Minimus signs its images with the Sigstore toolkit so that end users can verify where an image came from and which pipeline built it. Cosign is the Sigstore tool for signing and verifying container images. If you’re new to Sigstore, take a minute to learn the basics.

Prerequisites

Before you can begin, you’ll need to install the following:

  • Cosign - needed to verify and download image signatures and attestations
  • jq - a JSON processor used to pretty-print the verification output and to decode the attestations

Verify image

Use Cosign to verify the signature of a Minimus image by running the commands below.

# first authenticate to the minimus registry
docker login reg.mini.dev -u minimus
Password: {minimus-token}

# verify an image
cosign verify \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity=https://github.com/minimusio/images/.github/workflows/build.yaml@refs/heads/main \
    reg.mini.dev/{image:tag} | jq

The command checks that reg.mini.dev/{image} carries a signature whose certificate was issued to the expected identity (the GitHub Actions build workflow in minimusio/images) by the expected OIDC issuer, and that the signing event is recorded in the Sigstore transparency log. If the verification is successful, you will receive a JSON array with one entry per valid signature, including the manifest digest that was signed; if it fails, Cosign exits non-zero and prints the reason to stderr.

Explanation:

  • cosign verify instructs Cosign to verify the cryptographic signature of the specified container image.
  • --certificate-oidc-issuer=https://token.actions.githubusercontent.com pins the OIDC issuer that authenticated the signer. GitHub Actions workflows obtain their identity tokens from this issuer, as in our case.
  • --certificate-identity=https://github.com/minimusio/images/.github/workflows/build.yaml@refs/heads/main defines the expected identity of the signer.
    • Ensures the image was signed by a GitHub Actions workflow running from the Minimus images repository (minimusio/images), specifically from the build.yaml workflow on the main branch. The match is exact: a signature produced by another repository, another workflow file, or another ref (for example a pull request branch) is rejected.
  • | jq formats the output in a human-readable JSON structure using the JQ JSON processor.
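Once Cosign has accepted the signature, the remaining risk is using a different image than the one that was verified (the tag can be moved between verification and `docker run`). The following Python script is an added example, not Minimus's or Sigstore's own code: it reads the JSON array that `cosign verify` prints, re-checks the certificate Issuer and Subject against the expected values in one place, requires all returned signatures to agree on a single manifest digest, and rewrites the mutable tag to an immutable `repo@sha256:...` reference. The `SAMPLE` output, image name and digest are constructed placeholders, not real Minimus data.

```python
"""Post-process the JSON that `cosign verify` prints, and pin the image by digest.

Added example, not Minimus's or Sigstore's own code. `cosign verify` already
rejects signatures whose certificate does not match the flags; this script
reads its stdout (the array `| jq` pretty-prints) and turns a successful
verification into something you can act on:
  1. re-checks the certificate Issuer/Subject against the policy in one place
     (useful when the verify call uses a broad --certificate-identity-regexp),
  2. requires all returned signatures to agree on one manifest digest,
  3. rewrites the mutable tag to an immutable `repo@sha256:...` reference so
     the image you run is exactly the one that was verified.
SAMPLE is constructed for this example: the digest and image name are
placeholders, not real Minimus data.
"""
import json
import sys

EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_IDENTITY = (
    "https://github.com/minimusio/images/.github/workflows/build.yaml"
    "@refs/heads/main"
)

# Constructed stand-in for `cosign verify ... reg.mini.dev/example:latest`.
SAMPLE = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "reg.mini.dev/example:latest"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        "optional": {
            "Issuer": EXPECTED_ISSUER,
            "Subject": EXPECTED_IDENTITY,
            "githubWorkflowRepository": "minimusio/images",
        },
    }
])


class VerifyOutputError(Exception):
    """The verify output does not satisfy the local policy."""


def _repository(ref: str) -> str:
    """Strip tag and digest from an image reference, keeping registry ports."""
    ref = ref.split("@", 1)[0]
    name, sep, tail = ref.rpartition(":")
    # A ':' separates a tag only if no '/' follows it; otherwise it is a port.
    return name if sep and "/" not in tail else ref


def pinned_reference(verify_json: str, issuer: str, identity: str) -> str:
    """Return `repo@digest` for the verified image, or raise VerifyOutputError."""
    sigs = json.loads(verify_json)
    if not isinstance(sigs, list) or not sigs:
        raise VerifyOutputError("cosign verify returned no signatures")
    digests, repos = set(), set()
    for sig in sigs:
        opt = sig.get("optional") or {}
        if opt.get("Issuer") != issuer:
            raise VerifyOutputError(f"unexpected OIDC issuer {opt.get('Issuer')!r}")
        if opt.get("Subject") != identity:
            raise VerifyOutputError(f"unexpected signer identity {opt.get('Subject')!r}")
        crit = sig["critical"]
        digests.add(crit["image"]["docker-manifest-digest"])
        repos.add(_repository(crit["identity"]["docker-reference"]))
    if len(digests) != 1 or len(repos) != 1:
        raise VerifyOutputError(f"signatures disagree: {digests} {repos}")
    return f"{repos.pop()}@{digests.pop()}"


def is_trusted(verify_json: str, issuer: str, identity: str) -> bool:
    """Boolean form of pinned_reference for use in scripts."""
    try:
        pinned_reference(verify_json, issuer, identity)
        return True
    except (VerifyOutputError, KeyError, ValueError):
        return False


if __name__ == "__main__":
    # Usage: cosign verify ... reg.mini.dev/{image:tag} | python3 pin.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(pinned_reference(data, EXPECTED_ISSUER, EXPECTED_IDENTITY))
```

Feed the printed `repo@sha256:...` reference to `docker run` or your manifests instead of the tag; the digest is what the signature covers, the tag is not.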

Verify image SBOM

Use the cosign verify-attestation command to verify the image SBOM. The SBOM is created and signed during the image build workflow and is stored along with the image in the registry.

You will need to specify the architecture-specific image digest: the SBOM attestation is attached to each per-platform manifest, not to the multi-arch index, so the tag alone is not enough here.

cosign verify-attestation \
    --type https://spdx.dev/Document \
    --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
    --certificate-identity=https://github.com/minimusio/images/.github/workflows/build.yaml@refs/heads/main \
    reg.mini.dev/{image}@{digest}

To learn more about the flags used in this command, see the Cosign documentation for verify-attestation on GitHub.

Download image SBOM

Use the cosign download attestation command to print the SBOM attestation directly to the terminal. Note that this command only fetches the attestation from the registry; it does not check its signature, so verify it with cosign verify-attestation first, or treat the downloaded contents as untrusted.

You will need to specify the image architecture, for example linux/amd64.

cosign download attestation \
    --platform linux/amd64 \
    --predicate-type=https://spdx.dev/Document \
    reg.mini.dev/{minimus token}/{image:tag} | \
    jq '.payload | @base64d | fromjson | .predicate'

To learn more about the flags used in this command, see the Cosign documentation for download attestation on GitHub.
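The jq filter above decodes the DSSE envelope, but it does not confirm that the statement is actually an SPDX SBOM or that it describes the image you pulled. The following Python script is an added example, not Minimus's or Sigstore's own code, that does the same decoding for the envelopes printed by either cosign verify-attestation or cosign download attestation, then checks the predicateType and binds the in-toto subject digest to the image digest before summarising the packages. The `SAMPLE_ENVELOPE` is constructed for this example (a hand-written statement with placeholder signature bytes); a real Minimus SBOM contains far more packages and fields.

```python
"""Decode a `cosign download attestation` (or `verify-attestation`) envelope and
bind the SPDX SBOM to the image digest you actually pulled.

Added example, not Minimus's or Sigstore's own code. It does in Python what the
page's jq filter does (`.payload | @base64d | fromjson | .predicate`) and adds
two checks that are easy to forget: the in-toto statement's predicateType must
be SPDX, and one of its subjects must carry the digest of the image you intend
to run. `cosign download attestation` does not check signatures, so feed this
script the output of `cosign verify-attestation`, or treat a downloaded envelope
as untrusted input. SAMPLE_ENVELOPE is constructed for this example (hand-written
statement, placeholder signature bytes); a real Minimus SBOM is far larger.
"""
import base64
import json
import sys

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"

# Constructed in-toto statement standing in for a real SBOM attestation.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": SPDX_PREDICATE_TYPE,
    "subject": [{"name": "reg.mini.dev/example", "digest": {"sha256": "cd" * 32}}],
    "predicate": {
        "spdxVersion": "SPDX-2.3",
        "name": "reg.mini.dev/example",
        "packages": [
            {"name": "openssl", "versionInfo": "3.3.1", "licenseConcluded": "Apache-2.0"},
            {"name": "busybox", "versionInfo": "1.36.1", "licenseConcluded": "GPL-2.0-only"},
            {"name": "ca-certificates", "versionInfo": "20240203"},
        ],
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": IN_TOTO_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": base64.b64encode(b"placeholder").decode()}],
})


class AttestationError(Exception):
    """The envelope is not an SPDX attestation for the expected image."""


def decode_statement(envelope_json: str) -> dict:
    """Return the in-toto statement carried in one DSSE envelope."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise AttestationError(f"unexpected payloadType {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def spdx_predicate(envelope_json: str, image_digest: str) -> dict:
    """Return the SPDX document after binding the statement to image_digest."""
    stmt = decode_statement(envelope_json)
    if stmt.get("predicateType") != SPDX_PREDICATE_TYPE:
        raise AttestationError(f"not an SPDX attestation: {stmt.get('predicateType')!r}")
    want = image_digest.removeprefix("sha256:")  # in-toto digests are bare hex
    subjects = stmt.get("subject") or []
    if not any(s.get("digest", {}).get("sha256") == want for s in subjects):
        raise AttestationError("attestation subject does not match the image digest")
    return stmt["predicate"]


def matches_image(envelope_json: str, image_digest: str) -> bool:
    """True only if the envelope is a valid SPDX statement for image_digest."""
    try:
        spdx_predicate(envelope_json, image_digest)
        return True
    except (AttestationError, KeyError, ValueError):
        return False


def package_summary(predicate: dict) -> list[tuple[str, str, str]]:
    """(name, version, license) per SPDX package, sorted by name."""
    return sorted(
        (p.get("name", ""), p.get("versionInfo", ""), p.get("licenseConcluded", "NOASSERTION"))
        for p in predicate.get("packages", [])
    )


if __name__ == "__main__":
    # Usage: cosign verify-attestation ... reg.mini.dev/{image}@{digest} \
    #          | python3 sbom.py sha256:<digest>
    # cosign prints one envelope per line, so handle each line separately.
    data = SAMPLE_ENVELOPE if sys.stdin.isatty() else sys.stdin.read()
    digest = sys.argv[1] if len(sys.argv) > 1 else "sha256:" + "cd" * 32
    for line in filter(str.strip, data.splitlines()):
        for name, version, lic in package_summary(spdx_predicate(line, digest)):
            print(f"{name:<20} {version:<12} {lic}")
```

Pass the same digest you used in the verify-attestation command (or the one returned by cosign verify); an SBOM whose subject does not match that digest describes some other build and should not be used for vulnerability or licence decisions about this image.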

SPDX format

When you download the signed SBOM from Minimus, it is delivered in the SPDX format. SPDX, short for Software Package Data Exchange, is one of the two widely used SBOM formats (the other being CycloneDX). It is an open standard for communicating SBOM information, developed by the Linux Foundation and published as ISO/IEC 5962:2021.

Learn more about the SPDX spec