Package Signing and Verification
In this tutorial, we will sign a Zarf package and verify its signature to ensure package integrity and authenticity. We’ll generate a key pair, sign a package during creation, verify the signature, and deploy the signed package.
Package signing is a critical security practice, allowing you to verify that packages have not been tampered with and come from a trusted source.
Before beginning this tutorial you will need the following:
- Zarf binary installed on your $PATH: (Installing Zarf)
- The Zarf source code repository for creating the wordpress example package.
git clone https://github.com/zarf-dev/zarf.git
Do not change your working directory to the Zarf directory for the next steps.
First, we’ll generate a private/public key pair for signing packages:
zarf tools gen-key
You’ll be prompted to enter a password to encrypt the private key. Choose a strong password and remember it.
This creates two files:
- cosign.key - Your private signing key (keep this secure!)
- cosign.pub - Your public verification key (share this with others)
Now we’ll create a wordpress package from the Zarf examples directory:
zarf package create ./zarf/examples/wordpress
The path to the created package will be present in the logs:
INF writing package to disk path=zarf-package-wordpress-arm64-26.0.0.tar.zst
To sign the package, we’ll now use the key pair created earlier:
zarf package sign zarf-package-wordpress-arm64-26.0.0.tar.zst --signing-key cosign.key --signing-key-password <password>
Your package (for example, zarf-package-wordpress-amd64-26.0.0.tar.zst) now contains a digital signature.
Let’s verify that our package signature is valid using the public key:
zarf package verify zarf-package-wordpress-amd64-26.0.0.tar.zst --key cosign.pub
You should see successful verification output:
2026-01-15 14:17:13 INF checksum verification status=PASSED
Verified OK
2026-01-15 14:17:16 INF signature verification status=PASSED
2026-01-15 14:17:16 INF verification complete status=SUCCESS
Notice that verification checks both the signature and the package checksums: the signature confirms the package was signed with the private key matching cosign.pub, and the checksums confirm the package contents have not been modified since signing. Together they establish that the package is authentic and untampered.
Step 6: Deploy with Signature Verification
Finally, we’ll deploy the package with signature verification enabled. If you have a Kubernetes cluster initialized (see Initializing a K8s Cluster), you can deploy:
zarf package deploy zarf-package-wordpress-amd64-26.0.0.tar.zst --key cosign.pub --verify --confirm
The --verify flag enforces signature verification. If the signature is invalid or the public key doesn’t match, Zarf will abort the deployment.
You should see the package being verified before deployment begins:
Verifying package signature...
✔ Package signature verified successfully
Deploying package...
Now that you understand the basics of package signing, you can:
- Learn about signing existing packages with zarf package sign in the Package Signing Reference
- Explore cloud KMS options for production signing in the Package Signing Reference
- Integrate signature verification into your CI/CD pipelines
- Establish key management and rotation procedures for your organization
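The following POSIX shell script is an added example of the CI/CD integration mentioned above; it is not part of the Zarf documentation or the Zarf project. It wraps the zarf package verify step from this tutorial in a fail-closed gate: the pipeline proceeds only if the log reports checksum PASSED, signature PASSED and verification complete SUCCESS, using a public key checked into the pipeline rather than one shipped next to the package. The function names (check_verify_log, verify_package_gate) are chosen for this example, it assumes the zarf binary is on $PATH for the real run, and the sample logs at the bottom are constructed from the output shown earlier so the gate logic can be exercised without a package.

```shell
#!/bin/sh
# Added example, not Zarf project code: a fail-closed CI gate around
# `zarf package verify`. Function names are chosen for this example.

# check_verify_log reads `zarf package verify` output from stdin and returns 0
# only when all three lines the tutorial shows are present: checksum PASSED,
# signature PASSED and the final "verification complete" SUCCESS. A missing
# line counts as a failure, so a truncated or unexpected log never passes.
check_verify_log() {
    log=$(cat)
    for needle in \
        'checksum verification status=PASSED' \
        'signature verification status=PASSED' \
        'verification complete status=SUCCESS'
    do
        if ! printf '%s\n' "$log" | grep -q -- "$needle"; then
            printf 'verification gate: missing "%s"\n' "$needle" >&2
            return 1
        fi
    done
    return 0
}

# verify_package_gate runs the real verification against a package and a
# pinned public key (the cosign.pub from the tutorial, stored with the
# pipeline configuration). It fails if either file is missing, if zarf exits
# non-zero, or if the log does not satisfy check_verify_log.
verify_package_gate() {
    pkg=$1
    key=$2
    [ -f "$pkg" ] || { echo "verification gate: package $pkg not found" >&2; return 1; }
    [ -f "$key" ] || { echo "verification gate: public key $key not found" >&2; return 1; }
    out=$(zarf package verify "$pkg" --key "$key" 2>&1) || {
        printf '%s\n' "$out" >&2
        return 1
    }
    printf '%s\n' "$out" | check_verify_log
}

# Constructed sample logs modelled on the tutorial's output, used to exercise
# the gate without a zarf binary or a package on disk.
SAMPLE_PASS_LOG='2026-01-15 14:17:13 INF checksum verification status=PASSED
Verified OK
2026-01-15 14:17:16 INF signature verification status=PASSED
2026-01-15 14:17:16 INF verification complete status=SUCCESS'

SAMPLE_TAMPERED_LOG='2026-01-15 14:20:01 INF checksum verification status=FAILED'

if printf '%s\n' "$SAMPLE_PASS_LOG" | check_verify_log; then
    echo "sample 1: gate passed"
fi
if ! printf '%s\n' "$SAMPLE_TAMPERED_LOG" | check_verify_log 2>/dev/null; then
    echo "sample 2: gate blocked a package whose checksum verification failed"
fi
```

In a pipeline job the call is `verify_package_gate zarf-package-wordpress-amd64-26.0.0.tar.zst cosign.pub || exit 1`, placed before the deploy step; the deploy step should still pass --key and --verify as shown in the tutorial so that verification is enforced at deploy time as well, not only in the gate.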
- Package Signing Reference - Comprehensive signing and verification documentation
- zarf package sign command - Command reference
- zarf package verify command - Command reference