This repository contains the public signing keys for Docker Hardened Images. These keys are used to verify the authenticity and integrity of Docker Hardened Images and their attestations.
The keyring provides cryptographic verification for Docker Hardened Images, ensuring:
- Supply chain security: Verify image signatures and provenance
- Attestation validation: Confirm authenticity of SBOMs and VEX metadata
- Trust: Ensure images haven't been tampered with
| Version | Status | Key File |
|---|---|---|
| latest | enabled | dhi-latest.pub |
| 2 | enabled | dhi-2.pub |
| 1 | disabled | dhi-1.pub |
To verify images and attestations, you can run the following commands:

```console
# log into dhi.io
$ docker login dhi.io

# verify the signature on the image index
$ cosign verify dhi.io/alpine-base:3.22 \
    --key https://dhi.io/keyring/latest.pub \
    --experimental-oci11

# list all available attestations
$ regctl artifact list dhi.io/golang:1-debian12-dev \
    --platform linux/arm64

# verify the signature on any of the provided attestations
$ cosign verify dhi.io/golang@sha256:... \
    --key https://dhi.io/keyring/latest.pub \
    --experimental-oci11
```

This project is licensed under the Apache License 2.0. See LICENSE.txt for details.
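The verification commands above can be wrapped in a fail-closed check that honours the key status table, so a disabled key is never accepted and key rotation does not break pipelines. This is an added example, not code from this repository; the function names, the `KEYRING_DIR` and `COSIGN` variables, and the assumption that the key files sit at the top of a local checkout are all hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify against enabled keys only, from a local keyring checkout.
# KEYRING_DIR, COSIGN and the function names are assumptions, not project API.

# Status table copied from this README: version, status, key file.
DHI_KEYS='latest enabled dhi-latest.pub
2 enabled dhi-2.pub
1 disabled dhi-1.pub'

# Print the key files whose status is "enabled", one per line.
dhi_enabled_keys() {
  printf '%s\n' "$DHI_KEYS" | awk '$2 == "enabled" { print $3 }'
}

# Print the key file for one version; fail if it is unknown or not enabled.
dhi_key_for_version() {
  printf '%s\n' "$DHI_KEYS" | awk -v v="$1" '
    $1 == v { found = 1; if ($2 == "enabled") { print $3; ok = 1 } }
    END { exit !(found && ok) }'
}

# Verify an image against each enabled key; print the key that matched.
# Returns non-zero (fail closed) when no enabled key verifies the image.
dhi_verify() {
  image=$1
  keydir=${KEYRING_DIR:-.}
  case $image in
    *@sha256:*) ;;  # digest reference: the verified content cannot change
    *) echo "warning: $image is a tag, not a digest" >&2 ;;
  esac
  for key in $(dhi_enabled_keys); do
    # Key is read from disk, so the trust anchor is not fetched at verify time.
    if "${COSIGN:-cosign}" verify "$image" \
         --key "$keydir/$key" --experimental-oci11 >/dev/null 2>&1; then
      echo "$key"
      return 0
    fi
  done
  echo "no enabled key verifies $image" >&2
  return 1
}
```

In a pipeline, gate the deploy step on `dhi_verify` and update the embedded table whenever the status table in this README changes.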
- Docker Hardened Images Catalog: dhi.io
- Docker Hardened Images: docker.com/products/hardened-images
- Catalog Repository: github.com/docker-hardened-images/catalog
- Commercial Support: docker.com/support
- Issue Tracker: GitHub Issues
- Discussions: GitHub Discussions
Docker Hardened Images - Building secure containers, together.