Including image signatures in airgap bundles

@Evans_Mungai and I were chatting with a team that’s evaluating Replicated today and I was explaining how I include image signatures in airgap bundles using additionalImages. He mentioned he’d never seen my approach before so I thought I’d share it here.

A few months back I was working with a Replicated customer with two requirements that I hadn’t considered together before: signed images (enforced by Kyverno) and airgap installs. I was wondering how I’d solve this because I wasn’t even sure the signature would still be valid once I loaded the image into the new registry. It turns out that wasn’t a problem: the signature is valid since the image contents are the same.

Now I have very useful bits of knowledge:

  1. I just need the existing image and signature inside the airgap
  2. I can derive the signature image name/tag based on the image name/tag. The signature for the image is at

This left me with a fairly standard situation for Replicated airgap builds. I have an image (the signature) that isn’t referenced by my manifests but needs to be in the airgap bundle. That’s a known scenario with a known solution: additionalImages in my Replicated Application object.

Sure enough, when I set additionalImages with my signatures:


I get an airgap bundle with the images and their signatures in it. The images land in the registry, the policy finds them, and my application runs as expected.
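
An added example, not code from the original post: a sketch of deriving signature image references and listing them under additionalImages. It assumes the images are signed with cosign, which stores a signature in the image's own repository under the tag `sha256-<digest>.sig`; the post does not name the signing tool, and the image names, digests and application name below are constructed.

```python
"""Derive cosign-style signature references and emit additionalImages entries.

Assumption (not from the post): signatures follow cosign's tag convention,
<repository>:sha256-<hex digest>.sig, in the same repository as the image.
"""
import re

# Constructed sample inputs: images pinned by digest (digests are made up).
IMAGES = [
    "registry.example.com:5000/acme/api:1.4.2@sha256:" + "a" * 64,
    "ghcr.io/acme/worker@sha256:" + "b" * 64,
]

_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def signature_ref(image: str) -> str:
    """Return the cosign signature reference for a digest-pinned image."""
    name, sep, digest = image.partition("@")
    if not sep or not _DIGEST.match(digest):
        # A tag can move, so the signature location is only defined per digest.
        raise ValueError(f"image must be pinned by sha256 digest: {image!r}")
    # Drop an optional tag: a colon after the last slash is a tag,
    # a colon before the last slash is a registry port.
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    repo = name[:colon] if colon > last_slash else name
    return f"{repo}:sha256-{digest.split(':', 1)[1]}.sig"


def additional_images_yaml(images, app_name="my-app"):
    """Render a Replicated Application object listing each signature image."""
    lines = [
        "apiVersion: kots.io/v1beta1",
        "kind: Application",
        "metadata:",
        f"  name: {app_name}  # hypothetical application name",
        "spec:",
        "  additionalImages:",
    ]
    for ref in dict.fromkeys(signature_ref(i) for i in images):  # de-duplicate
        lines.append(f"    - {ref}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(additional_images_yaml(IMAGES))
```

Inputs must be pinned by digest because the signature tag is computed from the digest, not from the image tag.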