All OCI images published from this repository are signed with cosign keyless signing via GitHub Actions OIDC. SBOM attestations are attached to every image.
```sh
brew install cosign
```

The `--certificate-identity` must exactly match the GitHub Actions workflow URL for the signing repository.
Replace <app> with the app directory name (e.g. goose) and <tag> with the version tag (e.g. v0.9.17).
```sh
cosign verify \
  --certificate-identity=https://github.com/projectbluefin/testhub/.github/workflows/build.yml@refs/heads/main \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  ghcr.io/projectbluefin/testhub/<app>:<tag>
```

Exit 0 means the signature is valid. Output is JSON containing the certificate details (workflow ref, commit SHA, build timestamp).
Replace <app> and <tag> as above.
```sh
cosign verify-attestation \
  --type spdxjson \
  --certificate-identity=https://github.com/projectbluefin/testhub/.github/workflows/build.yml@refs/heads/main \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  ghcr.io/projectbluefin/testhub/<app>:<tag> \
  | jq '.payload | @base64d | fromjson'
```

Output is the full SPDX document listing all packages and dependencies in the image.
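The `jq` pipeline above decodes the DSSE envelope that `cosign verify-attestation` prints; the script below does the same decoding in Python as an added example (not part of this repository), and additionally checks the in-toto predicate type and that the attestation's subject digest matches the image digest you intend to run before listing the SPDX packages. The envelope and digest are constructed sample data, not a real attestation.

```python
import base64
import json

# Constructed sample: a minimal in-toto statement wrapped in a DSSE envelope,
# shaped like one line of `cosign verify-attestation` output (signature omitted).
SAMPLE_DIGEST = "a" * 64  # placeholder sha256 hex, not a real image digest
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "ghcr.io/projectbluefin/testhub/goose",
                 "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "ghcr.io/projectbluefin/testhub/goose:v0.9.17",
        "packages": [
            {"name": "openssl", "versionInfo": "3.0.13"},
            {"name": "zlib", "versionInfo": "1.3.1"},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "<omitted in sample>"}],
})

# Predicate type cosign uses for `--type spdxjson` attestations.
SPDX_PREDICATE = "https://spdx.dev/Document"


def decode_attestation(envelope_json, expected_digest):
    """Decode one DSSE envelope line, validate type and subject, return (name, version) packages."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    stmt = json.loads(base64.b64decode(env["payload"]))  # same as jq's @base64d | fromjson
    if stmt.get("predicateType") != SPDX_PREDICATE:
        raise ValueError(f"not an SPDX attestation: {stmt.get('predicateType')!r}")
    # The SBOM is only meaningful for the exact manifest it was attested for.
    digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if expected_digest not in digests:
        raise ValueError("attestation subject digest does not match the image digest")
    return [(p["name"], p.get("versionInfo", "")) for p in stmt["predicate"].get("packages", [])]


if __name__ == "__main__":
    for name, version in decode_attestation(SAMPLE_ENVELOPE, SAMPLE_DIGEST):
        print(f"{name} {version}")
```

With real output, feed each line printed by `cosign verify-attestation` to `decode_attestation` together with the digest reported by `cosign verify` (`critical.image.docker-manifest-digest`).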