All ActiveState containers ship with verifiable signatures and attestations such as SBOMs. Verifying signatures and attestations is a common best practice in CI/CD pipelines: like a checksum, a signature confirms that the image you pull is the one that was published, and unlike a checksum it also proves which identity published it.
This guide outlines how to use Cosign to verify container image signatures and to verify and download their attestations.
Verify Container Image Signatures
You must have cosign and jq installed. For installation, see the cosign and jq documentation.
Run the following to verify your container with cosign:
cosign verify <image-name> --certificate-identity=https://github.com/ActiveState/images/.github/workflows/sign-images.yml@refs/heads/main --certificate-oidc-issuer=https://token.actions.githubusercontent.com
Replace <image-name> with the image reference used in your Dockerfile, for example activestate/python:latest.
The --certificate-identity flag pins the accepted signer to the sign-images workflow on the main branch of the ActiveState/images repository, and --certificate-oidc-issuer pins the identity provider to GitHub Actions; a signature issued to any other identity is rejected. Note that verifying a floating tag such as latest only covers the digest that tag resolves to at that moment, so for a reproducible pipeline pin the digest reported in the output (critical.image.docker-manifest-digest) and pull the image by that digest.
If cosign verify succeeds, it exits with status 0 and prints the following, followed by JSON-formatted metadata about each signature (including the digest of the image manifest that was signed). A non-zero exit status means verification failed and your pipeline should stop:
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
To use Cosign to verify a container image's SBOM attestation and then download its contents, run the following commands:
cosign verify-attestation --type=spdxjson <image-name> --certificate-identity=https://github.com/ActiveState/images/.github/workflows/sign-images.yml@refs/heads/main --certificate-oidc-issuer=https://token.actions.githubusercontent.com
cosign download attestation --predicate-type=https://spdx.dev/Document <image-name> | jq -r .payload | base64 -d | jq .predicate
Note that cosign verify-attestation checks the signature on the attestation, whereas cosign download attestation fetches it from the registry without any verification; use the downloaded predicate only after the verify-attestation step has succeeded.
To use Cosign to verify a container image's VEX attestation and then download its contents, run the following commands (the same caveat applies: download only after verification succeeds):
cosign verify-attestation --type=openvex <image-name> --certificate-identity=https://github.com/ActiveState/images/.github/workflows/sign-images.yml@refs/heads/main --certificate-oidc-issuer=https://token.actions.githubusercontent.com
cosign download attestation --predicate-type=https://openvex.dev/ns <image-name> | jq -r .payload | base64 -d | jq .predicate
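The steps above, turned into a fail-closed CI gate, as an added example that is not part of ActiveState's tooling or this page's original commands. It wraps the same cosign invocations with the same identity and issuer, pins the verified digest, and checks that each attestation's in-toto subject actually names that digest before trusting its predicate. It assumes cosign is on PATH and that cosign verify and cosign verify-attestation print their JSON to stdout (one DSSE envelope per line for attestations), which is cosign's default output; the sample verify output and envelope at the bottom are constructed for offline use, not captured from a registry.

```python
#!/usr/bin/env python3
"""Fail-closed CI gate around the cosign commands on this page (added example)."""
import base64
import json
import subprocess

# Keyless identity the page's commands pin: only this workflow on the main
# branch is accepted, so an image signed from a fork or feature branch fails.
CERT_IDENTITY = ("https://github.com/ActiveState/images/.github/workflows/"
                 "sign-images.yml@refs/heads/main")
CERT_OIDC_ISSUER = "https://token.actions.githubusercontent.com"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# cosign --type value -> predicateType inside the signed in-toto statement.
PREDICATE_TYPES = {
    "spdxjson": "https://spdx.dev/Document",
    "openvex": "https://openvex.dev/ns",
}


def run_cosign(*args):
    """Run cosign with the pinned identity; a non-zero exit is a verification failure."""
    cmd = ["cosign", *args,
           f"--certificate-identity={CERT_IDENTITY}",
           f"--certificate-oidc-issuer={CERT_OIDC_ISSUER}"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"{' '.join(cmd)} failed:\n{proc.stderr}")
    return proc.stdout


def repository(image_ref):
    """Strip tag or digest from an image reference (handles registry:port/name)."""
    ref = image_ref.split("@", 1)[0]
    head, sep, tail = ref.rpartition(":")
    return head if sep and "/" not in tail else ref


def signed_digest(verify_stdout):
    """Return the single manifest digest the `cosign verify` signatures cover.

    A floating tag only proves what it resolves to right now; the digest is
    what the pipeline should pin afterwards.
    """
    sigs = json.loads(verify_stdout)
    if not sigs:
        raise ValueError("cosign verify returned no signatures")
    digests = {s["critical"]["image"]["docker-manifest-digest"] for s in sigs}
    if len(digests) != 1:
        raise ValueError(f"signatures cover more than one digest: {digests}")
    for s in sigs:  # cosign already enforced this; re-check the recorded subject
        subject = (s.get("optional") or {}).get("Subject")
        if subject is not None and subject != CERT_IDENTITY:
            raise ValueError(f"unexpected signing identity {subject}")
    return digests.pop()


def decode_statement(envelope_line, expected_predicate_type, expected_digest):
    """Unwrap one DSSE envelope that verify-attestation accepted and return its
    predicate, after checking the statement's type and that it names the digest."""
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != expected_predicate_type:
        raise ValueError(f"unexpected predicateType {statement.get('predicateType')}")
    subjects = {"sha256:" + s["digest"]["sha256"] for s in statement.get("subject", [])}
    if expected_digest not in subjects:
        raise ValueError("attestation does not cover the verified image digest")
    return statement["predicate"]


def verify_image(image_ref):
    """Verify signature, SBOM and VEX; return the pinned reference and predicates."""
    digest = signed_digest(run_cosign("verify", image_ref))
    result = {"pinned": f"{repository(image_ref)}@{digest}"}
    for cosign_type, predicate_type in PREDICATE_TYPES.items():
        out = run_cosign("verify-attestation", f"--type={cosign_type}", image_ref)
        lines = [ln for ln in out.splitlines() if ln.strip()]
        result[cosign_type] = [decode_statement(ln, predicate_type, digest) for ln in lines]
    return result


# Constructed sample data (not captured from a registry) so the parsers run offline.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {"identity": {"docker-reference": "index.docker.io/activestate/python"},
                 "image": {"docker-manifest-digest": SAMPLE_DIGEST},
                 "type": "cosign container image signature"},
    "optional": {"Issuer": CERT_OIDC_ISSUER, "Subject": CERT_IDENTITY},
}])
_sbom_statement = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": PREDICATE_TYPES["spdxjson"],
    "subject": [{"name": "index.docker.io/activestate/python",
                 "digest": {"sha256": SAMPLE_DIGEST.split(":")[1]}}],
    "predicate": {"spdxVersion": "SPDX-2.3", "name": "activestate/python"},
}
SAMPLE_SBOM_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_sbom_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "constructed"}],
})

if __name__ == "__main__":
    import sys
    summary = verify_image(sys.argv[1])  # e.g. activestate/python:latest
    print(json.dumps({"pinned": summary["pinned"],
                      "sbom_attestations": len(summary["spdxjson"]),
                      "vex_attestations": len(summary["openvex"])}, indent=2))
```

Run it as a pipeline step with the image reference from your Dockerfile; any failure (bad signature, wrong identity, attestation for a different digest) raises and fails the job, and the pinned reference it prints is the digest-qualified reference to use in later stages.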
To see our full catalog of containers, check out our page on DockerHub.