Attestation & Verification
This page explains how to verify the container’s authenticity and inspect its Software Bill of Materials (SBOM).
Verifying the Container Signature
To cryptographically verify that the container image was signed by our CI/CD pipeline:
cosign verify subnoto/api-proxy:v0.1.0 \
  --certificate-identity https://gitlab.com/subnoto/confidential-monorepo//.gitlab-ci.yml@refs/tags/v0.1.0 \
  --certificate-oidc-issuer https://gitlab.com | jq
This verifies the container image signature and displays the signature payload in JSON format.
Verifying Attestations
To verify the SBOM attestation attached to the container:
cosign verify-attestation subnoto/api-proxy:v0.1.0 \
  --certificate-identity https://gitlab.com/subnoto/confidential-monorepo//.gitlab-ci.yml@refs/tags/v0.1.0 \
  --certificate-oidc-issuer https://gitlab.com \
  --type=spdxjson
Replace v0.1.0 with the specific version tag you want to verify.
Important notes:
- The --certificate-identity must match the exact GitLab CI file path and tag reference
- For different versions, update both the image tag and the certificate identity tag
- Only tagged releases are published to DockerHub
- Verification requires the cosign tool (install from sigstore.dev)
Inspecting the SBOM
To download and inspect the SBOM (Software Bill of Materials) attestation:
cosign download attestation subnoto/api-proxy:latest | \
  jq -r .payload | \
  base64 -d | \
  jq '.predicate | fromjson'
This command:
- Downloads the attestation from the container registry
- Extracts the payload field
- Decodes the base64-encoded content
- Parses the double-encoded predicate JSON
The output will show a complete SPDX SBOM listing all packages and dependencies in the container.
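The following script is an added example, not part of this page or of the subnoto project. It does two things the notes above and the jq pipeline describe: it derives the certificate identity and both cosign argument vectors for any release tag (so the image tag and the identity tag cannot drift apart), and it decodes an attestation envelope exactly the way the pipeline does, including the second JSON decode of the double-encoded predicate. The envelope it decodes is a constructed sample built inside the script, not a real attestation; the image name, repository and issuer are taken from the page. Because cosign download attestation fetches without verifying anything, the decoder only checks the predicate type; trust in the SBOM still comes from the verify-attestation step above.

```python
"""Added example (not the page's or the subnoto project's own code): derive the
cosign arguments for a release tag and decode an SBOM attestation envelope the
way the page's jq pipeline does."""
import base64
import json
import subprocess
import sys

# Values taken from the page.
IMAGE = "subnoto/api-proxy"
CI_REPO = "https://gitlab.com/subnoto/confidential-monorepo"
OIDC_ISSUER = "https://gitlab.com"
# Predicate type cosign records for `--type spdxjson`.
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"


def certificate_identity(tag: str) -> str:
    """Identity the CI pipeline signs with: CI file path plus the tag ref.
    The image tag and this tag must always move together."""
    return f"{CI_REPO}//.gitlab-ci.yml@refs/tags/{tag}"


def cosign_commands(tag: str) -> list:
    """Argument vectors for the two checks the page describes, for one tag."""
    ref = f"{IMAGE}:{tag}"
    common = [
        "--certificate-identity", certificate_identity(tag),
        "--certificate-oidc-issuer", OIDC_ISSUER,
    ]
    return [
        ["cosign", "verify", ref, *common],
        ["cosign", "verify-attestation", ref, *common, "--type=spdxjson"],
    ]


def decode_attestation(envelope_json: str) -> dict:
    """Mirror of `jq -r .payload | base64 -d | jq '.predicate | fromjson'`.

    The DSSE envelope carries a base64 in-toto statement; inside it the SPDX
    predicate is itself a JSON string, hence the second decode.
    """
    envelope = json.loads(envelope_json)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise ValueError(f"unexpected predicateType: {statement.get('predicateType')!r}")
    predicate = statement["predicate"]
    if isinstance(predicate, str):  # double-encoded, as the page notes
        predicate = json.loads(predicate)
    return predicate


def list_packages(sbom: dict) -> list:
    """(name, version) pairs from an SPDX JSON document, sorted by name."""
    return sorted(
        (pkg["name"], pkg.get("versionInfo", "")) for pkg in sbom.get("packages", [])
    )


def make_sample_envelope() -> str:
    """Constructed sample envelope (not a real attestation) shaped like cosign output."""
    sbom = {
        "spdxVersion": "SPDX-2.3",
        "name": "sample-sbom",
        "packages": [
            {"name": "musl", "versionInfo": "1.2.4-r2"},          # constructed
            {"name": "libcrypto3", "versionInfo": "3.1.4-r5"},    # constructed
        ],
    }
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": SPDX_PREDICATE_TYPE,
        "subject": [{"name": IMAGE, "digest": {"sha256": "0" * 64}}],  # placeholder digest
        "predicate": json.dumps(sbom),  # a string, not an object: the double encoding
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": ""}],  # placeholder, never checked here
    })


if __name__ == "__main__":
    tag = next((a for a in sys.argv[1:] if not a.startswith("--")), "v0.1.0")
    for argv in cosign_commands(tag):
        print(" ".join(argv))
    if "--run" in sys.argv:  # actually invoke cosign (needs the tool and network access)
        for argv in cosign_commands(tag):
            subprocess.run(argv, check=True)
    for name, version in list_packages(decode_attestation(make_sample_envelope())):
        print(f"{name} {version}")
```

Run it with a tag (for example `python3 verify_release.py v0.1.0`) to print the two cosign invocations; add `--run` to execute them. Piping the real output of cosign download attestation into decode_attestation gives the same package list the jq pipeline shows.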
Next Steps
Once you’ve verified the container, see the Usage Guide to learn how to run and use the container.