The Tines tunnel image can be verified with cosign. Verifying this way guarantees that the image was built by our GitHub Actions workflows from our protected main branch.
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp '^https://github.com/tines/tines/\.github/workflows/[^@]+@refs/heads/main$' \
  "tines/tines-tunnel:latest"
You should then get a response:
Verification for index.docker.io/tines/tines-tunnel:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
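
What the identity pattern in the command above admits, as an added example (not Tines' own code): it checks constructed certificate identities against the same regular expression, using grep -E as a stand-in for cosign's matcher. The workflow file name build.yml and the someone/tines fork are hypothetical.

```shell
#!/bin/sh
# Added example: shows which certificate identities the page's
# --certificate-identity-regexp admits. grep -E stands in for cosign's own
# regexp matching; this pattern uses only syntax common to both.

# Pattern copied verbatim from the cosign command on this page.
IDENTITY_RE='^https://github.com/tines/tines/\.github/workflows/[^@]+@refs/heads/main$'

# Return 0 if the identity (the workflow URI in the signing certificate)
# matches the policy, 1 otherwise.
identity_allowed() {
  printf '%s\n' "$1" | grep -Eq -- "$IDENTITY_RE"
}

# Print how many of the given identities the policy accepts.
count_allowed() {
  n=0
  for id in "$@"; do
    if identity_allowed "$id"; then n=$((n + 1)); fi
  done
  printf '%s\n' "$n"
}

# Constructed sample identities; "build.yml" and "someone" are hypothetical.
BASE='https://github.com/tines/tines/.github/workflows/build.yml'
SAMPLES="
${BASE}@refs/heads/main
${BASE}@refs/heads/feature-x
${BASE}@refs/heads/main-backup
${BASE}@refs/tags/v1.0.0
${BASE}@refs/pull/12/merge
https://github.com/someone/tines/.github/workflows/build.yml@refs/heads/main
"

# Report the verdict for each sample.
for id in $SAMPLES; do
  if identity_allowed "$id"; then verdict=ACCEPT; else verdict=REJECT; fi
  printf '%-7s %s\n' "$verdict" "$id"
done
```

Only the first sample, a workflow in tines/tines running on refs/heads/main, is accepted; other branches, tags, pull-request refs and other repositories are rejected.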