CloudBees signs all public action images and generates Supply Chain Levels for Software Artifacts (SLSA) provenance attestations to enable verification of image integrity, authenticity, and build provenance. Verify signatures and attestations to confirm that images originate from CloudBees and meet your supply chain security requirements.
Prerequisites
Before you begin, install Cosign.
Verify an image signature
CloudBees signs all public action images with an RSA key pair and publishes the corresponding Cosign public key below. Save the public key locally and use it to verify the signature of any CloudBees action image.
To verify an image signature:
1. Save the CloudBees public key to a file (for example, cloudbees-slsa-key.pub):

cat > cloudbees-slsa-key.pub <<EOF
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyVSe3nBo3xW/napuhINE
JJBPjAPO+1ioaF9mXPASa5lRdts55BYUydKvyM07G5sXkpA8YTCq+8fOXODGpAVT
3D/ub5clqx0awa3X/PWNZpVXb8gyW2pPkSW+o4rKUE0KzljPoXVaRYVZD7ebcV0F
2sFYHXYWG5NeDZRS3qzvPxsLg6c0yq3PHLkvv9WPCXqQGnsbCgCMKEYlVoj18/zI
pwl7WeKwRDGmcFYtXGLEqHaXu/DFjjsWtzCQR/kpDR8KEBmkJz/3hoAUHZLJ9ga9
jLGxoEke/aEoGbvu0xV5Df/QicaX0Ht7DiY4AfHYWRsQ5079ljxnfsguVfrBIpFA
j9fbJmcHkoMR+Gai+etS5QflbxHgL9bcpNNM7XJLjuaK0HNzgMoFz433WTCW/o77
i662A8b6xqPjD+qwYlCaEfGKdVxC+ejm0uP2XyZipIzohc3kJLAj33QGbnNYaKSN
CNFf7OPlucH5nZncbSWunqpQRgWywmBvBc55OmtRMD6xbFUyr8BjsxnZyXQsCvTL
9Q1BbmaSbDz43Kb6+xayFE1V6LYb7oMcRat0oQlOmeNa6TkA5ILiznqbLQGgc6ME
JVMebRCiufnDbccCMBTzbxCQp3K+RpU8ejDxtjmPhTfT7TL24i/qDSMwaiNulPEM
J0W+m0FPvkwHtsuZ5fVAVSUCAwEAAQ==
-----END PUBLIC KEY-----
EOF
2. Run the Cosign verification command, replacing <image-repository>/<image-name>:<tag-or-sha> with the image you want to verify:

cosign verify --key cloudbees-slsa-key.pub <image-repository>/<image-name>:<tag-or-sha> --private-infrastructure

On successful verification, the output includes:

Verification for <image-repository>/<image-name>:<tag-or-sha> --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
Verify a SLSA provenance attestation
Use Cosign to verify the SLSA provenance attestation and build metadata for a CloudBees action image. This process can also be used to verify other public CloudBees artifacts, such as the Edge Runner or Smart Test CLI.
Note: If you have not yet saved the public key file, complete step 1 of Verify an image signature before continuing.
To verify a SLSA provenance attestation, run the following command, replacing the image and tag with the image you want to verify:

cosign verify-attestation --key cloudbees-slsa-key.pub <image-repository>/<image-name>:<tag-or-sha> --private-infrastructure --type slsaprovenance1
On successful verification, Cosign outputs the checks performed and a JSON payload containing the provenance data.
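The JSON that cosign prints is not the provenance itself but a DSSE envelope per attestation, with the in-toto statement base64-encoded in its "payload" field. The following added example (written for this page; it is not CloudBees' or Sigstore's code) decodes those envelopes, confirms the statement is SLSA v1 provenance for the image digest you expect, and pulls out the builder id and build type for your records. It assumes cosign's usual behaviour of writing the verification summary to stderr and one envelope per line to stdout; the sample envelope, its digest and its builder/buildType URLs are constructed placeholders, not values from a real CloudBees attestation.

```python
import base64
import json
import shutil
import subprocess
import sys

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"


def run_verify_attestation(image: str, key_path: str = "cloudbees-slsa-key.pub") -> str:
    """Run the verify-attestation command from this page and return cosign's stdout.
    Assumes cosign is on PATH; stdout carries the DSSE envelopes, stderr the summary text."""
    if shutil.which("cosign") is None:
        raise RuntimeError("cosign is not installed; see Prerequisites")
    cmd = ["cosign", "verify-attestation", "--key", key_path, image,
           "--private-infrastructure", "--type", "slsaprovenance1"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_envelopes(stdout: str) -> list:
    """Decode each DSSE envelope line into its in-toto statement (a dict)."""
    statements = []
    for line in stdout.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def summarize_provenance(statement: dict, expected_digest: str) -> dict:
    """Check that the statement is SLSA v1 provenance whose subject is the image digest
    we actually pulled, then return the build metadata worth recording."""
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        raise ValueError(f"not SLSA v1 provenance: {statement.get('predicateType')!r}")
    digests = {f"sha256:{s['digest']['sha256']}" for s in statement.get("subject", [])
               if "sha256" in s.get("digest", {})}
    if expected_digest not in digests:
        raise ValueError(f"attestation subjects {sorted(digests)} do not include {expected_digest}")
    pred = statement["predicate"]
    return {
        "builder_id": pred["runDetails"]["builder"]["id"],
        "build_type": pred["buildDefinition"]["buildType"],
        "subjects": sorted(digests),
    }


# Constructed sample: the shape cosign prints, with placeholder digest and URLs.
SAMPLE_DIGEST = "sha256:" + "ab" * 32          # placeholder, not a real image digest
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example.invalid/cloudbees/example-action", "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/build-type/v1"},  # placeholder
        "runDetails": {"builder": {"id": "https://example.invalid/builder"}},        # placeholder
    },
}
SAMPLE_OUTPUT = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "c2lnLXBsYWNlaG9sZGVy"}],  # cosign has already verified this
}) + "\n"


if __name__ == "__main__":
    # usage: python3 check_provenance.py <image> <expected sha256:... digest>
    if len(sys.argv) == 3:
        stdout = run_verify_attestation(sys.argv[1])
        expected = sys.argv[2]
    else:
        stdout, expected = SAMPLE_OUTPUT, SAMPLE_DIGEST
    for stmt in parse_envelopes(stdout):
        print(json.dumps(summarize_provenance(stmt, expected), indent=2))
```

Pass the digest you resolved when pulling the image (not a tag) as the expected digest, so a tag that has been moved cannot satisfy the check. Note that --private-infrastructure tells cosign to skip transparency-log verification, so the public key file and the digest comparison are the whole trust decision; keep that key file's integrity under your own control.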
Troubleshooting
The following covers common issues encountered during image verification.
Public key verification fails
Problem: The public key file may be corrupted or incorrectly formatted.
Solution: Re-save the public key from the source above. Verify the file contains the complete PEM-formatted key, including the header and footer lines. Ensure there are no extra whitespace characters or line break issues in the key file.
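The checks this troubleshooting entry describes for step 1's key file can be automated before cosign is ever invoked. The following added example (written for this page; not CloudBees' or Sigstore's code) verifies that a saved file has the complete PEM header and footer, no stray whitespace or CR characters, base64 lines of at most 64 characters that decode cleanly, and a DER SubjectPublicKeyInfo whose algorithm is rsaEncryption, then reports the modulus size. The embedded PEM is the CloudBees public key exactly as published on this page; the function names and the minimal DER walk are this example's own.

```python
import base64
import re
import sys

PEM_HEADER = "-----BEGIN PUBLIC KEY-----"
PEM_FOOTER = "-----END PUBLIC KEY-----"
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, DER contents

# CloudBees SLSA public key as published on this page (contents of cloudbees-slsa-key.pub).
CLOUDBEES_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyVSe3nBo3xW/napuhINE
JJBPjAPO+1ioaF9mXPASa5lRdts55BYUydKvyM07G5sXkpA8YTCq+8fOXODGpAVT
3D/ub5clqx0awa3X/PWNZpVXb8gyW2pPkSW+o4rKUE0KzljPoXVaRYVZD7ebcV0F
2sFYHXYWG5NeDZRS3qzvPxsLg6c0yq3PHLkvv9WPCXqQGnsbCgCMKEYlVoj18/zI
pwl7WeKwRDGmcFYtXGLEqHaXu/DFjjsWtzCQR/kpDR8KEBmkJz/3hoAUHZLJ9ga9
jLGxoEke/aEoGbvu0xV5Df/QicaX0Ht7DiY4AfHYWRsQ5079ljxnfsguVfrBIpFA
j9fbJmcHkoMR+Gai+etS5QflbxHgL9bcpNNM7XJLjuaK0HNzgMoFz433WTCW/o77
i662A8b6xqPjD+qwYlCaEfGKdVxC+ejm0uP2XyZipIzohc3kJLAj33QGbnNYaKSN
CNFf7OPlucH5nZncbSWunqpQRgWywmBvBc55OmtRMD6xbFUyr8BjsxnZyXQsCvTL
9Q1BbmaSbDz43Kb6+xayFE1V6LYb7oMcRat0oQlOmeNa6TkA5ILiznqbLQGgc6ME
JVMebRCiufnDbccCMBTzbxCQp3K+RpU8ejDxtjmPhTfT7TL24i/qDSMwaiNulPEM
J0W+m0FPvkwHtsuZ5fVAVSUCAwEAAQ==
-----END PUBLIC KEY-----
"""


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _rsa_modulus_bits(der: bytes):
    """Walk SubjectPublicKeyInfo; return the modulus bit length for RSA keys, else None."""
    tag, spki, _ = _read_tlv(der, 0)       # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("decoded key is not a DER SEQUENCE")
    _, alg, pos = _read_tlv(spki, 0)       #   AlgorithmIdentifier ::= SEQUENCE
    _, oid, _ = _read_tlv(alg, 0)          #     algorithm OBJECT IDENTIFIER
    if oid != RSA_ENCRYPTION_OID:
        return None
    _, bitstr, _ = _read_tlv(spki, pos)    #   subjectPublicKey BIT STRING
    _, rsakey, _ = _read_tlv(bitstr, 1)    #     RSAPublicKey ::= SEQUENCE (after unused-bits byte)
    _, modulus, _ = _read_tlv(rsakey, 0)   #       modulus INTEGER
    return int.from_bytes(modulus, "big").bit_length()


def check_pem_public_key(text: str) -> list:
    """Return the problems found in a PEM public key file; an empty list means it looks usable."""
    problems = []
    raw_lines = text.split("\n")
    if raw_lines and raw_lines[-1] == "":  # a final newline is fine
        raw_lines.pop()
    if any(line != line.strip() for line in raw_lines):
        problems.append("stray whitespace or CR characters on one or more lines")
    lines = [line.strip() for line in raw_lines if line.strip()]
    if not lines or lines[0] != PEM_HEADER:
        problems.append(f"file does not start with {PEM_HEADER}")
    if len(lines) < 2 or lines[-1] != PEM_FOOTER:
        problems.append(f"file does not end with {PEM_FOOTER}")
    body = lines[1:-1]
    if not body:
        problems.append("no base64 body between header and footer")
        return problems
    for n, line in enumerate(body, start=2):
        if len(line) > 64 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line):
            problems.append(f"line {n} is not a valid PEM base64 line")
    try:
        bits = _rsa_modulus_bits(base64.b64decode("".join(body), validate=True))
    except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError
        problems.append(f"key body does not decode to a DER public key: {exc}")
        return problems
    if bits is None:
        problems.append("key algorithm is not rsaEncryption")
    return problems


def describe_public_key(text: str) -> dict:
    """Run the checks and, if they all pass, report the key algorithm and modulus size."""
    problems = check_pem_public_key(text)
    if problems:
        raise ValueError("; ".join(problems))
    body = [line.strip() for line in text.strip().split("\n")][1:-1]
    return {"algorithm": "RSA", "modulus_bits": _rsa_modulus_bits(base64.b64decode("".join(body)))}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "cloudbees-slsa-key.pub"
    with open(path, encoding="utf-8") as fh:
        saved = fh.read()
    print(describe_public_key(saved))
    if saved.strip() != CLOUDBEES_KEY_PEM.strip():
        print("warning: file content differs from the key published on this page")
```

Run it against the file you saved in step 1; a non-empty problem list points at exactly the whitespace, line-break or header/footer damage the entry above describes, and the final comparison catches a key that is well-formed but not the published one.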