Container image signing ensures the authenticity and integrity of distributed artifacts. This document describes how to verify, using the cosign tool and PlainID's public signing key, that a container image provided by PlainID was signed by PlainID and has not been tampered with since signing.
PlainID does not record its signatures in the public transparency log (Sigstore Rekor), so verification relies solely on the public signing key rather than on a Rekor entry.
This capability covers PlainID's containerized components, including:
- PAA container images (Agent, PIP Operator, PDP Runtime, IDP and Secret Management)
- Access File Authorizer
- SQL PDP Modifier
- Envoy/Istio
  - Sidecar image (authz-envoy-sidecar)
  - Operator image (authz-operator)
- JSON Masking
Additional components are being onboarded continuously. Refer to the updated services in our Technical Release Notes for the latest component updates or contact PlainID Support.
Container image signing is currently available only for PlainID containerized components. Other artifact types, such as the binaries, archives, and static file bundles of the standalone PAA package and of other Authorizers, are outside the scope of this capability.
When you verify a signed container image distributed by PlainID, you confirm that:
- The image was signed by PlainID.
- The image has not been modified since signing.
- The signature matches the image digest stored in the registry.
Because the signatures are not recorded in the transparency log, verification relies entirely on PlainID's public key. There is no independent, auditable record of what was signed and when, so the integrity of the copy of the key you verify against is the whole trust anchor.
Prerequisites
- cosign CLI installed (https://github.com/sigstore/cosign)
- Access to PlainID's Docker Hub
Verification Using a Public Key
Verification using a public key means that the container image signature is validated against PlainID's published cosign public key. This model relies entirely on the integrity of the copy of that public key you hold: anyone who can substitute the key can also substitute the images.
The verification process performs the following high-level steps:
- Retrieves the image signature from the registry.
- Validates the signature cryptographically using the provided public key.
- Confirms that the signature references the exact image digest.
- Validates the claims embedded in the signature payload.
The public key must be obtained from a trusted PlainID source, such as the official CDN URL shown below. If the public key is compromised or replaced, the guarantees provided by signature verification no longer hold. Passing the CDN URL directly to cosign fetches the key over HTTPS on every run, which means trusting the CDN and the TLS connection each time; for production pipelines, download the key once, store the copy with your CI or admission-control configuration, and compare it against the published copy before relying on it, so that the key becomes a one-time trust decision rather than a per-run network fetch.
Verification by Container Image Digest
Use the image's digest, rather than a tag, to identify the image you verify. Tags are mutable and can be re-pointed to a different image at any time; verifying by digest ensures you are validating the exact manifest that will run.
To get the image digest:
docker pull plainid/authz-access-file:5.2609.1
docker inspect --format='{{index .RepoDigests 0}}' plainid/authz-access-file:5.2609.1
Example output:
plainid/authz-access-file@sha256:3de25a86dab87cabae15fdbebe8527c1285ada12784ed1e32a930bcd1d171140
To verify the signature:
cosign verify \
--insecure-ignore-tlog=true \
--key https://cdn.plainid.io/public/cosign.pub \
plainid/authz-access-file@sha256:3de25a86dab87cabae15fdbebe8527c1285ada12784ed1e32a930bcd1d171140
Example output:
WARNING: Skipping tlog verification is an insecure practice that lacks transparency and auditability verification for the signature.
Verification for index.docker.io/plainid/authz-access-file@sha256:3de25a86dab87cabae15fdbebe8527c1285ada12784ed1e32a930bcd1d171140 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"index.docker.io/plainid/authz-access-file"},"image":{"docker-manifest-digest":"sha256:3de25a86dab87cabae15fdbebe8527c1285ada12784ed1e32a930bcd1d171140"}}}]
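The procedure above (pin the key, resolve the digest, run cosign, cross-check the payload) as a script you could use as a CI or deployment gate. This is an added example, not PlainID's tooling; it assumes cosign and docker are on PATH, that the key has been saved locally as plainid-cosign.pub, and that the file's SHA-256 fingerprint has been confirmed out of band (the script hard-codes none; the caller passes it in). The cosign JSON payload from the example output above is embedded as constructed sample input so the claim check can be exercised without cosign installed.

```python
"""Deployment gate for a PlainID image signed with cosign (added example).

Assumptions: cosign and docker on PATH, PlainID's key saved locally as
plainid-cosign.pub, and its SHA-256 fingerprint confirmed out of band.
"""
import hashlib
import json
import re
import subprocess

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# cosign's stdout from the worked example on the page, used as constructed
# sample input so check_claims() can be exercised offline.
SAMPLE_COSIGN_OUTPUT = (
    '[{"critical":{"identity":{"docker-reference":'
    '"index.docker.io/plainid/authz-access-file"},"image":'
    '{"docker-manifest-digest":"sha256:3de25a86dab87cabae15fdbebe8527c1285ada12784ed1e32a930bcd1d171140"}}}]'
)
SAMPLE_DIGEST_REF = ("plainid/authz-access-file@sha256:"
                     "3de25a86dab87cabae15fdbebe8527c1285ada12784ed1e32a930bcd1d171140")


def key_fingerprint(key_bytes):
    """SHA-256 of the key file as stored; compare with a value confirmed out of band."""
    return hashlib.sha256(key_bytes).hexdigest()


def key_matches_pin(key_path, expected_sha256_hex):
    """Refuse to verify with a key file that is not the one pinned out of band.

    Passing https://cdn.plainid.io/public/cosign.pub to --key trusts the CDN and
    the TLS connection on every run; pinning a local copy makes the key a
    one-time trust decision that a CDN or DNS compromise cannot silently change.
    """
    with open(key_path, "rb") as f:
        return key_fingerprint(f.read()) == expected_sha256_hex.lower()


def split_ref(ref):
    """'repo@sha256:<hex>' -> (repo, 'sha256:<hex>'); rejects tags and malformed digests."""
    repo, sep, digest = ref.partition("@")
    if not sep or not DIGEST_RE.match(digest):
        raise ValueError(f"not a digest reference: {ref}")
    return repo, digest


def check_claims(cosign_stdout, expected_repo, expected_digest):
    """Cross-check the payload cosign printed against the image we meant to verify.

    cosign has already verified the signature over expected_digest; this guards
    the wrapper itself (wrong reference passed in, or a signature produced for a
    different repository) and fails closed on an empty result. Returns the
    number of accepted signatures.
    """
    signatures = json.loads(cosign_stdout)
    if not signatures:
        raise ValueError("cosign returned no signatures")
    for sig in signatures:
        critical = sig["critical"]
        ref = critical["identity"]["docker-reference"]
        digest = critical["image"]["docker-manifest-digest"]
        # docker inspect prints 'plainid/x'; cosign prints 'index.docker.io/plainid/x'.
        if ref != expected_repo and not ref.endswith("/" + expected_repo):
            raise ValueError(f"signature identity {ref} is not {expected_repo}")
        if digest != expected_digest:
            raise ValueError(f"signature digest {digest} is not {expected_digest}")
    return len(signatures)


def resolve_digest(image_ref):
    """Pull a tag and return its immutable repo@sha256:... reference (docker inspect)."""
    subprocess.run(["docker", "pull", image_ref], check=True, capture_output=True)
    out = subprocess.run(
        ["docker", "inspect", "--format={{index .RepoDigests 0}}", image_ref],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


def verify_image(image_ref, key_path, key_sha256_hex):
    """Full gate: pinned key -> digest -> cosign verify -> claim cross-check.

    Returns the digest reference to deploy, so callers never fall back to the tag.
    """
    if not key_matches_pin(key_path, key_sha256_hex):
        raise RuntimeError(f"{key_path} does not match the pinned fingerprint")
    digest_ref = resolve_digest(image_ref)
    repo, digest = split_ref(digest_ref)
    # --insecure-ignore-tlog is required because the signatures are not in Rekor.
    # cosign writes the JSON payload to stdout and its status lines to stderr.
    proc = subprocess.run(
        ["cosign", "verify", "--insecure-ignore-tlog=true", "--key", key_path, digest_ref],
        check=True, capture_output=True, text=True,
    )
    check_claims(proc.stdout, repo, digest)
    return digest_ref


if __name__ == "__main__":
    import sys
    # usage: python verify_plainid.py plainid/authz-access-file:5.2609.1 plainid-cosign.pub <sha256-hex>
    print(verify_image(sys.argv[1], sys.argv[2], sys.argv[3]))
```

The script returns the digest reference rather than the tag so that whatever deploys next (a Helm value, a manifest, an admission decision) pins exactly the manifest that was verified; the repository check in check_claims tolerates the registry host that cosign adds and docker inspect omits.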
By verifying container image signatures with cosign and PlainID's public key, you ensure that the image you are deploying is authentic, unmodified, and issued by PlainID. Incorporate this verification step into your CI and deployment workflows, for example as a gate before an image is promoted or admitted to a cluster, and deploy the verified digest rather than the tag so that the artifact you checked is the one that runs. This matters all the more because transparency log validation is not used and the public key is the sole trust anchor.
For more information, see Sigstore's documentation: