Security

Verify Zensu release bundles

Every self-hosted release bundle is cosign-signed and inventoried, so you can prove exactly what you are running — fully offline, without trusting a download or reaching the internet.

Cosign public verifier key

This is the public verifier key that signs every air-gap bundle. It ships inside the bundle and is published here out-of-band so you can compare the two before you trust anything. Download it directly at /cosign.pub.

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdEg62u6N9tJ4tEuPhqmUYRp/M1fi
xOTvFROuMMpSwO9rm4EBw+4PCx7PfsW/VkHokCtGH6Iyob3Gs0oc9Jy2dA==
-----END PUBLIC KEY-----

SHA-256 of cosign.pub: 9dbf8ce15cdf1da7f5d81001bc4ea8221e7994978c59853d8424ad29fff74ba9

Verify offline

Verify the bundled SHA256SUMS against the key — no transparency log, no network:

cosign verify-blob --key cosign.pub --new-bundle-format \
  --bundle SHA256SUMS.cosign.bundle \
  --insecure-ignore-tlog=true SHA256SUMS

Supply-chain posture

  • The air-gap bundle ships a cosign-signed SHA256SUMS — key-based, no transparency log, so it verifies fully offline against the bundled cosign.pub.
  • syft generates an SPDX SBOM per image, so your supply-chain review has a complete component inventory before anything is loaded.
  • The installer verifies checksums before doing anything and aborts on a mismatch; the public verifier key is published out-of-band on zensu.dev/security.

Report a vulnerability

Found a security issue in Zensu? Please email with the details and we will follow up.