All Jaeger releases are cryptographically signed. Users should verify signatures before using release artifacts to ensure they have not been tampered with.
| Artifact Type | Signing Method |
|---|---|
| Git tags | GPG signed (git tag -s) |
| Binary archives | GPG detached signatures (.asc files) |
| Container images | Verify image digest from official Docker Hub and Quay.io repositories |
| SBOM | Included with each release |
Jaeger container images are published to official repositories on Docker Hub and Quay.io. To verify that you are using the intended image:
- Pull images from the official Jaeger organization repositories on Docker Hub or Quay.io.
- Use image digests (for example, `jaegertracing/all-in-one@sha256:<digest>`) rather than mutable tags where possible.
- Compare the digest you deploy with the expected digest published in your deployment configuration, automation, or release notes.
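The three checks above can be turned into a pre-deployment gate. The script below is an added example, not part of the Jaeger documentation or project code: it rejects image references that are not from an official Jaeger repository, that use a mutable tag instead of a digest, or whose digest differs from the one recorded for the deployment. `check_image_ref` and `verify_pulled_digest` are names chosen for this example, and the expected digest is a value you supply from your own deployment configuration or release notes.

```shell
#!/bin/sh
# Added example (not Jaeger project code): gate a deployment on an image
# reference being digest-pinned, from an official Jaeger repository, and
# equal to the digest recorded for this deployment.

# check_image_ref IMAGE_REF EXPECTED_DIGEST
# Succeeds only when IMAGE_REF has the form <official repo>@sha256:<64 hex>
# and that digest is exactly EXPECTED_DIGEST (written as "sha256:<hex>").
check_image_ref() {
    ref="$1"
    expected="$2"
    # Only the official Jaeger organizations on Docker Hub and Quay.io.
    case "$ref" in
        jaegertracing/*|docker.io/jaegertracing/*|quay.io/jaegertracing/*) ;;
        *) echo "rejected: $ref is not from an official Jaeger repository" >&2; return 1 ;;
    esac
    # Tags such as :latest or :1.55 can be repointed later; require a digest.
    case "$ref" in
        *@sha256:*) ;;
        *) echo "rejected: $ref is not pinned by digest" >&2; return 1 ;;
    esac
    digest="${ref##*@}"
    hex="${digest#sha256:}"
    # A sha256 digest is exactly 64 lowercase hex characters.
    if [ "${#hex}" -ne 64 ] || printf '%s' "$hex" | grep -q '[^0-9a-f]'; then
        echo "rejected: $ref has a malformed digest" >&2; return 1
    fi
    if [ "$digest" != "$expected" ]; then
        echo "rejected: $digest does not match expected $expected" >&2; return 1
    fi
    return 0
}

# verify_pulled_digest IMAGE_REF EXPECTED_DIGEST
# After a pull, confirm that the digest Docker recorded for the image is the
# expected one (guards against a typo in the reference or a tag-based pull).
# Requires the docker CLI; not exercised offline.
verify_pulled_digest() {
    recorded=$(docker image inspect --format '{{index .RepoDigests 0}}' "$1") || return 1
    [ "${recorded##*@}" = "$2" ]
}

# Usage: ./check-image.sh <image-ref> <expected-digest>
if [ "$#" -eq 2 ]; then
    check_image_ref "$1" "$2" && echo "ok: $1"
fi
```

Run it from CI or a deployment hook with the image reference and the digest you published for the release; a non-zero exit stops the rollout before an unexpected image is deployed.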
- Import the Jaeger GPG public key: the Jaeger public key (`C043A4D2B3F2AC31`) is available on all major key servers. See SECURITY.md for the full key block.

  ```bash
  gpg --keyserver keyserver.ubuntu.com --recv-keys C043A4D2B3F2AC31
  ```

- Download the release artifact and its signature:

  ```bash
  # Example for version v1.55.0
  wget https://github.com/jaegertracing/jaeger/releases/download/v1.55.0/jaeger-1.55.0-linux-amd64.tar.gz
  wget https://github.com/jaegertracing/jaeger/releases/download/v1.55.0/jaeger-1.55.0-linux-amd64.tar.gz.asc
  ```

- Verify the signature:

  ```bash
  gpg --verify jaeger-1.55.0-linux-amd64.tar.gz.asc jaeger-1.55.0-linux-amd64.tar.gz
  ```
You can verify the signature of any Jaeger Git tag using the following commands:

```bash
git fetch --tags
git tag -v v1.55.0
```
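Both `gpg --verify` (release archives, steps above) and `git tag -v` exit successfully for any good signature made by a key in your keyring, whether or not that key is the Jaeger key, so a script should also check which key signed. The script below is an added example, not part of the Jaeger documentation or project code, serving both the archive steps and the tag check. It parses the machine-readable status lines that `gpg --status-fd 1` and `git verify-tag --raw` emit and accepts a signature only when the primary key fingerprint on the `VALIDSIG` line ends with the Jaeger key ID from this page. It assumes gpg and git are installed and the Jaeger key has already been imported; `check_status`, `verify_archive` and `verify_tag` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not Jaeger project code): verify a release archive or a Git
# tag and insist that the signature was made by the expected Jaeger key,
# rather than trusting gpg's exit status alone.
#
# Assumptions: gpg and git are installed, the Jaeger public key has been
# imported (gpg --recv-keys), and JAEGER_KEY_ID is the long key ID from
# SECURITY.md.

JAEGER_KEY_ID="C043A4D2B3F2AC31"

# check_status STATUS_TEXT KEY_ID
# STATUS_TEXT is gpg --status-fd output ("[GNUPG:] ..." lines). Succeeds only
# if a VALIDSIG line is present, no BADSIG/ERRSIG/expired/revoked status was
# reported, and the primary key fingerprint (last field of VALIDSIG) ends
# with KEY_ID. Comparison is case-insensitive.
check_status() {
    expect=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    fpr=""
    bad=0
    while IFS= read -r line; do
        case "$line" in
            # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primary-fpr>
            *VALIDSIG*) fpr="${line##* }" ;;
            *BADSIG*|*ERRSIG*|*EXPSIG*|*EXPKEYSIG*|*REVKEYSIG*) bad=1 ;;
        esac
    done <<EOF
$1
EOF
    [ "$bad" -eq 0 ] || return 1
    [ -n "$fpr" ] || return 1
    case "$(printf '%s' "$fpr" | tr 'a-z' 'A-Z')" in
        *"$expect") return 0 ;;
    esac
    return 1
}

# verify_archive ARCHIVE   (expects the detached signature at ARCHIVE.asc)
verify_archive() {
    status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    check_status "$status" "$JAEGER_KEY_ID"
}

# verify_tag TAG   (git verify-tag --raw prints gpg status lines on stderr)
verify_tag() {
    status=$(git verify-tag --raw "$1" 2>&1) || return 1
    check_status "$status" "$JAEGER_KEY_ID"
}

# Usage: ./verify-jaeger.sh archive jaeger-1.55.0-linux-amd64.tar.gz
#        ./verify-jaeger.sh tag v1.55.0
if [ "$#" -eq 2 ]; then
    case "$1" in
        archive) verify_archive "$2" ;;
        tag)     verify_tag "$2" ;;
        *)       echo "usage: $0 archive|tag NAME" >&2; exit 2 ;;
    esac && echo "ok: $2 is signed by key $JAEGER_KEY_ID" || { echo "FAILED: $2" >&2; exit 1; }
fi
```

The fingerprint check is the part that binds the artifact to Jaeger: a "Good signature" from some other key in your keyring still fails here. If you have the full 40-character fingerprint from SECURITY.md, pass that instead of the 16-character key ID for a stricter match.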