commands, Cosign prints the verification results. Ensure the signatures are valid and were verified against the expected public key.
Expected output:
- The Cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
By following these steps, you can confidently verify that the Mattermost images are genuine and have not been tampered with.
Note: The examples use version 9.9.2. Replace it with the version you are verifying.
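A small shell wrapper for the procedure above, added here as an example and not Mattermost's own tooling: it assumes the public key has already been downloaded from the URL above and saved locally (the COSIGN_KEY variable is a name chosen for this example), and it treats an image as verified only when cosign exits zero and its output contains all three claims listed under Expected output.

```shell
#!/bin/sh
# Added example (not Mattermost's own tooling): gate a deployment on Cosign
# verification of one or more Mattermost images.
set -eu

# Assumption: the public key was fetched once from the URL above, reviewed, and
# saved locally; a pinned copy avoids trusting a fresh download on every run.
COSIGN_KEY="${COSIGN_KEY:-./Cosign_public.key}"

# Succeed only when all three claims the page lists appear in cosign's output
# (matched case-insensitively; cosign writes them to stderr).
check_claims() {
    _out="$1"
    for claim in \
        'The cosign claims were validated' \
        'Existence of the claims in the transparency log was verified offline' \
        'The signatures were verified against the specified public key'
    do
        printf '%s\n' "$_out" | grep -qi -- "$claim" || return 1
    done
    return 0
}

# Verify one image; a non-zero exit from cosign or a missing claim is a failure.
verify_image() {
    _img="$1"
    _out="$(cosign verify --key "$COSIGN_KEY" "$_img" 2>&1)" || {
        printf 'FAIL %s: cosign exited non-zero\n%s\n' "$_img" "$_out" >&2
        return 1
    }
    check_claims "$_out" || {
        printf 'FAIL %s: expected claims not present in output\n' "$_img" >&2
        return 1
    }
    printf 'OK   %s\n' "$_img"
}

# Verify every image given on the command line; exit non-zero if any fails.
main() {
    [ -r "$COSIGN_KEY" ] || { echo "key file not readable: $COSIGN_KEY" >&2; exit 2; }
    _failed=0
    for img in "$@"; do
        verify_image "$img" || _failed=1
    done
    return "$_failed"
}

# Usage: ./verify-mattermost-images.sh mattermost/mattermost-team-edition:9.9.2 ...
if [ $# -gt 0 ]; then
    main "$@"
fi
```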