Out-of-band verification value for Stolonic-signed releases.
Stolonic signs every released container image with a single Cosign key.
The SHA-256 of that key's public half is published on this page so you
can verify the cosign.pub file you download from GitHub
against an independent channel before trusting any signed
Stolonic artifact.
verify-release.sh:
# 1. Download Stolonic's public key from the GitHub release page
#    (-L follows the redirect from the "latest" URL to the actual asset,
#    -f fails on an HTTP error instead of saving an error page as cosign.pub)
curl -fLO https://github.com/stolonic-ab/stolonic/releases/latest/download/cosign.pub
# 2. Compute its SHA-256 locally
shasum -a 256 cosign.pub
# 3. The output MUST match the value above. If it doesn't, STOP.
The cosign.pub on the release page may have been tampered with, or this page may be wrong; either way, contact security@stolonic.com and quote both values before continuing.
Once cosign.pub matches the value above, follow the
end-to-end customer verification recipe:
docs/security/image-verification.md
If Stolonic rotates this key (planned annually, or in response to a compromise), this page is updated within 24 hours of the new key becoming the production signing key. The previous SHA is preserved below the current one with the date of rotation, so customers can reconcile older releases.
Suspected key compromise, supply-chain incident, or trust anchor mismatch: security@stolonic.com. PGP/encrypted reports accepted on request.