To verify the security and integrity of the container image, you can validate the container signature.
During verification, use this public key:
-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1ivoAvFrHGi9lm01ecsBN1juDOp5 6kGA7G5M0WnOS2zc5qNPQSN1fzwOc/EgEIskERJY/NMmCjq0rcZzzKgfxQ== -----END PUBLIC KEY-----
Prerequisites
Procedure
Results
An example of a successful verification:
Verification for docker.io/cbartifactory/cb-containers-sensor:<sensor-version> --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[
{
"critical": {
"identity": {
"docker-reference": "docker.io/cb/cbartifactory/cb-containers-sensor"
},
"image": {
"docker-manifest-digest": "sha256:a1a0dfe211c0fdcbcae68fccb7629e79f3d9775891584daddc8aff5050237911"
},
"type": "cosign container image signature"
},
"optional": {
"Bundle": {
"SignedEntryTimestamp": "MEUCIBiIc38wiBow7FT09ylanYEki248tu4kYcJYr3dSwRUkAiEA9R9pK6SnTaTNhPKmK592n0keUGj8mdxTIA1Fc75j7i4=",
"Payload": {
"body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJlZTliNjJiNzI3MjY0NGU0OTQ2M2YxNDllNmU2MGM5NjkxNzc3ODY3YjUwNWE1OTUwOWVhOGNjN2UyYWI4N2ZiIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQU5VY0FlVStYRk9CaEh1TUpRN2x2NVoycllNa1p3eHk1SnlsNWhWNm1BSkFpQWo1S3p0NVA2ZlkxN1drQ01xQXF2eno5dE1zVFpvOUZPN1hPcis2aHo4N0E9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGTVdsMmIwRjJSbkpJUjJrNWJHMHdNV1ZqYzBKT01XcDFSRTl3TlFvMmEwZEJOMGMxVFRCWGJrOVRNbnBqTlhGT1VGRlRUakZtZW5kUFl5OUZaMFZKYzJ0RlVrcFpMMDVOYlVOcWNUQnlZMXA2ZWt0blpuaFJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=",
"integratedTime": 1699443190,
"logIndex": 48394752,
"logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
}
}
}
}
]
