
Verify your Kubernetes binary.

Confirm that every binary you download came from the Kubernetes project and was not tampered with in transit.

1. Why verify?

Every binary published by the Kubernetes project is paired with three files: a .sha256 checksum, a cosign .sig signature, and a .cert certificate. Verifying a binary against these files guarantees the file you have matches the file the Kubernetes release process produced.

2. Verify the sha256 checksum

The fastest check. Catches accidental corruption and most tampering. Replace linux/amd64 with your own platform/architecture as needed.

Linux

bash
curl -LO "https://dl.k8s.io/release/v1.36.1/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/v1.36.1/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check

macOS

bash
curl -LO "https://dl.k8s.io/release/v1.36.1/bin/darwin/arm64/kubectl"
curl -LO "https://dl.k8s.io/v1.36.1/bin/darwin/arm64/kubectl.sha256"
echo "$(cat kubectl.sha256)  kubectl" | shasum -a 256 --check

Windows (PowerShell)

powershell
curl.exe -LO "https://dl.k8s.io/release/v1.36.1/bin/windows/amd64/kubectl.exe"
curl.exe -LO "https://dl.k8s.io/v1.36.1/bin/windows/amd64/kubectl.exe.sha256"
$(Get-FileHash -Algorithm SHA256 kubectl.exe).Hash.ToLower() -eq $(Get-Content kubectl.exe.sha256)

A successful check prints kubectl: OK on Linux/macOS or returns True on Windows.
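
The checksum step above as a fail-closed function for scripts and CI. This is an added example, not code from the Kubernetes project. The names sha256_of and verify_sha256 are its own, and it assumes, as the echo command above implies, that the .sha256 file holds only the hex digest.

```bash
#!/usr/bin/env bash
# Added example: fail-closed SHA-256 gate for a downloaded release binary.
# Function names, messages and exit codes are this example's own choices.

# Print the lowercase hex SHA-256 of a file, using whichever tool exists
# (sha256sum on Linux, shasum on macOS, as in the commands above).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE SUMFILE
# Returns 0 only if SUMFILE starts with a well-formed digest that equals the
# digest of FILE; 1 on mismatch; 2 if an input is missing or malformed.
verify_sha256() {
  local file=$1 sumfile=$2 expected actual
  [ -f "$file" ] && [ -f "$sumfile" ] || { echo "missing input file" >&2; return 2; }

  # Assumption: the .sha256 file holds the bare digest. Take the first
  # field of the first line, drop any CR, and lowercase it.
  expected=$(tr -d '\r' < "$sumfile" | awk 'NR==1 {print tolower($1)}')

  # Reject anything that is not exactly 64 hex characters, for example an
  # HTML error page that curl saved because it ran without --fail.
  case $expected in
    *[!0-9a-f]*) echo "$sumfile: not a SHA-256 digest" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "$sumfile: not a SHA-256 digest" >&2; return 2; }

  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "$file: OK"
  else
    echo "$file: FAILED (expected $expected, got $actual)" >&2
    return 1
  fi
}
```

Call it as verify_sha256 kubectl kubectl.sha256 and install the binary only when it returns 0.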

3. Verify the cosign signature

For supply-chain verification, validate the cosign signature and certificate. This proves the binary was produced by the Kubernetes release pipeline.

Install cosign

bash
brew install cosign

Verify

bash
BINARY=kubectl
VERSION=v1.36.1
OS=linux
ARCH=amd64

curl -LO "https://dl.k8s.io/release/${VERSION}/bin/${OS}/${ARCH}/${BINARY}"
curl -LO "https://dl.k8s.io/release/${VERSION}/bin/${OS}/${ARCH}/${BINARY}.sig"
curl -LO "https://dl.k8s.io/release/${VERSION}/bin/${OS}/${ARCH}/${BINARY}.cert"

cosign verify-blob "${BINARY}" \
  --signature "${BINARY}.sig" \
  --certificate "${BINARY}.cert" \
  --certificate-identity-regexp '^https://github.com/kubernetes/kubernetes' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

What success looks like

cosign prints Verified OK when the signature and certificate are valid and the certificate identity matches the expected Kubernetes release identity. Any other output should be treated as a verification failure.