| 1 | +# How to verify container signatures for Sourcegraph releases |
| 2 | + |
| 3 | +Sourcegraph publishes cryptographic signatures for all container images included in each release. These signatures can be used to verify the authenticity and integrity of the downloaded images. |
| 4 | + |
| 5 | +To verify signatures for a specific release, use the Sourcegraph CLI (`src`). This tool validates that all images in the release were signed by Sourcegraph and displays the SHA256 hashes of the verified images. |
| 6 | + |
| 7 | +## Prerequisites |
| 8 | + |
| 9 | +1. Install `src` following the [Quickstart](../quickstart.mdx). |
| 10 | + |
| 11 | +2. Install `cosign` following the [Installation Guide](https://docs.sigstore.dev/cosign/system_config/installation/). |
| 12 | + |
| 13 | +## Verification Process |
| 14 | + |
| 15 | +1. Determine the Sourcegraph version to verify. Use either a [recent release](../../CHANGELOG.mdx) or your instance's current version. |
| 16 | + |
| 17 | + > **Note:** Signature verification is available only for Sourcegraph release 5.11.4013 and later. |
| 18 | +
|
| 19 | + To find your instance's current version, check your deployment or view the Settings page on your Sourcegraph instance (version shown in bottom left corner). |
| 20 | + |
| 21 | +  |
| 22 | + |
| 23 | +2. Run the verification command: |
| 24 | + |
| 25 | + ```bash:terminal |
| 26 | + # Verify signatures for Sourcegraph release 5.11.6271 |
| 27 | + $ src signature verify -v 5.11.6271 -d sourcegraph-digests/ |
| 28 | +
|
| 29 | + Verifying signatures for all 40 images in the Sourcegraph 5.11.6271 release... |
| 30 | +
|
| 31 | + ✅ sourcegraph/batcheshelper@sha256:f77538c3ff985abd5fdb1cc1eb7068418cb84e0d0df629d353bdf0910e232e86 |
| 32 | + ✅ sourcegraph/bundled-executor@sha256:5ba1d2c4a3df2620532400de736df81d52d7b07deb07ca26832edbe78f566cfd |
| 33 | + ✅ sourcegraph/cody-gateway@sha256:bfeeb0d2bb45543553dc950678da5ed6de052a85cd25a6b3b0b5690e425ee57c |
| 34 | +
|
| 35 | + [...] |
| 36 | +
|
| 37 | + 🟢 Verified signatures and digests for 40 images |
| 38 | +
|
| 39 | + Verified digests have been written to 'sourcegraph-digests/sourcegraph-5.11.6271/verified-digests.txt'. |
| 40 | +
|
| 41 | + Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used. |
| 42 | + ``` |
| 43 | +3. After verification completes, find the validated image digests in `sourcegraph-digests/sourcegraph-<version>/`. |
| 44 | + |
| 45 | +**Important:** The verification process checks all containers in a Sourcegraph release. Your instance typically uses only a subset of these containers. Review your deployment configuration to identify which containers are relevant to your deployment. |
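Review bot: the Prerequisites section (line 11) tells the reader to install `cosign`, but nothing in the Verification Process says how `src signature verify` uses it or which trust root it verifies against, so the reader cannot tell what "signed by Sourcegraph" means or reproduce the check independently. Suggest adding, between steps 2 and 3, a sentence stating whether `src` invokes the local `cosign` binary (and the minimum version it needs) and which signing identity or public key the images are checked against, so that a user can run the equivalent `cosign verify` themselves. The same block should also say what the command prints and which exit code it returns when a signature or digest does not verify, since the example output only shows the success path. Finally, step 3 and the closing **Important** paragraph both stop at "find the validated image digests" without saying what to do with them; one line recommending that deployments pin images by the digests in `verified-digests.txt` rather than by tag would make the purpose of the file clear.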