From b6b2611dbbd59f7b5c806e3008973869dffcac2f Mon Sep 17 00:00:00 2001 From: priyawadhwa Date: Tue, 6 Apr 2021 05:34:22 -0700 Subject: [PATCH] Update README to include verification instructions (#715) --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index df1ad5ccc..0be2b7cf1 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,24 @@ It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of These images are built using the [bazel](https://bazel.build) tool, but they can also be used through other Docker image build tooling. +## How do I verify distroless images? + +All distroless images are signed by [cosign](https://github.com/sigstore/cosign). +We recommend verifying any distroless image you use before building your image. + +Once you've installed cosign, you can use the [distroless public key](cosign.pub) to verify any distroless image with: + +``` +cat cosign.pub +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWZzVzkb8A+DbgDpaJId/bOmV8n7Q +OqxYbK0Iro6GzSmOzxkn+N2AKawLyXi84WSwJQBK//psATakCgAQKkNTAA== +-----END PUBLIC KEY----- + + +cosign verify -key cosign.pub $IMAGE_NAME +``` + ### Entrypoints Note that distroless images by default do not contain a shell.
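Review bot: the fenced block in the new "How do I verify distroless images?" section mixes a `cat cosign.pub` command, its printed key material, and the `cosign verify -key cosign.pub $IMAGE_NAME` command in one untagged fence, so a reader copying the block will paste the PEM lines into their shell and the example does not run as written. Suggest keeping the key contents out of the command block (the README already links to `cosign.pub`, so showing it is optional), tagging the fence with `sh`, and leaving the block as just `cosign verify -key cosign.pub $IMAGE_NAME`, with a sentence stating that `$IMAGE_NAME` stands for the full image reference to be verified. It would also help readers to say what a successful verification looks like versus a failure, since the text only says to verify "before building your image" without stating that a non-zero exit or missing signature should block the build.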