autonomy bundle verify¶
Verify supply-chain integrity of a bundle (cosign + BLAKE3)
Synopsis¶
Runs the 4-step, fail-closed supply-chain verification pipeline for the
bundle OCI image at <ref>:
Step 1 — Signatures cosign verify for the image (always), lock sidecar
(<tag>-lock, if --require-lock), and policy sidecar
(<tag>-policy, if --require-policy).
Step 2 — OCI digests Resolves the live image manifest digest and compares
it against agent_artifact.digest in the lock file.
SHA-256 of the pulled policy bundle is compared
against policy_bundle.digest in the lock file.
Step 3 — Fingerprint Recomputes the BLAKE3 behavioral fingerprint of the
lock file and verifies it matches the stored value.
Step 4 — Semver Parses the version tag from policy_bundle.ref and
compares it with policy_bundle_version in the
bundle's manifest.json. major.minor must match.
The command is fail-closed: it exits non-zero if any step fails.
AUTONOMY_TRUST_TIME (env var, default "true"):
true — the autonomy.signed-at annotation must be present in the image
signature and not older than --max-age (default 8760h / 1 year).
false — timestamp check skipped entirely (weakened; see sign docs).
Usage¶
autonomy bundle verify <ref> [flags]
Examples¶
# Verify image only
autonomy bundle verify robot-behavior:1.2.3 --pub-key ./keys/cosign.pub
# Verify image + lock + policy (strict)
autonomy bundle verify robot-behavior:1.2.3 \
--pub-key ./keys/cosign.pub --require-lock --require-policy
Options¶
--allow-insecure-registry allow plain HTTP registry (auto-detected for localhost)
--max-age duration maximum age of the signed-at annotation (default 8760h / 1 year)
--pub-key string path to cosign public key in SPKI PEM format (required)
--require-lock also verify the cosign signature and digest of the lock sidecar artifact
--require-policy also verify the cosign signature, digest, and semver of the policy sidecar artifact
See also¶
autonomy bundle— Manage AutonomyOps bundles (pull, push, inspect, verify)