A docker CLI plugin for verifying signed attestations on images.
This plugin uses the OpenPubkey signed-attestations library to verify OpenPubkey tokens inside signed in-toto attestations.
To build with Go and install as a docker CLI plugin:
$ go build -o ~/.docker/cli-plugins/docker-verify cmd/docker-verify/main.go
$ docker verify IMAGE --repo-owner-id OWNER_ID
OWNER_ID is the GitHub ID of the organization or user that owns the source repository. This must match the owner in the OIDC ID token from the GitHub Actions run.
$ docker verify openpubkey/demo:main --repo-owner-id 145685596
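The owner match described above, as an added example that is not the plugin's own code: it decodes the payload of a GitHub Actions OIDC ID token and compares its `repository_owner_id` claim with the expected owner ID. Assumptions: `checkRepoOwnerID` and `sampleToken` are hypothetical helpers, the sample token is constructed and unsigned, and the token's signature is assumed to have been verified before this check runs.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// checkRepoOwnerID (hypothetical helper) compares the repository_owner_id claim of a
// compact JWT with the expected ID. It does NOT verify the signature (assumed done earlier).
func checkRepoOwnerID(idToken, expected string) error {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return errors.New("not a compact JWT: expected 3 dot-separated parts")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("decode payload: %w", err)
	}
	// GitHub issues repository_owner_id as a JSON string; any other type fails closed.
	var c struct {
		RepositoryOwnerID string `json:"repository_owner_id"`
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("parse claims: %w", err)
	}
	if c.RepositoryOwnerID == "" {
		return errors.New("token has no repository_owner_id claim")
	}
	if c.RepositoryOwnerID != expected {
		return fmt.Errorf("owner mismatch: token has %q, expected %q", c.RepositoryOwnerID, expected)
	}
	return nil
}

// sampleToken builds a constructed, unsigned token for the demo (owner name is made up).
func sampleToken(ownerID string) string {
	enc := base64.RawURLEncoding.EncodeToString
	claims, _ := json.Marshal(map[string]string{"repository_owner": "example-org", "repository_owner_id": ownerID})
	return enc([]byte(`{"alg":"none"}`)) + "." + enc(claims) + ".sig"
}

func main() {
	tok := sampleToken("145685596")
	fmt.Println(checkRepoOwnerID(tok, "145685596")) // same owner ID as --repo-owner-id
	fmt.Println(checkRepoOwnerID(tok, "1"))         // different owner ID is rejected
}
```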