Quickstart
Pull a hardened image, verify its signature, and you’re running on a clean base. No account required.
1. Pull an image
docker pull images.rasid.cc/postgres:17
The public catalogue at images.rasid.cc is Apache 2.0. No signup, no token, no rate-limit games.
2. Verify the signature
Install Sigstore Cosign, then verify the image was signed by Rasid:
cosign verify images.rasid.cc/postgres:17 \
    --key https://rasid.cc/.well-known/rasid-cosign.pub
The signature is recorded on Rasid’s self-hosted transparency log at rekor.rasid.cc. Cosign verifies against both the published public key and the Rekor entry. If the verification succeeds, the image was built and signed by Rasid. If it fails, do not run the image.
3. Drop it into your stack
Use it as a base image, a runtime, or a side-car. The interface matches the upstream image — same env vars, same entrypoints, same ports.
FROM images.rasid.cc/postgres:17
COPY ./schema.sql /docker-entrypoint-initdb.d/
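The three steps above as one fail-closed CI gate. This is an added example, not Rasid's own tooling. It verifies the image by digest rather than by tag and builds from that same digest, so the bytes that were checked are the bytes that get used. The function names `verified_ref` and `pin_dockerfile` and the `Dockerfile.pinned` file name are hypothetical; the image and key URL are the ones from this page.

```shell
#!/bin/sh
# Added example: fail-closed gate around the quickstart's pull/verify/build steps.
IMAGE="images.rasid.cc/postgres:17"                    # from the page
KEY="https://rasid.cc/.well-known/rasid-cosign.pub"    # from the page

# Pull the tag, resolve it to an immutable digest, and verify that digest.
# Prints repo@sha256:... on success, returns non-zero on any failure.
verified_ref() {
    image=$1
    repo=${image%:*}    # strip the tag (assumes the reference carries one)
    docker pull --quiet "$image" >/dev/null || return 1
    # A local image can carry digests for several repositories; keep ours only.
    ref=$(docker inspect --format '{{range .RepoDigests}}{{println .}}{{end}}' "$image" |
          grep -F "${repo}@sha256:" | head -n 1)
    if [ -z "$ref" ]; then
        echo "could not resolve a digest for $image" >&2
        return 1
    fi
    # Verify the digest, not the tag, so the tag cannot move between check and build.
    cosign verify --key "$KEY" "$ref" >/dev/null || {
        echo "signature verification failed for $ref; not using it" >&2
        return 1
    }
    printf '%s\n' "$ref"
}

# Print the Dockerfile with FROM lines for the tag rewritten to the verified digest.
pin_dockerfile() {
    awk -v img="$1" -v ref="$2" \
        '$1 == "FROM" && $2 == img { $2 = ref } { print }' "$3"
}

# Typical use in CI (stops before the build if verification fails):
#   ref=$(verified_ref "$IMAGE") || exit 1
#   pin_dockerfile "$IMAGE" "$ref" Dockerfile > Dockerfile.pinned
#   docker build -f Dockerfile.pinned .
```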
Next
- Read Image lifecycle to learn how we patch and when we rotate tags.
- Read Consuming the SBOM to wire SBOMs into your supply-chain pipeline.
- Read CI/CD integration for sample pipelines.