Verify signature and SLSA attestation for public images


CloudBees signs all public action images and generates Supply Chain Levels for Software Artifacts (SLSA) provenance attestations so that consumers can check image integrity and authenticity. This page describes how to verify the signatures and the SLSA provenance attestations of CloudBees Unify action images.

Image verification provides the following benefits:

  • Confirms that the images originate from CloudBees.

  • Detects tampering or unauthorized modifications.

  • Validates the build provenance (which builder produced the image and from what inputs), which is the basis for supply chain security controls.

  • Meets compliance and security policy requirements.

Prerequisites

Before verifying the action images, install Cosign. The commands on this page use the --private-infrastructure flag, which is available in Cosign 2.x.

Verify signature using public keys

CloudBees signs action images with the private half of a key pair. Use the following PEM-encoded public key (the body between the header and footer lines is base64) to verify the signatures.

    -----BEGIN PUBLIC KEY-----
    MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyVSe3nBo3xW/napuhINE
    JJBPjAPO+1ioaF9mXPASa5lRdts55BYUydKvyM07G5sXkpA8YTCq+8fOXODGpAVT
    3D/ub5clqx0awa3X/PWNZpVXb8gyW2pPkSW+o4rKUE0KzljPoXVaRYVZD7ebcV0F
    2sFYHXYWG5NeDZRS3qzvPxsLg6c0yq3PHLkvv9WPCXqQGnsbCgCMKEYlVoj18/zI
    pwl7WeKwRDGmcFYtXGLEqHaXu/DFjjsWtzCQR/kpDR8KEBmkJz/3hoAUHZLJ9ga9
    jLGxoEke/aEoGbvu0xV5Df/QicaX0Ht7DiY4AfHYWRsQ5079ljxnfsguVfrBIpFA
    j9fbJmcHkoMR+Gai+etS5QflbxHgL9bcpNNM7XJLjuaK0HNzgMoFz433WTCW/o77
    i662A8b6xqPjD+qwYlCaEfGKdVxC+ejm0uP2XyZipIzohc3kJLAj33QGbnNYaKSN
    CNFf7OPlucH5nZncbSWunqpQRgWywmBvBc55OmtRMD6xbFUyr8BjsxnZyXQsCvTL
    9Q1BbmaSbDz43Kb6+xayFE1V6LYb7oMcRat0oQlOmeNa6TkA5ILiznqbLQGgc6ME
    JVMebRCiufnDbccCMBTzbxCQp3K+RpU8ejDxtjmPhTfT7TL24i/qDSMwaiNulPEM
    J0W+m0FPvkwHtsuZ5fVAVSUCAwEAAQ==
    -----END PUBLIC KEY-----

To verify the signature of a CloudBees action image:

  1. Save the public key to a file (for example, cloudbees-slsa-key.pub):

    cat > cloudbees-slsa-key.pub <<EOF
    -----BEGIN PUBLIC KEY-----
    MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyVSe3nBo3xW/napuhINE
    JJBPjAPO+1ioaF9mXPASa5lRdts55BYUydKvyM07G5sXkpA8YTCq+8fOXODGpAVT
    3D/ub5clqx0awa3X/PWNZpVXb8gyW2pPkSW+o4rKUE0KzljPoXVaRYVZD7ebcV0F
    2sFYHXYWG5NeDZRS3qzvPxsLg6c0yq3PHLkvv9WPCXqQGnsbCgCMKEYlVoj18/zI
    pwl7WeKwRDGmcFYtXGLEqHaXu/DFjjsWtzCQR/kpDR8KEBmkJz/3hoAUHZLJ9ga9
    jLGxoEke/aEoGbvu0xV5Df/QicaX0Ht7DiY4AfHYWRsQ5079ljxnfsguVfrBIpFA
    j9fbJmcHkoMR+Gai+etS5QflbxHgL9bcpNNM7XJLjuaK0HNzgMoFz433WTCW/o77
    i662A8b6xqPjD+qwYlCaEfGKdVxC+ejm0uP2XyZipIzohc3kJLAj33QGbnNYaKSN
    CNFf7OPlucH5nZncbSWunqpQRgWywmBvBc55OmtRMD6xbFUyr8BjsxnZyXQsCvTL
    9Q1BbmaSbDz43Kb6+xayFE1V6LYb7oMcRat0oQlOmeNa6TkA5ILiznqbLQGgc6ME
    JVMebRCiufnDbccCMBTzbxCQp3K+RpU8ejDxtjmPhTfT7TL24i/qDSMwaiNulPEM
    J0W+m0FPvkwHtsuZ5fVAVSUCAwEAAQ==
    -----END PUBLIC KEY-----
    EOF
  2. Run the Cosign verification command with the saved public key:

    cosign verify --key cloudbees-slsa-key.pub <container image repository>/<image name>:<image tag> --private-infrastructure

    To verify an image by digest rather than by tag, use the digest form of the reference: <container image repository>/<image name>@sha256:<digest>. Cosign resolves a tag to its current digest before verifying, so a tag-based check only tells you what the tag pointed at when you ran it; pin the verified digest in your deployment so that the image you verified is the image that runs.

    The --private-infrastructure flag skips the Rekor transparency log lookup, so the verification rests entirely on the public key. Keep the key file under version control and compare it against the key published on this page.

    Example output on successful verification:

    Verification for <container image repository>/<image name>:<image tag> --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - The signatures were verified against the specified public key

Verify SLSA provenance attestation

Use Cosign to verify the provenance attestation and build metadata for CloudBees action images.

If you haven’t saved the public key, create the cloudbees-slsa-key.pub file as described in Verify signature using public keys.

Run the following Cosign verify-attestation command. Replace public.ecr.aws/cloudbees/actions/bamboo-actions:main-3c71c4bf17943fdfdf75b26bf632799d26758682 with the image and tag (or @sha256 digest) whose SLSA attestation you want to verify. The --type slsaprovenance1 option selects attestations whose predicate type is https://slsa.dev/provenance/v1. The same procedure verifies other public CloudBees artifacts, such as the Edge Runner or the Smart Test CLI, not only public action images.

    cosign verify-attestation --key cloudbees-slsa-key.pub \
      public.ecr.aws/cloudbees/actions/bamboo-actions:main-3c71c4bf17943fdfdf75b26bf632799d26758682 \
      --private-infrastructure --type slsaprovenance1

Example output on successful verification. The verification summary is followed by the signed DSSE envelope; the payload and signature values are abbreviated here:

    Verification for public.ecr.aws/cloudbees/actions/bamboo-actions:main-3c71c4bf17943fdfdf75b26bf632799d26758682 --
    The following checks were performed on each of these signatures:
      - The cosign claims were validated
      - The signatures were verified against the specified public key
    {"payloadType":"application/vnd.in-toto+json","payload":"...","signatures":[{"keyid":"","sig":"..."}]}

The payload is the base64-encoded in-toto statement that carries the provenance (subject digest, builder, build type and build parameters). Cosign has verified the signature over that statement and that the statement's subject matches the image digest; it does not check who the builder was or what inputs were used, so decode the payload and check those fields yourself, or pass a policy file to Cosign, before trusting the image.
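The following is an added example (stdlib Python; not CloudBees or Cosign code) of the checks Cosign leaves to you once it has verified the envelope's signature: it decodes a DSSE envelope of the shape shown above, confirms the statement is SLSA provenance v1, confirms its subject covers the image digest you are about to run, and confirms the builder identity. The sample envelope, the builder id https://builder.example/slsa/v1, the build type and the digests are constructed placeholders, not values taken from CloudBees attestations; the function names check_provenance and provenance_ok are chosen here.

```python
"""Apply content checks to a DSSE envelope printed by `cosign verify-attestation`.

Added example, stdlib only; not CloudBees or Cosign code. Cosign has already verified
the envelope signature and the subject/image-digest match; this script re-checks the
subject and adds the builder-identity check that Cosign does not perform on its own.
The sample envelope below is constructed with placeholder values.
"""
import base64
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def check_provenance(envelope_json: str, image_digest: str, expected_builder_id: str) -> dict:
    """Decode the envelope payload and return the provenance facts that passed the checks.

    Raises ValueError on the first failed check so a pipeline gate fails closed.
    """
    env = json.loads(envelope_json)
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SLSA_V1:
        raise ValueError(f"not SLSA provenance v1: {stmt.get('predicateType')!r}")
    # in-toto subjects carry bare hex digests; strip the "sha256:" prefix of an OCI digest.
    want = image_digest.removeprefix("sha256:")
    subjects = [s for s in stmt.get("subject", []) if s.get("digest", {}).get("sha256") == want]
    if not subjects:
        raise ValueError("attestation subject does not cover image digest " + want)
    pred = stmt.get("predicate", {})
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != expected_builder_id:
        raise ValueError(f"unexpected builder {builder_id!r}")
    build_def = pred.get("buildDefinition", {})
    return {
        "subject_names": [s.get("name") for s in subjects],
        "builder_id": builder_id,
        "build_type": build_def.get("buildType"),
        "external_parameters": build_def.get("externalParameters", {}),
    }


def provenance_ok(envelope_json: str, image_digest: str, expected_builder_id: str) -> bool:
    """Boolean form of check_provenance for use as a gate step."""
    try:
        check_provenance(envelope_json, image_digest, expected_builder_id)
        return True
    except (ValueError, KeyError):  # malformed JSON/base64 also surfaces as ValueError
        return False


# --- constructed sample: in-toto Statement v1 + SLSA v1 shape, placeholder values ---
SAMPLE_DIGEST = "sha256:" + "ab" * 32                   # hypothetical image digest
SAMPLE_BUILDER = "https://builder.example/slsa/v1"      # hypothetical builder id
_statement = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "public.ecr.aws/cloudbees/actions/bamboo-actions",
                 "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://builder.example/build-types/container/v1",  # hypothetical
            "externalParameters": {"source": {"uri": "git+https://github.com/example/repo"}},
        },
        "runDetails": {"builder": {"id": SAMPLE_BUILDER}},
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "c2lnLXBsYWNlaG9sZGVy"}],  # placeholder, not a real signature
})

if __name__ == "__main__":
    print(json.dumps(check_provenance(SAMPLE_ENVELOPE, SAMPLE_DIGEST, SAMPLE_BUILDER), indent=2))
```

Feed it the envelope JSON from stdout of the verify-attestation command and the digest you resolved for the image; with a mismatched digest or an unexpected builder it raises, which is the behaviour you want in a deployment gate.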

Troubleshoot

The following are common issues in the signature verification process:

Public key verification fails

Problem: The public key file is corrupted or incorrectly formatted, so Cosign cannot load it.

Solution: Perform the following steps to resolve the public key issue:

  • Copy the public key again from this page and save it to a fresh file.

  • Verify that the file contains the complete PEM-formatted key, with the BEGIN PUBLIC KEY header and the END PUBLIC KEY footer each on its own line.

  • Ensure there is no extra whitespace in the base64 body and that the key was not flattened onto a single line when it was copied.
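One way to run the checks above in a script, and to repair a key that was flattened onto one line when copied from a web page, as an added example (stdlib Python; not CloudBees or Cosign code) that also covers step 1 of the signature procedure: it rebuilds the PEM with 64-character lines, parses the DER SubjectPublicKeyInfo, confirms the key is an rsaEncryption key with the expected modulus size and exponent, and computes a SHA-256 fingerprint of the DER encoding that you can compare across machines. The embedded key is the one published on this page; the function names normalize_pem, inspect_rsa_spki and is_valid_pem are chosen here.

```python
"""Pre-flight check for a saved Cosign public key file.

Added example, stdlib only; not CloudBees or Cosign code. Rebuilds a PEM block
(accepting a flattened copy), walks the DER SubjectPublicKeyInfo and reports the RSA
parameters plus a SHA-256 fingerprint of the DER bytes.
"""
import base64
import hashlib
import re

# Public key copied from this page (RSA; the modulus below is 4096 bits).
CLOUDBEES_SLSA_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyVSe3nBo3xW/napuhINE
JJBPjAPO+1ioaF9mXPASa5lRdts55BYUydKvyM07G5sXkpA8YTCq+8fOXODGpAVT
3D/ub5clqx0awa3X/PWNZpVXb8gyW2pPkSW+o4rKUE0KzljPoXVaRYVZD7ebcV0F
2sFYHXYWG5NeDZRS3qzvPxsLg6c0yq3PHLkvv9WPCXqQGnsbCgCMKEYlVoj18/zI
pwl7WeKwRDGmcFYtXGLEqHaXu/DFjjsWtzCQR/kpDR8KEBmkJz/3hoAUHZLJ9ga9
jLGxoEke/aEoGbvu0xV5Df/QicaX0Ht7DiY4AfHYWRsQ5079ljxnfsguVfrBIpFA
j9fbJmcHkoMR+Gai+etS5QflbxHgL9bcpNNM7XJLjuaK0HNzgMoFz433WTCW/o77
i662A8b6xqPjD+qwYlCaEfGKdVxC+ejm0uP2XyZipIzohc3kJLAj33QGbnNYaKSN
CNFf7OPlucH5nZncbSWunqpQRgWywmBvBc55OmtRMD6xbFUyr8BjsxnZyXQsCvTL
9Q1BbmaSbDz43Kb6+xayFE1V6LYb7oMcRat0oQlOmeNa6TkA5ILiznqbLQGgc6ME
JVMebRCiufnDbccCMBTzbxCQp3K+RpU8ejDxtjmPhTfT7TL24i/qDSMwaiNulPEM
J0W+m0FPvkwHtsuZ5fVAVSUCAwEAAQ==
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
_PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)


def normalize_pem(text: str) -> str:
    """Rebuild a PEM block with 64-character base64 lines.

    Tolerates a key flattened onto one line and stray whitespace; rejects a missing
    header/footer or a body that is not base64 (the usual 'verification fails' causes).
    """
    m = _PEM_RE.search(text)
    if not m:
        raise ValueError("missing PEM header or footer")
    body = re.sub(r"\s+", "", m.group(1))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) or len(body) % 4:
        raise ValueError("PEM body is not valid base64")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def is_valid_pem(text: str) -> bool:
    """True when normalize_pem accepts the text."""
    try:
        normalize_pem(text)
        return True
    except ValueError:
        return False


def _der_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_rsa_spki(pem_text: str) -> dict:
    """Walk SubjectPublicKeyInfo -> BIT STRING -> RSAPublicKey and return its parameters."""
    pem = normalize_pem(pem_text)
    der = base64.b64decode("".join(pem.splitlines()[1:-1]), validate=True)
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE (SubjectPublicKeyInfo)")
    tag, alg_id, pos = _der_tlv(spki, 0)           # AlgorithmIdentifier
    tag, oid, _ = _der_tlv(alg_id, 0)
    if tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_tlv(spki, pos)           # BIT STRING; first byte = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _der_tlv(bitstr[1:], 0)        # RSAPublicKey SEQUENCE
    tag_n, n_bytes, pos = _der_tlv(rsa_key, 0)
    tag_e, e_bytes, _ = _der_tlv(rsa_key, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey must hold two INTEGERs")
    return {
        "algorithm": "rsaEncryption",
        "modulus_bits": int.from_bytes(n_bytes, "big").bit_length(),
        "public_exponent": int.from_bytes(e_bytes, "big"),
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    print(inspect_rsa_spki(CLOUDBEES_SLSA_KEY_PEM))
```

Cosign rejects a malformed key file with a parse error of its own, so this check mainly saves a debugging round in CI, where the failure would otherwise surface only when verification runs; the fingerprint is what you record next to the key so that a later change to the file is noticed.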

Connection timeout or network errors

Problem: Network connectivity issues or firewall restrictions prevent Cosign from reaching the container registry. With --private-infrastructure, Cosign does not contact the Rekor transparency log; the signature and the attestation are stored in the registry, so public.ecr.aws is the only endpoint the verification needs to reach.

Solution: Perform the following steps to resolve connection or network issues:

  • Verify network connectivity to public.ecr.aws for image, signature and attestation pulls.

  • Check firewall rules and proxy configurations.