To verify the security and integrity of the container image, you can validate the container signature.

During verification, use this public key:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1ivoAvFrHGi9lm01ecsBN1juDOp5
6kGA7G5M0WnOS2zc5qNPQSN1fzwOc/EgEIskERJY/NMmCjq0rcZzzKgfxQ==
-----END PUBLIC KEY-----

Prerequisites

Before you can verify the container image signing, you must download the cosign tool.

Procedure

  1. Download the containerized sensor image: cbartifactory/cb-containers-sensor using an image management tool, such as docker.
  2. Run the signature verification command using the public key above:
    cosign verify --key container-signing-key.pub cbartifactory/cb-containers-sensor:<sensor-version>

Results

An example of a successful verification:

Verification for docker.io/cbartifactory/cb-containers-sensor:<sensor-version> --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key
[
  {
    "critical": {
      "identity": {
        "docker-reference": "docker.io/cb/cbartifactory/cb-containers-sensor"
      },
      "image": {
        "docker-manifest-digest": "sha256:a1a0dfe211c0fdcbcae68fccb7629e79f3d9775891584daddc8aff5050237911"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEUCIBiIc38wiBow7FT09ylanYEki248tu4kYcJYr3dSwRUkAiEA9R9pK6SnTaTNhPKmK592n0keUGj8mdxTIA1Fc75j7i4=",
        "Payload": {
          "body": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJlZTliNjJiNzI3MjY0NGU0OTQ2M2YxNDllNmU2MGM5NjkxNzc3ODY3YjUwNWE1OTUwOWVhOGNjN2UyYWI4N2ZiIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQU5VY0FlVStYRk9CaEh1TUpRN2x2NVoycllNa1p3eHk1SnlsNWhWNm1BSkFpQWo1S3p0NVA2ZlkxN1drQ01xQXF2eno5dE1zVFpvOUZPN1hPcis2aHo4N0E9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGTVdsMmIwRjJSbkpJUjJrNWJHMHdNV1ZqYzBKT01XcDFSRTl3TlFvMmEwZEJOMGMxVFRCWGJrOVRNbnBqTlhGT1VGRlRUakZtZW5kUFl5OUZaMFZKYzJ0RlVrcFpMMDVOYlVOcWNUQnlZMXA2ZWt0blpuaFJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=",
          "integratedTime": 1699443190,
          "logIndex": 48394752,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      }
    }
  }
]