Verify Docker Image Signature
All LiteLLM Docker images are signed with cosign. Every release is signed with the same key introduced in commit 0112e53.
Verify using the pinned commit hash (recommended):
A commit hash is cryptographically immutable, so this is the strongest way to ensure you are using the original signing key:
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/0112e53046018d726492c814b3644b7d376029d0/cosign.pub \
ghcr.io/berriai/litellm:v1.91.0-rc.1Verify using the release tag (convenience):
Tags are protected in this repository and resolve to the same key. This option is easier to read but relies on tag protection rules:
cosign verify \
--key https://raw.githubusercontent.com/BerriAI/litellm/v1.91.0-rc.1/cosign.pub \
ghcr.io/berriai/litellm:v1.91.0-rc.1Expected output:
The following checks were performed on each of these signatures:
- The cosign claims were validated
- The signatures were verified against the specified public key
What's Changed
- fix(guardrails): match policy-pipeline block response to direct guardrail attachment by @yassin-berriai in #31421
- feat(prometheus): add requested_model label to spend and requests metrics by @yucheng-berri in #31410
- fix(ui): stop listing bedrock_mantle models under the Bedrock provider by @mateo-berri in #31478
- fix(mcp): stop logging tool-call input in MCP client by @ryan-crabbe-berri in #31393
- feat(mcp): shared OAuth token foundation - challenge, store seam, expiry-aware cache, single-flight refresh by @tin-berri in #31275
- fix(passthrough): schedule spend logging via durable logging worker by @mateo-berri in #31485
- fix(websearch): wrap agentic loop response in fake stream for streaming requests by @mateo-berri in #31484
- feat(guardrails): add headroom guardrail for message compression by @krrish-berri-2 in #31407
- fix(websearch): sync tool_choice when converting web_search tools by @shivamrawat1 in #31375
- fix(passthrough): forward all multipart files with repeated field names by @shivamrawat1 in #31391
- fix(cost): preserve Anthropic server_tool_use web search usage in cost tracking by @mateo-berri in #31355
- fix(otel): point AgentOps OTLP exporter at otlp.agentops.ai by @yucheng-berri in #31490
- feat(mcp): migrate authorization_code MCP to the v2 resolver (single-replica) [1/2] by @tin-berri in #31473
- fix(pass-through): stop pass-through route registry growing every reload (PERF-13) by @yassin-berriai in #31314
- fix(bedrock): normalize Messages system role and adaptive-thinking for Claude Invoke by @mateo-berri in #31364
- perf(proxy): bound event-loop blocking from oversized requests by @yassin-berriai in #31497
- fix(proxy): cancel upstream LLM stream when client disconnects during time-to-first-token by @yassin-berriai in #31499
- fix(pass_through): log pre-call guardrail blocks at WARNING, not ERROR with a traceback by @yassin-berriai in #31500
- fix(proxy/auth): honor user_api_key_cache_ttl for management-object cache writes by @yassin-berriai in #31504
- feat(prometheus): add per-team litellm_team_members_metric gauge by @yassin-berriai in #31506
- fix(redis): loop-scope async Lua script registration by @yassin-berriai in #31501
- style: unify ruff format width on 120 by @mateo-berri in #31518
- chore: ignore ruff-format reformat commits in git blame by @mateo-berri in #31520
- fix(vertex_ai): append rawPredict suffix for custom api_base on /v1/m… by @shivamrawat1 in #31529
- feat(mcp): cross-replica single-flight refresh for the v2 per-user OAuth store [2/2] by @tin-berri in #31493
- chore: remove unused keys from model cost map by @mateo-berri in #31528
- fix(agents): show an agent's attached virtual key in the UI by @ryan-crabbe-berri in #29619
- fix(router): persist global retry_policy via /config/update by @ryan-crabbe-berri in #29540
- chore: update Next.js build artifacts (2026-06-28 00:38 UTC, node v20… by @shivamrawat1 in #31539
- chore(ci): promote internal staging to main by @shivamrawat1 in #31542
Full Changelog: v1.91.0-dev.2...v1.91.0-rc.1