docs: image verification (#37)
Signed-off-by: Sertac Ozercan <[email protected]>
sozercan authored Dec 13, 2023
1 parent 2acbbb6 commit 0ddd83e
Showing 2 changed files with 25 additions and 3 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -15,13 +15,13 @@ AIKit uses [LocalAI](https://localai.io/) under-the-hood to run inference. Local

- 🐳 No GPU, Internet access or additional tools needed except for [Docker](https://docs.docker.com/desktop/install/linux-install/)!
- 🀏 Minimal image size, resulting in less vulnerabilities and smaller attack surface with a custom [distroless](https://github.com/GoogleContainerTools/distroless)-based image
- πŸš€ Easy to use declarative configuration
- πŸš€ [Easy to use declarative configuration](./docs/specs.md)
- ✨ OpenAI API compatible to use with any OpenAI API compatible client
- πŸ–ΌοΈ [Multi-modal model support](#vision-with-llava)
- 🚒 Kubernetes deployment ready
- πŸ“¦ Supports multiple models with a single image
- πŸ–₯️ Supports GPU-accelerated inferencing with NVIDIA GPUs
- πŸ” Signed images for `aikit` and pre-made models
- πŸ–₯️ [Supports GPU-accelerated inferencing with NVIDIA GPUs](#nvidia)
- πŸ” [Signed images for `aikit` and pre-made models](./docs/cosign.md)

## Demos
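Review bot: two of the three link targets added to the feature list are not created by this commit. Only `docs/cosign.md` is added here, so `./docs/specs.md` and a heading that renders to the `#nvidia` anchor must already exist in the tree, otherwise the README ships dead links. Please confirm both resolve. The signed-images bullet is the only entry point to the verification procedure, so a broken link there would leave users without the verify command.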

22 changes: 22 additions & 0 deletions docs/cosign.md
@@ -0,0 +1,22 @@
# Image verification

AIKit and pre-made models are keyless signed with OIDC in GitHub Actions with [cosign](https://github.com/sigstore/cosign). You can verify the images with the following commands:

```bash
IMAGE=ghcr.io/sozercan/llama2:7b # update this with the image you want to verify
DIGEST=$(cosign triangulate ${IMAGE} --type digest)
cosign verify ${DIGEST} \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp 'https://github\.com/sozercan/aikit/\.github/workflows/.+'
```

You should see an output similar to the following:

```bash
Verification for ghcr.io/sozercan/llama2@sha256:d47fdba491a9a47ce4911539a77e0c0a12b2e14f5beed88cb8072924b02130b4 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
...
```
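Review bot: the `--certificate-identity-regexp` value in the verify command ends in `/\.github/workflows/.+`, which accepts a certificate issued to any workflow file in the repository, running from any ref. That is a looser identity check than the doc implies. Suggest pinning the pattern to the workflow file that actually signs the images and the ref it runs from, and anchoring it with `^` and `$`. The doc should also tell readers to pull or run the image by the verified `${DIGEST}` rather than the tag in `${IMAGE}`, since the tag can move after verification. Minor: the sample-output block is fenced as `bash` although it is program output, so a plain or `text` fence would be more accurate.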
