Skip to content
Latchkey

What Is a Public Key? Explained

A public key is the shareable half of a cryptographic key pair, used to verify signatures and encrypt messages to the keys owner.

A public key is meant to be handed out. It is the counterpart to a private key, and unlike its secret partner, it is safe - in fact useful - to publish widely. People use your public key to verify your signatures and to encrypt data only you can read. In CI, public keys are how a pipeline confirms that an artifact, image, or commit really came from a trusted signer.

What a public key is

A public key is one half of a key pair, derived from the private key but safe to share. It verifies what the private key signs and encrypts data that only the private key can decrypt. Distributing it does not compromise security, because it cannot be used to sign or decrypt.

What a public key does

Two complementary jobs to the private key: verification and encryption. You verify a signature with the signers public key to confirm authorship and integrity. You encrypt data with a recipients public key so only they, holding the private key, can read it.

Why it is safe to publish

The math is one-way: knowing a public key does not reveal the private key. So you can post it in a repo, a key server, or a certificate. The whole point of public-key cryptography is that broad distribution of the public key enables verification without ever exposing the secret.

Public keys in CI

A pipeline verifies signed artifacts using a trusted public key: confirming a signed commit, a signed release, or a signed container image came from the expected signer. SSH deploy keys and signature verification steps both rely on having the correct public key configured as trusted.

Verifying a signature with a public key
# Verify a signed image with a public key in CI
steps:
  - run: cosign verify --key cosign.pub \
      ghcr.io/acme/app:1.4.0

Latchkey note

Verifying signatures with a public key is a plain CLI step that runs the same on Latchkey runners, so adding a signature-verification gate to your pipeline needs no Latchkey-specific setup.

Key takeaways

  • A public key is the shareable half of a key pair, used to verify signatures and encrypt to its owner.
  • It cannot sign or decrypt, so publishing it is safe and is the intended use.
  • CI uses public keys to verify signed commits, releases, and images came from a trusted signer.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →