How to verify container signatures for Sourcegraph releases

Sourcegraph publishes cryptographic signatures for all container images included in each release. These signatures can be used to verify the authenticity and integrity of the downloaded images.

To verify signatures for a specific release, use the Sourcegraph CLI (src). This tool validates that all images in the release were signed by Sourcegraph and displays the SHA256 hashes of the verified images.

Prerequisites

  1. Install src following the Quickstart.

  2. Install cosign following the Installation Guide.

Verification Process

  1. Determine the Sourcegraph version to verify. Use either a recent release or your instance's current version.

    Note: Signature verification is available only for Sourcegraph release 5.11.4013 and later.

    To find your instance's current version, check your deployment or view the Settings page on your Sourcegraph instance (version shown in bottom left corner).

    Version location in settings

  2. Run the verification command:

    BASH:TERMINAL
    # Verify signatures for Sourcegraph release 5.11.6271
$ src signature verify -v 5.11.6271 -d sourcegraph-digests/

Verifying signatures for all 40 images in the Sourcegraph 5.11.6271 release...

✅ sourcegraph/batcheshelper@sha256:f77538c3ff985abd5fdb1cc1eb7068418cb84e0d0df629d353bdf0910e232e86
✅ sourcegraph/bundled-executor@sha256:5ba1d2c4a3df2620532400de736df81d52d7b07deb07ca26832edbe78f566cfd
✅ sourcegraph/cody-gateway@sha256:bfeeb0d2bb45543553dc950678da5ed6de052a85cd25a6b3b0b5690e425ee57c

[...]

🟢 Verified signatures and digests for 40 images

Verified digests have been written to 'sourcegraph-digests/sourcegraph-5.11.6271/verified-digests.txt'.

Your Sourcegraph deployment may not use all of these images. Please check your deployment to confirm which images are used.

  3. After verification completes, find the validated image digests in sourcegraph-digests/sourcegraph-<version>/.

Important: The verification process checks all containers in a Sourcegraph release. Your instance typically uses only a subset of these containers. Review your deployment configuration to identify which containers are relevant to your deployment.