LinuxCommandLibrary

apptainer-verify

Verify cryptographic signatures on container images

TLDR

Verify a container image using the default PGP keyring
$ apptainer verify [path/to/image.sif]
Verify a container image using a specific public key file
$ apptainer verify --key [path/to/public.pem] [path/to/image.sif]
Verify a container image using a certificate file
$ apptainer verify --certificate [path/to/certificate.pem] [path/to/image.sif]
Verify all objects in the image
$ apptainer verify -a [path/to/image.sif]
Verify a specific object group within the image
$ apptainer verify -g [group_id] [path/to/image.sif]
Verify a specific object by ID within the image
$ apptainer verify -i [object_id] [path/to/image.sif]
Output verification results in JSON format
$ apptainer verify -j [path/to/image.sif]
Verify using only local keys in the keyring
$ apptainer verify -l [path/to/image.sif]
Verify legacy (insecure) signatures
$ apptainer verify --legacy-insecure [path/to/image.sif]

SYNOPSIS

apptainer verify [options] image.sif

DESCRIPTION

apptainer verify validates the cryptographic signatures on SIF container images. This confirms that the image has not been tampered with and was signed by a trusted party. Verification can use PGP public keys, X.509 certificates, or keys fetched from a keyserver. The command exits with a non-zero status if verification fails.

PARAMETERS

--key file
Path to a public key file for verification
--certificate file
Path to a certificate file for verification
-a, --all
Verify all objects in the SIF image
-g, --group-id id
Verify only a specific object group
-i, --sif-id id
Verify only a specific object by ID
-j, --json
Output results in JSON format
-l, --local
Only verify with local key(s) in keyring
-u, --url string
Specify a URL for a key server
--legacy-insecure
Enable verification of (insecure) legacy signatures
--certificate-intermediates file
Path to pool of intermediate certificates
--certificate-roots file
Path to pool of root certificates
--ocsp-verify
Enable online revocation check for certificates

CAVEATS

Verification requires the public key or certificate corresponding to the signing key. Unsigned containers will fail verification. Keys from untrusted sources should not be used for verification.
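
A wrapper that relies on the non-zero exit status described under DESCRIPTION and on a pinned public key, as the caveats above advise. This is an added example, not part of the original page or of the Apptainer project; the function name verify_gate and the APPTAINER_BIN override are hypothetical.

```shell
#!/bin/sh
# Added example: refuse to use a SIF image unless its signatures verify
# against a pinned public key file.
# APPTAINER_BIN is a hypothetical override so the gate can be exercised
# with a stand-in command; by default the real apptainer binary is used.

# verify_gate IMAGE PUBKEY
# Returns: 0 = verified, 1 = verification failed, 2 = bad input
verify_gate() {
    image=$1
    pubkey=$2
    bin=${APPTAINER_BIN:-apptainer}

    # Fail closed when either input is missing or unreadable, so a typo
    # in a path is reported as an input error, not a signature failure.
    if [ ! -r "$image" ]; then
        echo "verify_gate: image not readable: $image" >&2
        return 2
    fi
    if [ ! -r "$pubkey" ]; then
        echo "verify_gate: pinned key not readable: $pubkey" >&2
        return 2
    fi

    # --key pins the public key file, --all checks every object in the
    # image. Only the exit status is trusted: non-zero means unverified
    # (this includes unsigned images).
    if "$bin" verify --all --key "$pubkey" "$image" >/dev/null 2>&1; then
        return 0
    fi

    echo "verify_gate: signature verification failed: $image" >&2
    return 1
}

# Typical use in a job script (paths are placeholders):
#   verify_gate path/to/image.sif path/to/public.pem || exit 1
#   apptainer run path/to/image.sif
```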
