skopeo-standalone-verify - Verify an image signature.
skopeo standalone-verify manifest docker-reference
key-fingerprint signature
Verify a signature using local files; the digest will be printed on success.
This is primarily a debugging tool, useful for special cases, and usually
should not be a part of your normal operational workflow. Additionally,
consider configuring a signature verification policy file, as per
containers-policy.json(5).
manifest Path to a file containing the image manifest
docker-reference A docker reference expected to identify the image in the
signature
key-fingerprint Expected identity of the signing key
signature Path to signature file
Note: If you do use this, make sure that the image can not be changed at
the source location between the times of its verification and use.
--help,
-h
Print usage statement
$ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 busybox.signature
Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
This command is intended for use with local signatures e.g. OpenPGP ( other
signature formats may be added in the future ), as per
containers-signature(5). Furthermore, this command does
not interact
with the artifacts generated by Docker Content Trust (DCT). For more
information, please see
containers-signature(5)
⟨
https://github.com/containers/image/blob/main/docs/containers-signature.5.md⟩.
skopeo(1),
containers-signature(5),
containers-policy.json(5)
Antonio Murdaca
[email protected] ⟨mailto:
[email protected]⟩,
Miloslav Trmac
[email protected] ⟨mailto:
[email protected]⟩, Jhon
Honce
[email protected] ⟨mailto:
[email protected]⟩