
Security option: Verifying Dynamic Engine artifact signatures

From v0.22 (R2025-06), you can validate the authenticity of Dynamic Engine artifacts (images and Helm charts) by verifying their digital signatures before deployment.

Note: As of Dynamic Engine v0.22, artifact signatures are not yet available for resources pulled from public registries, such as reloader and docker-registry.

Before you begin

  • Use Dynamic Engine v0.22 (R2025-06) onwards.
  • Access the list of required artifacts and their details for your Dynamic Engine version in the changelog:
    • Name: the functional name of the chart or service
    • Version: the x.y.z version of an artifact
    • Path: a string with the coordinates of the artifacts, for example, ghcr.io/talend/job-controller
  • Official Dynamic Engine public key, valid from June 2025:
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk6LwoCuQitMxk4RCWfCAN1lpJk5p+
    91oaQHTYrZnvSLqEP59vw/dz2F/7xaoHkFqEG+9Yv6DwG01Apty1A9KMw==
    -----END PUBLIC KEY-----

About this task

Qlik provides digital signatures for all official images and Helm charts from Dynamic Engine v0.22 onwards. All artifacts are signed at build time with an asymmetric key pair: the private key is used for signing, and the public key is made available for signature verification.

Signature validation can be automated using admission controllers from the Kubernetes community, such as PolicyController, Kyverno, connaisseur, or Gatekeeper. In this example, the Cosign tool is used to perform manual verification.

Procedure

  1. Install the Cosign tool if you do not have it.
  2. Save the official public key to a local file.
    cat <<EOF > dynamic-engine.pub
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEk6LwoCuQitMxk4RCWfCAN1lpJk5p+
    91oaQHTYrZnvSLqEP59vw/dz2F/7xaoHkFqEG+9Yv6DwG01Apty1A9KMw==
    -----END PUBLIC KEY-----
    EOF
  3. Verify the artifact signature using Cosign.
    cosign verify --key dynamic-engine.pub <artifact-path>:<version>

    Replace <artifact-path> and <version> with their values from the changelog. For example:

    cosign verify --key dynamic-engine.pub ghcr.io/talend/job-controller:2.14.1
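The procedure above verifies one artifact at a time. The following script is an added example (not Qlik's own tooling) that runs the same cosign check over every artifact listed for a release and fails closed if any signature does not validate, which is the shape a CI gate or pre-deployment check usually takes. It assumes cosign is on PATH, that dynamic-engine.pub is the key file saved in step 2, and that ARTIFACTS holds the changelog rows as path:version tokens; the artifact list below is constructed for illustration, and the function names verify_one and verify_all are this example's own.

```shell
#!/usr/bin/env sh
# Added example: batch-verify Dynamic Engine artifact signatures with cosign.
# Assumptions: cosign is installed, dynamic-engine.pub holds the official
# public key, and ARTIFACTS lists <artifact-path>:<version> tokens taken from
# the changelog. The two entries below are constructed sample values only.

ARTIFACTS="${ARTIFACTS:-
ghcr.io/talend/job-controller:2.14.1
ghcr.io/talend/example-service:1.0.0
}"

KEY_FILE="${KEY_FILE:-dynamic-engine.pub}"

# verify_one <path:version>
# Returns 0 when cosign accepts the signature for the reference, non-zero
# otherwise. Output is suppressed; callers only need the verdict.
verify_one() {
  cosign verify --key "$KEY_FILE" "$1" >/dev/null 2>&1
}

# verify_all
# Verifies every reference in ARTIFACTS, prints one verdict line per
# artifact, and returns the number of failures (0 means all are trusted).
verify_all() {
  failures=0
  for ref in $ARTIFACTS; do
    if verify_one "$ref"; then
      echo "OK    $ref"
    else
      echo "FAIL  $ref"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Run the check only when this file is executed under its own name, so the
# functions can also be sourced from other scripts without side effects.
if [ "${0##*/}" = "verify-dynamic-engine.sh" ]; then
  verify_all
  rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "$rc artifact(s) failed signature verification; do not deploy." >&2
  fi
  exit "$rc"
fi
```

Save the script as verify-dynamic-engine.sh, set ARTIFACTS to the references from the changelog for your version, and run it before deploying; a non-zero exit status means at least one artifact must not be used. Because an image tag can be re-pointed after verification, a stricter pipeline records the digest that cosign reports for each verified artifact and deploys that digest rather than the tag.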

Results

After confirming the authenticity of your Dynamic Engine artifact, you ensure that only validated artifacts are deployed.
