docker image verify

Author: allanbrondum

source/mainnet/docs/installation/downloads.rst

@@ -195,7 +195,11 @@ For the system requirements to run a node, see :ref:`System requirements to run
 
    .. dropdown:: Linux-Docker |mainnet-node-version|
 
-      To learn how to run a node with Ubuntu, see :ref:`Run a node on a server with Ubuntu <run-node-ubuntu>`. To upgrade your Docker node either restart the service if you are using the `:latest` image tag, or change the image tag to the new version. See :ref:`Running/upgrading a node<running-a-node>` for details.
+      To learn how to run a node with Docker, see :ref:`Run a node with Docker <run-a-node>`.
+
+      To upgrade your Docker node either restart the service if you are using the `:latest` image tag, or change the image tag to the new version. See :ref:`Running/upgrading a node<running-a-node>` for details.
+
+      See :ref:`Verify Concordium Node Docker Image<verify-docker-image>` for how the verify the signature on the Docker image.
 
    .. dropdown:: Windows |mainnet-node-version|
 
@@ -230,6 +234,8 @@ For the system requirements to run a node, see :ref:`System requirements to run
 
       To upgrade your Docker node either restart the service if you are using the `:latest` image tag, or change the image tag to the new version. See :ref:`Running/upgrading a node<running-a-node>` for details.
 
+      See :ref:`Verify Concordium Node Docker Image<verify-docker-image>` for how the verify the signature on the Docker image.      
+
    .. dropdown:: Windows |testnet-node-version|
 
       To run a node on Windows, `download a Testnet Windows Installer package <https://distribution.concordium.software/windows/Signed/Node-8.0.3-1.msi>`_. **Please be aware that you should backup your configuration, as the installer will overwrite the current configuration with a standard configuration.**

source/mainnet/docs/installation/verification-instructions.rst

@@ -7,6 +7,23 @@ Verification instructions
 
 To find instructions on how to verify the integrity of the file you have downloaded, navigate to the respective section that outlines the steps needed for that specific file.
 
+.. _verify-docker-image:
+
+Verify Concordium Node Docker Image
+===================================
+
+The Docker images are signed with Sigstore Cosign. To verify
+the signature run ``cosign verify`` with the ``certificate-oidc-issuer`` and ``certificate-identity`` as specified (important):
+
+.. code-block:: console
+    :substitutions:
+
+    $cosign verify concordium/mainnet-node:|mainnet-node-version| \ 
+        --certificate-identity=https://github.com/Concordium/concordium-node/.github/workflows/release.yaml@refs/heads/main \
+        --certificate-oidc-issuer=https://token.actions.githubusercontent.com
+
+This verifies that the image was build and signed by Concordium. You can replace the image with ``testnet-node`` and the tag with the tag you want to run.
+
 Concordium Desktop Wallet
 =========================
 

source/mainnet/docs/network/nodes/run-node.rst

@@ -42,7 +42,9 @@ Running/upgrading a node
 ========================
 
 Concordium provides two Docker images, a `mainnet <https://hub.docker.com/r/concordium/mainnet-node>`_ one and a `testnet <https://hub.docker.com/r/concordium/testnet-node>`_ one.
-These images are designed to be used together with docker-compose, or a similar driver. This guide provides a sample configuration using ``docker-compose``.
+The images are signed with Sigstore Cosign and the signature can be verified by following :ref:`Verify Concordium Node Docker Image<verify-docker-image>`.      
+
+The images are designed to be used together with docker-compose, or a similar driver. This guide provides a sample configuration using ``docker-compose``.
 
 The node requires a database which must be stored on the host system so that it persists when the docker container is stopped. It is up to the user to select the location of the database on their host system. In the guide the location used is ``/var/lib/concordium-mainnet`` or ``/var/lib/concordium-testent`` but any location to which the user that runs the Docker command has access to will do.