This repository publishes the public cryptographic material that lets anyone verify the authenticity and integrity of artifacts published by Amplify Software.
The Cosign public key used to verify the signatures of our Docker images.
All Docker images published by Amplify Software are signed with Sigstore Cosign. You can verify an image against this public key:
cosign verify \
--key https://raw.githubusercontent.com/AmplifySoftware/security/main/cosign.pub \
--insecure-ignore-tlog=true \
<image-reference>Replace <image-reference> with the full reference of the image you want to
verify. A successful verification proves the image was built and published by
Amplify Software and has not been modified since signing.
Security issues: security@amplifysoft.io