Skip to main content

Container Signing and Verification

Ory Polis container images are signed and can be verified using cosign.

Fetching public key

You can use oras (or a similar OCI artifacts tool) to fetch the public key or download it from the website here.

oras pull ghcr.io/boxyhq/cosign.pub:latest

Container verification

Note: This is supported for all versions >=1.6.0

Ory container images are hosted on Docker Hub. You can verify it by using the following command.

cosign verify --key cosign.pub ory/polis:<version>