Verify Docker Image Signature
All LiteLLM Docker images are signed with cosign. Every release is signed with the same key introduced in commit 0112e53.
Verify using the pinned commit hash (recommended):
A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key:
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
ghcr.io/berriai/litellm:v1.88.0-rc.1Verify using the release tag (convenience):
Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules:
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/v1.88.0-rc.1/cosign.pub \
ghcr.io/berriai/litellm:v1.88.0-rc.1Expected output:
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
What's Changed
- fix(ci): restore real Bedrock batch S3 bucket/role in oai_misc_config by @mateo-berri in #29245
- fix(guardrails): persist disable_global_guardrails on keys by @ryan-crabbe-berri in #29233
- test(e2e): cover Team Admin view + member + key flows by @ryan-crabbe-berri in #29072
- docs: hand-written CLAUDE.md; remove AGENTS.md, point GEMINI.md at it by @mateo-berri in #29252
- fix(teams): expose keys_count on /v2/team/list and wire UI Resources badge by @michelligabriele in #28502
- fix(anthropic): stop injecting unsupported output_config.effort=xhigh for Claude Code on Sonnet/Opus 4.6 by @mateo-berri in #29304
- test(e2e): cover Internal Viewer nav, key, and team-info gating by @ryan-crabbe-berri in #29075
- test(e2e): cover Internal User key modal, team info, key page by @ryan-crabbe-berri in #29074
- test(e2e): cover navbar Logout flow as proxy admin by @ryan-crabbe-berri in #29076
- fix(mcp): resolve key.access_group_ids → MCP servers (ungated) by @ryan-crabbe-berri in #29195
- fix(router): enforce deployment budgets for dynamically added models by @Sameerlite in #29273
- fix(proxy): map stripped batch body.model to proxy alias for auth by @Sameerlite in #29264
- feat(mcp): support stateless and stateful clients via session-id routing by @Sameerlite in #26857
- fix(bedrock): support tool search results + chat annotations by @Sameerlite in #29120
- fix(mcp): ignore stale ids on key save by @Sameerlite in #29128
- feat(a2a): well-known agent-card discovery + LangGraph Platform mode by @Sameerlite in #28860
- fix(proxy): link passthrough success spans to the SERVER root OTEL span by @ryan-crabbe-berri in #29315
- [internal copy of #29089] fix: duplicate claude code traces by @mateo-berri in #29311
- feat(otel): typed semconv-aligned OpenTelemetry instrumentation by @yassin-berriai in #28909
- tests(proxy_server): surface current behavior in tests by @yuneng-berri in #29309
- test(e2e): cover Internal User create-key flow when in no teams by @ryan-crabbe-berri in #29083
- test(e2e): assert internal-user navbar identity is scoped to that user by @ryan-crabbe-berri in #29077
- feat(otel): add team_metadata, http.route, and model names to inference spans by @yassin-berriai in #29319
- feat(context_management): compact_20260112 polyfill for non-Anthropic providers by @Sameerlite in #28868
- feat(enterprise): add RESEND_FROM_EMAIL for self-hosted Resend sends by @shivamrawat1 in #28830
- Revert Bedrock CI back to the reactivated AWS account (888602223428) by @mateo-berri in #29326
- fix(mcp): preserve source_url in GET /v1/mcp/server list responses by @shivamrawat1 in #29249
- fix(mcp): preserve omitted fields on PUT /v1/mcp/server partial updates by @shivamrawat1 in #29253
- fix(ci): make litellm_internal_staging green (logging test + Bedrock Opus 4.7 self-heal) by @mateo-berri in #29344
- refactor(proxy/auth): normalize Bearer prefix in safe-hash helper by @yuneng-berri in #29343
- test(reasoning-effort-grid): cover Claude Opus 4.8 across provider routes by @mateo-berri in #29327
- fix(guardrails): return HTTP 400 for litellm content filter blocks by @shivamrawat1 in #28418
- fix(proxy): restrict vector store index create/delete to proxy admins by @shivamrawat1 in #29202
- feat(pass_through): extend passthrough_managed_object_ids to Azure by @Sameerlite in #29160
- fix(proxy): enforce allowed_passthrough_routes for auth=true pass-thr… by @shivamrawat1 in #29256
- feat(mcp/auth): additive key access-group grants + opt-in member assignment by @ryan-crabbe-berri in #29313
- fix(reset_budget): write only {spend, budget_reset_at} and stop pre-zeroing counter by @yuneng-berri in #29358
- test(e2e): cover PROXY_LOGOUT_URL redirect on Logout by @ryan-crabbe-berri in #29080
- fix(ui): break logout redirect loop across dev and proxy origins by @yuneng-berri in #29360
- fix(openai-moderation): wire streaming flags through to unified dispatcher by @michelligabriele in #27324
- chore(ci): build ui by @yuneng-berri in #29366
- fix(v3 limiter): cap no-max_tokens TPM floor at smallest configured limit by @michelligabriele in #28805
- fix(e2e): tolerate trailing slash in SERVER_ROOT_PATH login redirect by @yuneng-berri in #29369
- chore(deps): bump deps by @yuneng-berri in #29373
- chore(ci): promote internal staging to main by @yuneng-berri in #29372
Full Changelog: v1.88.0-dev.1...v1.88.0-rc.1