Signature verification
Every Rasid image carries a Sigstore Cosign signature and an in-toto attestation. Both are issued by Rasid’s self-hosted signing chain — Fulcio at fulcio.rasid.cc and Rekor at rekor.rasid.cc. Verification touches only Rasid-operated infrastructure.
Install Cosign
Cosign is a small Go binary. Install with your package manager, or grab a release from the upstream Sigstore project (Apache 2.0).
Verify by signature
cosign verify images.rasid.cc/postgres:17 \
--key https://rasid.cc/.well-known/rasid-cosign.pub
The --key flag points Cosign at Rasid’s published verification key. The signature is also recorded in Rasid’s Rekor transparency log, so a successful verification means the signature is both cryptographically valid and publicly logged.
If the command exits 0, the image was signed by Rasid. If it exits non-zero, do not run it.
Verify the build attestation
cosign verify-attestation images.rasid.cc/postgres:17 \
--type slsaprovenance \
--key https://rasid.cc/.well-known/rasid-cosign.pub
This proves not just that we signed the image, but also verifies the SLSA level 3 build provenance attached to it. The attestation is an in-toto v1.0 statement carrying SLSA provenance v1.0.
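A policy check you can run over the output of the attestation command above, as an added example that is not Rasid's tooling: Cosign prints one DSSE envelope per line once the signature and log entry check out, and this script decodes the in-toto statement inside, confirms the in-toto v1 and SLSA provenance v1 type URIs, and rejects it unless the subject digest is the image you actually pulled and the builder id is the one you expect. The builder id and digest are placeholders, and the sample output is constructed, not captured from Rasid.

```python
import base64
import json

IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def check_provenance(cosign_output, image_digest, builder_id):
    """Gate on the first in-toto statement in `cosign verify-attestation` stdout.

    Returns {"ok": bool, "reasons": [str]}. Cosign has already checked the
    signature and Rekor entry; this only enforces policy on the decoded statement.
    """
    reasons = []
    for line in cosign_output.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)  # DSSE envelope: payloadType, payload, signatures
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            continue
        stmt = json.loads(base64.b64decode(envelope["payload"]))
        if stmt.get("_type") != IN_TOTO_V1:
            reasons.append("unexpected statement type %r" % stmt.get("_type"))
        if stmt.get("predicateType") != SLSA_V1:
            reasons.append("unexpected predicate type %r" % stmt.get("predicateType"))
        # The subject must carry the digest you actually pulled, not just any image.
        digests = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
        if image_digest.split(":")[-1] not in digests:
            reasons.append("subject digest does not match the pulled image")
        # SLSA v1 puts the build platform identity at predicate.runDetails.builder.id.
        builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
        if builder != builder_id:
            reasons.append("builder id %r is not the expected %r" % (builder, builder_id))
        return {"ok": not reasons, "reasons": reasons}
    return {"ok": False, "reasons": ["no in-toto statement in cosign output"]}


def sample_output(digest, builder):
    """Constructed stand-in for Cosign's stdout (one DSSE envelope per line)."""
    stmt = {
        "_type": IN_TOTO_V1,
        "predicateType": SLSA_V1,
        "subject": [{"name": "images.rasid.cc/postgres", "digest": {"sha256": digest}}],
        "predicate": {"buildDefinition": {}, "runDetails": {"builder": {"id": builder}}},
    }
    payload = base64.b64encode(json.dumps(stmt).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": [{"keyid": "", "sig": "..."}]}) + "\n"


PULLED = "sha256:" + "ab" * 32                    # placeholder digest, not a real image
BUILDER = "https://builder.example/placeholder"  # hypothetical builder id
```

In practice, pipe `cosign verify-attestation ... | python3 check.py` and read the real digest from `crane digest` or the pulled manifest rather than from the tag.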
Verify offline
For air-gapped environments, see the enterprise tier — we ship offline bundles with Rasid’s verification key and Rekor transparency-log entries pre-fetched, so verification works without any network access.