Verifying ActiveState Containers with Cosign

All ActiveState Containers contain verifiable signatures and attestations such as SBOMs. Verifying signatures and attestations is a common best practice in CI/CD pipelines to verify that the installed image is the correct image, similar to how a checksum can be used to confirm data integrity.

This guide outlines how you can use Cosign to download and verify container image signatures and attestations.

Prerequisites

You must have cosign and jq installed. For installation instructions, see the cosign and jq documentation.

Verify Container Image Signatures

Run the following to verify your container with cosign:

cosign verify <image-name> --certificate-identity=https://github.com/ActiveState/images/.github/workflows/sign-images.yml@refs/heads/main --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Replace <image-name> with the image reference used in your Dockerfile, for example activestate/python:latest.

If the cosign verify command succeeds, your terminal prints the following, followed by JSON-formatted metadata about the image:

The following checks were performed on each of these signatures:
    - The cosign claims were validated
    - Existence of the claims in the transparency log was verified offline
    - The code-signing certificate was verified using trusted certificate authority certificates

Verify SBOM

To use Cosign to verify a container image’s SBOM, run the following command:

cosign verify-attestation --type=spdxjson <image-name> --certificate-identity=https://github.com/ActiveState/images/.github/workflows/sign-images.yml@refs/heads/main --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Download SBOM

To download the SBOM attestation and print its SPDX predicate, run:

cosign download attestation --predicate-type=https://spdx.dev/Document <image-name> | jq -r .payload | base64 -d | jq .predicate

Verify VEX File

To use Cosign to verify a container image’s VEX file, run the following command:

cosign verify-attestation --type=openvex <image-name> --certificate-identity=https://github.com/ActiveState/images/.github/workflows/sign-images.yml@refs/heads/main --certificate-oidc-issuer=https://token.actions.githubusercontent.com

Download VEX File

To download the VEX attestation and print its OpenVEX predicate, run:

cosign download attestation --predicate-type=https://openvex.dev/ns <image-name> | jq -r .payload | base64 -d | jq .predicate
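The jq pipelines in the Download SBOM and Download VEX File sections print the predicate without checking what it describes. The following added example (not part of the ActiveState documentation or tooling) decodes the DSSE envelope that cosign download attestation emits, checks that the in-toto statement has the expected predicate type, and checks that its subject digest matches the image digest you actually pulled, before handing back the predicate. The envelope, digest, package list and signature value are constructed sample data.

```python
import base64
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v0.1"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample of what `cosign download attestation` prints: a DSSE
# envelope whose payload is a base64-encoded in-toto Statement. The digest,
# SPDX content and signature below are made up for this example.
SAMPLE_STATEMENT = {
    "_type": IN_TOTO_STATEMENT,
    "predicateType": "https://spdx.dev/Document",
    "subject": [{"name": "index.docker.io/activestate/python",
                 "digest": {"sha256": "aa" * 32}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "activestate/python:latest",
        "packages": [{"name": "python", "versionInfo": "3.12.4"},
                     {"name": "openssl", "versionInfo": "3.3.1"}],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "ZmFrZS1zaWduYXR1cmU="}],
})


def extract_predicate(envelope_json: str, predicate_type: str, image_digest: str) -> dict:
    """Decode a DSSE envelope and return its predicate only if the statement has
    the expected predicate type and is about the image digest we pulled.
    `cosign verify-attestation` establishes who signed; this binds the
    downloaded attestation to one specific image digest."""
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != IN_TOTO_STATEMENT:
        raise ValueError(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != predicate_type:
        raise ValueError(f"predicateType {statement.get('predicateType')!r} != {predicate_type!r}")
    # A tag such as :latest can move between pulls; a sha256 digest cannot.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if image_digest.removeprefix("sha256:") not in digests:
        raise ValueError("attestation subject does not match the pulled image digest")
    return statement["predicate"]


def sbom_package_versions(predicate: dict) -> dict:
    """Map SPDX package names to versions, the input a CI policy check would consume."""
    return {p["name"]: p.get("versionInfo", "") for p in predicate.get("packages", [])}


if __name__ == "__main__":
    pred = extract_predicate(SAMPLE_ENVELOPE, "https://spdx.dev/Document", "sha256:" + "aa" * 32)
    print(sbom_package_versions(pred))
```

The same function handles the VEX attestation by passing https://openvex.dev/ns as the predicate type; the image digest comes from docker inspect or the registry manifest, not from the tag.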

To see our full catalog of containers, check out our page on DockerHub.