Install Now
skopeo-standalone-verify - Verify an image signature.
Contents
Description
Verify a signature using local files; the digest will be printed on success. This is primarily a
debugging tool, useful for special cases, and usually should not be a part of your normal operational
workflow. Additionally, consider configuring a signature verification policy file, as per containers-policy.json(5).
manifest Path to a file containing the image manifest
docker-reference A docker reference expected to identify the image in the signature
key-fingerprints Identities of trusted signing keys (comma separated), or "any" to trust any known key
when using a public key file
signature Path to signature file
Note: If you do use this, make sure that the image can not be changed at the source location between the
times of its verification and use.
Examples
$ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 busybox.signature
Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
Name
skopeo-standalone-verify - Verify an image signature.
Notes
This command is intended for use with local signatures e.g. OpenPGP ( other signature formats may be
added in the future ), as per containers-signature(5). Furthermore, this command does not interact with
the artifacts generated by Docker Content Trust (DCT). For more information, please see containers-signature(5) ⟨https://github.com/containers/image/blob/main/docs/containers-signature.5.md⟩.
Options
See also skopeo(1) for options placed before the subcommand name.
--help, -h
Print usage statement
--public-key-filepublickeyfile
File containing the public keys to use when verifying signatures. If this is not specified, keys from the
GPG homedir are used.
See Also
skopeo(1), containers-signature(5), containers-policy.json(5)
Synopsis
skopeostandalone-verifymanifestdocker-referencekey-fingerprintssignature
PNG Icons
