Verifying ActiveState Containers with Cosign

All ActiveState Containers carry verifiable signatures and attestations such as SBOMs. Verifying signatures and attestations is a common best practice in CI/CD pipelines: it confirms that the image you pull is the image that was published, much as a checksum confirms data integrity.

This guide outlines how you can use Cosign to download and verify container image signatures and attestations.

Verifying Container Image Signatures

Prerequisites

You must have cosign and jq installed. For installation, see these docs:

Verify Using Cosign

Run the following to verify your container with cosign:

cosign verify <image-name> --certificate-identity=https://github.com/ActiveState/images/.github/workflows/sign-images.yml@refs/heads/main --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Replace <image-name> with the image reference used in your Dockerfile, for example docker.io/activestate/python:latest.

If the cosign verify command succeeds, your terminal shows the following, followed by JSON-formatted metadata about the image:

The following checks were performed on each of these signatures:
    - The cosign claims were validated
    - Existence of the claims in the transparency log was verified offline
    - The code-signing certificate was verified using trusted certificate authority certificates
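In a pipeline you usually want this check to fail closed and to hand back the exact manifest digest that was signed, so later steps can pin that digest instead of a mutable tag. The script below is an added example, not ActiveState's own tooling: it runs the guide's cosign verify command, re-checks the signer identity and issuer in cosign's JSON output, and returns the verified digest. It assumes cosign is on PATH, that cosign prints its human-readable check list to stderr and the JSON array of valid signatures (objects with "critical" and "optional" keys, the latter carrying "Subject" and "Issuer") to stdout, and that the SBOM attestation is published as SPDX JSON (the --type value in build_attestation_cmd is an assumption; confirm it against the image you use). SAMPLE_COSIGN_OUTPUT is a constructed sample, not real cosign output.

```python
"""Fail-closed wrapper around `cosign verify` for a CI step (added example)."""
import json
import subprocess
from typing import List, Optional

# Signer identity and OIDC issuer exactly as given in the guide above.
EXPECTED_IDENTITY = (
    "https://github.com/ActiveState/images/.github/workflows/"
    "sign-images.yml@refs/heads/main"
)
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample of a cosign verify JSON result (one valid signature).
# The digest is a dummy value, not a real ActiveState image digest.
SAMPLE_COSIGN_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/activestate/python"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {"Issuer": EXPECTED_ISSUER, "Subject": EXPECTED_IDENTITY},
}])


class VerificationError(Exception):
    """Raised when cosign fails or the signature metadata does not match."""


def build_verify_cmd(image: str) -> List[str]:
    """Argument vector for the guide's cosign verify command (no shell quoting)."""
    return [
        "cosign", "verify", image,
        f"--certificate-identity={EXPECTED_IDENTITY}",
        f"--certificate-oidc-issuer={EXPECTED_ISSUER}",
    ]


def build_attestation_cmd(image: str, att_type: str = "spdxjson") -> List[str]:
    """Argument vector for verifying an attached SBOM attestation.
    Assumption: the SBOM is attached as an SPDX JSON attestation."""
    return [
        "cosign", "verify-attestation", image, f"--type={att_type}",
        f"--certificate-identity={EXPECTED_IDENTITY}",
        f"--certificate-oidc-issuer={EXPECTED_ISSUER}",
    ]


def check_verification(cosign_stdout: str,
                       expected_digest: Optional[str] = None) -> str:
    """Parse cosign's JSON output and re-check signer identity and issuer.

    Returns the manifest digest the signature covers so the caller can pin it.
    Raises VerificationError on any mismatch or on an empty result.
    """
    try:
        signatures = json.loads(cosign_stdout)
    except json.JSONDecodeError as exc:
        raise VerificationError(f"cosign output is not JSON: {exc}") from exc
    if not isinstance(signatures, list) or not signatures:
        raise VerificationError("cosign reported no valid signatures")

    digests = set()
    for sig in signatures:
        optional = sig.get("optional") or {}
        # cosign already enforced the identity flags; re-checking here guards
        # against a mis-edited CI config that silently dropped one of them.
        if optional.get("Subject") != EXPECTED_IDENTITY:
            raise VerificationError(f"unexpected signer: {optional.get('Subject')}")
        if optional.get("Issuer") != EXPECTED_ISSUER:
            raise VerificationError(f"unexpected issuer: {optional.get('Issuer')}")
        digest = (sig.get("critical") or {}).get("image", {}).get("docker-manifest-digest")
        if not digest:
            raise VerificationError("signature record carries no manifest digest")
        digests.add(digest)

    if len(digests) != 1:
        raise VerificationError(f"signatures cover different digests: {digests}")
    digest = digests.pop()
    if expected_digest and digest != expected_digest:
        raise VerificationError(f"digest {digest} does not match pinned {expected_digest}")
    return digest


def verify_image(image: str, expected_digest: Optional[str] = None) -> str:
    """Run cosign verify and return the verified manifest digest, or raise."""
    proc = subprocess.run(build_verify_cmd(image), capture_output=True, text=True)
    if proc.returncode != 0:
        raise VerificationError(f"cosign verify failed: {proc.stderr.strip()}")
    return check_verification(proc.stdout, expected_digest)


if __name__ == "__main__":
    import sys
    ref = sys.argv[1] if len(sys.argv) > 1 else "docker.io/activestate/python:latest"
    print(verify_image(ref))
```

Pass the digest returned by verify_image into the image reference of the next pipeline stage (image@sha256:...) so a later re-tag of :latest cannot change what you deploy; a second run with expected_digest set to the pinned value then catches any drift.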

To see our full catalog, visit our Docker Hub.