This page explains how to verify the digital signatures of K2view Fabric and Studio container images and Fabric packages.
Signature verification allows customers to confirm that an artifact:
Verification is performed locally using standard open-source tooling.
K2view signs the cryptographic digest of each image and package.
A digest is a unique hash that represents the exact contents of an artifact:
Each image and each package has its own unique signature.
Signatures are not shared across versions or builds.
K2view uses Cosign, an industry-standard signing tool widely adopted in the Kubernetes ecosystem.
Install the following tools on the system where verification will be performed:
- cosign (install guide)
- Docker (or a compatible OCI runtime)
- jq (download jq)
K2view container images include embedded metadata (image labels) that specify:
This metadata allows each image to be verified independently.
Pull the container image from the K2view container registry to your local environment.
docker pull <IMAGE_NAME:IMAGE_TAG>
Export the full image name and tag as an environment variable to simplify the verification commands that follow.
export image=<IMAGE_NAME:IMAGE_TAG>
Extract the immutable digest of the image you downloaded.
docker inspect --format='{{.Id}}' "$image" | tr -d '\n' > "digest.txt"
Inspect the image labels to locate the signature metadata.
signature_bundle="$(docker inspect "$image" | jq -r '.[].Config.Labels["org.opencontainers.image.signature.bundle"]')"
public_key="$(docker inspect "$image" | jq -r '.[].Config.Labels["org.opencontainers.image.signature.key"]')"
Download the public key and signature bundle using the URLs provided in the image labels.
curl -fsS "https://support.k2view.com/signatures/public-keys/${public_key}" -o "pub.key"
curl -fsS "$signature_bundle" -o "signature.bundle"
Verify the image digest against the signature bundle using the public key.
A successful verification confirms the image was signed by K2view and has not been modified.
cosign verify-blob --key "pub.key" --bundle "signature.bundle" "digest.txt"
Verified OK
Any other output indicates that the image should not be trusted.
Fabric packages do not support embedded metadata.
For this reason, K2view provides additional metadata files alongside each package that specify:
Download the Fabric package provided by K2view.
Export the full package name as an environment variable to simplify the verification commands that follow.
export package=<PACKAGE_NAME>
Extract the immutable digest of the package you downloaded.
sha256sum "$package" | awk '{print $1}' > "digest.txt"
Download the public key and signature bundle.
curl -fsS "https://support.k2view.com/signatures/bundles/${package}_publickey.json" -o "publickey.json"
public_key_url=$(jq -r '.publicKey' "publickey.json")
curl -fsS "$public_key_url" -o "pub.key"
curl -fsS "https://support.k2view.com/signatures/bundles/${package}_signature.bundle" -o "signature.bundle"
Verify the package digest against the signature bundle using the public key.
A successful verification confirms the package was signed by K2view and has not been modified.
cosign verify-blob --key "pub.key" --bundle "signature.bundle" "digest.txt"
Verified OK
Any other output indicates that the package should not be trusted.
If verification fails, stop deployment and contact K2view Support.
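The image procedure and the package procedure above, combined into one added end-to-end bash script. This is example code written for this page, not a K2view script or tool. It assumes cosign, docker, jq, curl and sha256sum are on PATH; the hostnames, label names and metadata file names are taken from the page, while the function names, the temporary working directory, the `.[0]` jq index and the use of the package file's base name in URLs are this example's own choices. It goes a little beyond the page's steps in order to fail closed: a label that `jq -r` reports as the literal string `null` (or an empty value) is rejected before anything is downloaded, a digest file that does not look like a SHA-256 digest aborts the run, and cosign's result is accepted only when it both exits 0 and prints a `Verified OK` line (the script assumes cosign writes that status line to stderr, so it captures both streams).

```shell
#!/usr/bin/env bash
# Added example, not K2view's own script: runs the image and package
# verification steps from this page end to end and fails closed.
# Assumes cosign, docker, jq, curl and sha256sum are on PATH.
set -eu

# Base URLs as given on the page; key names and bundle file names are
# appended exactly as the page's curl commands do.
K2VIEW_KEY_BASE="https://support.k2view.com/signatures/public-keys"
K2VIEW_BUNDLE_BASE="https://support.k2view.com/signatures/bundles"

# Public key URL from the key name stored in the image label.
key_url() { printf '%s/%s\n' "$K2VIEW_KEY_BASE" "$1"; }

# Hex digest from a sha256sum line ("<hex>  <file>"), same as the page's awk.
digest_from_sha256sum() { printf '%s\n' "${1%% *}"; }

# True when file $1 holds a SHA-256 digest, with or without the "sha256:" prefix
# (docker's .Id has the prefix, sha256sum's output does not). Catches an empty
# or newline-only digest file produced by a failed docker/sha256sum step.
looks_like_digest() { grep -Eqx '(sha256:)?[0-9a-f]{64}' "$1"; }

# jq -r prints the literal string "null" for a missing label; refuse it (and
# empty values) so a stripped label never becomes a request for ".../null".
require_label() {  # $1 = label/field name, $2 = value
  case "$2" in
    ""|null) echo "missing or empty metadata: $1" >&2; return 1 ;;
  esac
}

# Accept cosign's result only when it exited 0 AND printed "Verified OK";
# the page treats any other output as untrusted.
is_verified_ok() {  # $1 = cosign exit status, $2 = captured output
  [ "$1" -eq 0 ] && printf '%s\n' "$2" | grep -qx 'Verified OK'
}

# Run cosign verify-blob on pub.key, signature.bundle and digest.txt in $1.
# Assumption: cosign writes "Verified OK" to stderr, so both streams are captured.
run_cosign() {
  status=0
  out="$(cosign verify-blob --key "$1/pub.key" --bundle "$1/signature.bundle" "$1/digest.txt" 2>&1)" || status=$?
  is_verified_ok "$status" "$out"
}

# Steps from the container image section. Every step carries an explicit
# "|| return 1": set -e is suspended inside a function called from if/&&/||.
verify_image() {
  image="$1"; work="$(mktemp -d)" || return 1
  docker pull "$image" >/dev/null || return 1
  docker inspect --format='{{.Id}}' "$image" | tr -d '\n' > "$work/digest.txt"
  looks_like_digest "$work/digest.txt" || { echo "could not read image digest" >&2; return 1; }
  bundle="$(docker inspect "$image" | jq -r '.[0].Config.Labels["org.opencontainers.image.signature.bundle"]')"
  key="$(docker inspect "$image" | jq -r '.[0].Config.Labels["org.opencontainers.image.signature.key"]')"
  require_label org.opencontainers.image.signature.bundle "$bundle" || return 1
  require_label org.opencontainers.image.signature.key "$key" || return 1
  curl -fsS "$(key_url "$key")" -o "$work/pub.key" || return 1
  curl -fsS "$bundle" -o "$work/signature.bundle" || return 1
  run_cosign "$work"
}

# Steps from the Fabric package section. $1 is the package file; its base
# name is used for the metadata file names, as on the page.
verify_package() {
  package="$1"; name="$(basename "$package")"; work="$(mktemp -d)" || return 1
  [ -f "$package" ] || { echo "no such package file: $package" >&2; return 1; }
  digest_from_sha256sum "$(sha256sum "$package")" > "$work/digest.txt" || return 1
  looks_like_digest "$work/digest.txt" || { echo "could not read package digest" >&2; return 1; }
  curl -fsS "$K2VIEW_BUNDLE_BASE/${name}_publickey.json" -o "$work/publickey.json" || return 1
  key_url_from_json="$(jq -r '.publicKey' "$work/publickey.json")"
  require_label publicKey "$key_url_from_json" || return 1
  curl -fsS "$key_url_from_json" -o "$work/pub.key" || return 1
  curl -fsS "$K2VIEW_BUNDLE_BASE/${name}_signature.bundle" -o "$work/signature.bundle" || return 1
  run_cosign "$work"
}

main() {
  kind="${1:-}"; target="${2:-}"
  case "$kind" in
    image|package) ;;
    *) echo "usage: $0 image <IMAGE_NAME:IMAGE_TAG> | package <PACKAGE_NAME>" >&2; return 2 ;;
  esac
  if "verify_$kind" "$target"; then
    echo "Verified OK: $target"
  else
    echo "NOT VERIFIED: $target (stop deployment and contact K2view Support)" >&2
    return 1
  fi
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it as `./verify.sh image <IMAGE_NAME:IMAGE_TAG>` or `./verify.sh package <PACKAGE_NAME>`; a non-zero exit status is the "stop deployment" signal from the page, so it can be used directly as a gate in a CI job. The per-step `|| return 1` is deliberate: bash suspends `set -e` inside any function invoked from an `if`, `&&` or `||` context, so a script that relies on `set -e` alone would silently continue past a failed `curl` and verify whatever was left in the working directory.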