To verify the security and integrity of the container image, you can validate the container signature.
During verification, use this public key:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1ivoAvFrHGi9lm01ecsBN1juDOp5
6kGA7G5M0WnOS2zc5qNPQSN1fzwOc/EgEIskERJY/NMmCjq0rcZzzKgfxQ==
-----END PUBLIC KEY-----
Prerequisites
Procedure
Results
An example of a successful verification:
Verification for docker.io/cbartifactory/cb-containers-sensor:<sensor-version> --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[
  {
    "critical": {
      "identity": {
        "docker-reference": "docker.io/cb/cbartifactory/cb-containers-sensor"
      },
      "image": {
        "docker-manifest-digest": "sha256:a1a0dfe211c0fdcbcae68fccb7629e79f3d9775891584daddc8aff5050237911"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "Bundle": {
        "SignedEntryTimestamp": "MEUCIBiIc38wiBow7FT09ylanYEki248tu4kYcJYr3dSwRUkAiEA9R9pK6SnTaTNhPKmK592n0keUGj8mdxTIA1Fc75j7i4=",
        "Payload": {
          "body": "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",
          "integratedTime": 1699443190,
          "logIndex": 48394752,
          "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"
        }
      }
    }
  }
]
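The signed claim binds the signature to a manifest digest, not to a tag, so a deployment gate should confirm that the digest it is about to run is the one in the verified output. The following is an added example, not part of the original page or the vendor's tooling: it reads the JSON array shown above and returns the claim covering a given digest. The function name `check_claims`, its parameters, and the embedded sample are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timezone

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
SIGNATURE_TYPE = "cosign container image signature"

# Constructed sample: the claim fields from the verification output above,
# with SignedEntryTimestamp and the log entry body left out.
SAMPLE = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "docker.io/cb/cbartifactory/cb-containers-sensor"},
        "image": {"docker-manifest-digest":
                  "sha256:a1a0dfe211c0fdcbcae68fccb7629e79f3d9775891584daddc8aff5050237911"},
        "type": SIGNATURE_TYPE,
    },
    "optional": {"Bundle": {"Payload": {
        "integratedTime": 1699443190, "logIndex": 48394752,
        "logID": "c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}},
}])


def check_claims(verify_json, deploy_digest):
    """Return the verified claim that covers deploy_digest, or raise ValueError.

    check_claims and its parameters are hypothetical names for this example.
    """
    if not DIGEST_RE.fullmatch(deploy_digest):
        raise ValueError("deploy_digest must be a full sha256:<64 hex> digest")
    entries = json.loads(verify_json)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of signature payloads")
    for entry in entries:
        critical = entry.get("critical", {})
        if critical.get("type") != SIGNATURE_TYPE:
            continue
        if critical.get("image", {}).get("docker-manifest-digest") != deploy_digest:
            continue
        # "optional" may be null when the signature carries no bundle.
        payload = (entry.get("optional") or {}).get("Bundle", {}).get("Payload", {})
        ts = payload.get("integratedTime")
        return {
            "reference": critical.get("identity", {}).get("docker-reference"),
            "digest": deploy_digest,
            "log_index": payload.get("logIndex"),
            "logged_utc": (datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
                           if isinstance(ts, int) else None),
        }
    raise ValueError(f"no verified signature covers {deploy_digest}")
```

Pass the digest of the image you actually pulled as `deploy_digest`; a `ValueError` means the verified signature does not cover that image and the rollout should stop.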