Verify CloudBees action image signatures and SLSA attestations


CloudBees signs all public action images and generates Supply Chain Levels for Software Artifacts (SLSA) provenance attestations to enable verification of image integrity, authenticity, and build provenance. Verify signatures and attestations to confirm that images originate from CloudBees and meet your supply chain security requirements.

Prerequisites

Before you begin, install Cosign.

Verify an image signature

CloudBees uses an RSA Cosign public key to sign all public action images. Save the public key locally and use it to verify the signature of any CloudBees action image.

To verify an image signature:

  1. Save the CloudBees public key to a file (for example, cloudbees-slsa-key.pub):

    cat > cloudbees-slsa-key.pub <<EOF
    -----BEGIN PUBLIC KEY-----
    MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyVSe3nBo3xW/napuhINE
    JJBPjAPO+1ioaF9mXPASa5lRdts55BYUydKvyM07G5sXkpA8YTCq+8fOXODGpAVT
    3D/ub5clqx0awa3X/PWNZpVXb8gyW2pPkSW+o4rKUE0KzljPoXVaRYVZD7ebcV0F
    2sFYHXYWG5NeDZRS3qzvPxsLg6c0yq3PHLkvv9WPCXqQGnsbCgCMKEYlVoj18/zI
    pwl7WeKwRDGmcFYtXGLEqHaXu/DFjjsWtzCQR/kpDR8KEBmkJz/3hoAUHZLJ9ga9
    jLGxoEke/aEoGbvu0xV5Df/QicaX0Ht7DiY4AfHYWRsQ5079ljxnfsguVfrBIpFA
    j9fbJmcHkoMR+Gai+etS5QflbxHgL9bcpNNM7XJLjuaK0HNzgMoFz433WTCW/o77
    i662A8b6xqPjD+qwYlCaEfGKdVxC+ejm0uP2XyZipIzohc3kJLAj33QGbnNYaKSN
    CNFf7OPlucH5nZncbSWunqpQRgWywmBvBc55OmtRMD6xbFUyr8BjsxnZyXQsCvTL
    9Q1BbmaSbDz43Kb6+xayFE1V6LYb7oMcRat0oQlOmeNa6TkA5ILiznqbLQGgc6ME
    JVMebRCiufnDbccCMBTzbxCQp3K+RpU8ejDxtjmPhTfT7TL24i/qDSMwaiNulPEM
    J0W+m0FPvkwHtsuZ5fVAVSUCAwEAAQ==
    -----END PUBLIC KEY-----
    EOF
  2. Run the Cosign verification command, replacing <image-repository>/<image-name>:<tag-or-sha> with the image you want to verify. The --private-infrastructure flag tells Cosign to skip the transparency log check, so the result depends on the public key you saved in step 1:

    cosign verify --key cloudbees-slsa-key.pub <image-repository>/<image-name>:<tag-or-sha> --private-infrastructure

    On successful verification, the output includes:

    Verification for <image-repository>/<image-name>:<tag-or-sha> --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - The signatures were verified against the specified public key

Verify a SLSA provenance attestation

Use Cosign to verify the SLSA provenance attestation and build metadata for a CloudBees action image. This process can also be used to verify other public CloudBees artifacts, such as the Edge Runner or Smart Test CLI.

If you have not yet saved the public key file, complete step 1 of Verify an image signature before continuing.

To verify a SLSA provenance attestation, run the following command, replacing the image and tag with the image you want to verify:

cosign verify-attestation --key cloudbees-slsa-key.pub <image-repository>/<image-name>:<tag-or-sha> --private-infrastructure --type slsaprovenance1

On successful verification, Cosign outputs the checks performed and a JSON payload containing the provenance data.
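Cosign confirms that the attestation was signed with the key, but it is still up to you to check what the signed provenance says. The following is an added example, not CloudBees code or output: it decodes one DSSE envelope line in the shape `cosign verify-attestation` prints, confirms the predicate is SLSA v1, that the subject digest is the image you verified, and that the builder ID is the one you expect. The builder ID, image name and digest are constructed placeholders, not CloudBees values.

```python
import base64
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO = "application/vnd.in-toto+json"


def check_provenance(envelope_json, image_digest, expected_builder_id):
    """Decode one DSSE envelope line as printed by `cosign verify-attestation`
    and check the SLSA v1 statement it carries against what the caller expects.
    Signature validity is cosign's job; this checks the content it signed."""
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != IN_TOTO:
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    subjects = statement.get("subject", [])
    builder_id = (statement.get("predicate", {})
                  .get("runDetails", {}).get("builder", {}).get("id"))
    return {
        "predicate_type_ok": statement.get("predicateType") == SLSA_V1,
        # the digest you pinned or pulled must be one the attestation covers
        "subject_ok": any(s.get("digest", {}).get("sha256") == image_digest
                          for s in subjects),
        "builder_ok": builder_id == expected_builder_id,
        "builder_id": builder_id,
    }


def sample_envelope(image_digest, builder_id):
    """Constructed sample (not a real CloudBees attestation) in the shape cosign prints."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "public.ecr.aws/example/action",  # placeholder name
                     "digest": {"sha256": image_digest}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {"buildType": "https://example.invalid/build/v1",
                                "externalParameters": {}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO, "payload": payload,
                       "signatures": [{"keyid": "", "sig": "constructed"}]})


if __name__ == "__main__":
    digest = "a" * 64  # placeholder sha256 hex of the image you verified
    builder = "https://example.invalid/cloudbees-builder"  # assumed, not a real ID
    print(check_provenance(sample_envelope(digest, builder), digest, builder))
```

In practice, pipe the stdout of the `cosign verify-attestation` command above into `check_provenance` one line at a time and fail the pipeline if any check is false.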

Troubleshooting

The following covers common issues encountered during image verification.

Public key verification fails

Problem: The public key file may be corrupted or incorrectly formatted.

Solution: Re-save the public key from the source above. Verify the file contains the complete PEM-formatted key, including the header and footer lines. Ensure there are no extra whitespace characters or line break issues in the key file.

Connection timeout or network errors

Problem: Network connectivity issues or firewall restrictions prevent access to verification services.

Solution: Verify network connectivity to public.ecr.aws. Check firewall rules and proxy configurations that may be blocking outbound access.