Skip to content

Sign container images with cosign#7119

Merged
bashofmann merged 2 commits intoqdrant:devfrom
bashofmann:cosign
Aug 25, 2025
Merged

Sign container images with cosign#7119
bashofmann merged 2 commits intoqdrant:devfrom
bashofmann:cosign

Conversation

@bashofmann
Copy link
Contributor

@bashofmann bashofmann commented Aug 22, 2025

This allows users to securely verify that a Qdrant container image was created by us

Once merged and after the next release, a container image can be verified like this:

cosign verify qdrant/qdrant:v1.16.0 --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity-regexp='https://github.com/qdrant/.*'

All the details: https://docs.sigstore.dev/cosign/signing/signing_with_containers/

All Submissions:

  • Contributions should target the dev branch. Did you create your branch from dev?
  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?

@bashofmann
Sign container images with cosign
9c2f6d3 
This allows users to securely verify that a Qdrant container image was created by us
@bashofmann bashofmann requested a review from timvisee August 22, 2025 14:04
coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

coderabbitai[bot]

This comment was marked as resolved.

Sign in to view

timvisee
timvisee reviewed Aug 25, 2025
View reviewed changes
.github/workflows/docker-image.yml
Comment on lines +59 to +61

DIGEST=$(docker buildx imagetools inspect ${DOCKERHUB_TAG} --format '{{ json .Manifest.Digest }}' | cut -d '"' -f 2)
cosign sign --yes "${DOCKERHUB_TAG}@${DIGEST}"
Copy link
Member

@timvisee timvisee Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it correct that we sign after pushing the image? Then, where is the signature kept?

Copy link
Member

@timvisee timvisee Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this is correct. The docker tag includes the registry host, and cosign attaches the signature for us.

@qdrant qdrant deleted a comment from coderabbitai bot Aug 25, 2025
@bashofmann bashofmann merged commit 4e8e9da into qdrant:dev Aug 25, 2025
16 checks passed
timvisee pushed a commit that referenced this pull request Aug 26, 2025
@bashofmann @timvisee
Sign container images with cosign (#7119)
fca6ea5 
* Sign container images with cosign

This allows users to securely verify that a Qdrant container image was created by us

* Add contents read permission
@timvisee timvisee mentioned this pull request Aug 26, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@timvisee timvisee timvisee approved these changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bashofmann @timvisee