Download signed images from Docker Hub

You are currently viewing version 1.4 of the Apigee hybrid documentation.This version is end of life. You should upgrade to a newer version. For more information, seeSupported versions.

To ensure the integrity of all runtime container images published and downloaded for production systems, image signing support is now available for all Apigee hybrid images using Docker Hub. All hybrid runtime images are publicly available for download from the Google Docker Hub account.

Hybrid images are signed with Docker Content Trust, a feature that lets users verify the integrity and publisher of every image built and running in a Docker registry. These signatures allow client-side or runtime verification of specific image tags against publisher keys, ensuring that the image is exactly what the publisher created and pushed for publication.

Download signed container images

If you are using a Kubernetes cluster without internet access to deploy your hybrid runtime services, you will need to download the container images to a local container registry and then access the registry from your Kubernetes cluster.

To download a signed container image, you should haveDocker installed and use thedocker pull command as follows. Be sure to append the correct tag to each image name. For example, the tag forapigee-synchronizer is1.3.6, as shown below.

Namespace:apigee-system

docker pull google/apigee-kube-rbac-proxy:v0.4.1docker pull google/apigee-operators:1.3.6docker pull google/apigee-installer:1.3.6

Namespace:apigee

docker pull google/apigee-authn-authz:1.3.6docker pull google/apigee-cassandra-backup-utility:1.3.6docker pull google/apigee-connect-agent:1.3.6docker pull google/apigee-hybrid-cassandra-client:1.3.6docker pull google/apigee-hybrid-cassandra:1.3.6docker pull google/apigee-mart-server:1.3.6docker pull google/apigee-prom-prometheus:v2.9.2docker pull google/apigee-runtime:1.3.6docker pull google/apigee-stackdriver-logging-agent:1.6.8docker pull google/apigee-stackdriver-prometheus-sidecar:0.7.5docker pull google/apigee-synchronizer:1.3.6docker pull google/apigee-udca:1.3.6docker pull google/apigee-watcher:1.3.6

Verify container image signer and signatures

To verify that an image has been signed, run the following command:

docker trust inspect --pretty $IMAGE_NAME:$IMAGE_TAG

The output of this command will let you know whether the tagged image is signed, the name of the signers, and a list of signers and keys. For example:

docker trust inspect --pretty google/apigee-mart-server:1.3.6Signatures for google/apigee-mart-server:1.3.6SIGNED TAG          DIGEST                                       SIGNERSbeta2a607b0e7acba41544e5db8e74b039e9314fdcfdc6f1acf73094d3179fc2af322   asf-adminList of signers and their keys for google/apigee-mart-server:1.3.6SIGNER              KEYSasf-admin           7d4abdbb7bfdAdministrative keys for google/apigee-mart-server:1.3.6Repository Key:       80f86b047965f6dec0c056b1938a7f8cfb894ba8014fba36a18d0923173d394aRoot Key:     6f2d60f90a0d78dd6254d3d47613a4dd6eb0880f83411e6f8b122b84dbef69ca

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.