Attest and verify artifacts

In this example, we will attest SBOMs. The workflow is similar for attesting signatures/attestations.

Set image

We can follow the steps from this section to set the image. Let's ensure the IMAGE variable is set.

echo $IMAGE

set-image-variable

Generate SBOM for the image

SBOM section decrypts the below command & its output in great detail. It explains more about SBOMs as well.

trivy i --format cosign-vuln $IMAGE > image.sbom

sbom-trivy-cosign-vuln-format

Attest and push the sbom to OCI registry

We will attest the generated image.sbom as the source of truth, sign it with the private key & push it to the registry.

cosign attest --key cosign.key --predicate image.sbom $IMAGE

cosign-attest-sbom-cli

We can see the attested artifact uploaded to the registry. In this case, it's dockerhub.

cosign-attest-sbom-ui

Verify the sbom of the image from registry

In the future, whenever we want to validate the SBOM of the image, we can verify it with the below command.

cosign verify-attestation --key cosign.pub $IMAGE

cosign-verify-attestation

Extract artifact from the registry

The above command verifies & returns the uploaded artifact data in base64 format. We can decode it to query the artifact (in this case, the SBOM file).

cosign verify-attestation --key cosign.pub $IMAGE | jq -r .payload | base64 -d | jq .

cosign-verify-attestation-decode-payload

Last update: 2023-08-25 05:13:20
Created: 2022-11-19 06:59:59