Skip to main content
Minimus uses the Sigstore toolkit to sign its images to allow end-users to verify image provenance. Cosign is the Sigstore tool for signing and verifying container images. If you’re new to Sigstore, take a minute to learn the basics.

Prerequisites

Before you can begin, you’ll need to install the following:
  • Cosign - needed to verify and download image signatures and attestations
  • jq - a JSON processor needed to format the attestations

Verify image

Use Cosign to verify the signature of a Minimus image by running one of the below commands. 
# first authenticate to the minimus registry
docker login reg.mini.dev -u minimus
# Password: {minimus-token}

# verify an image
cosign verify \
    --certificate-oidc-issuer=https://accounts.google.com \
    --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com \
    reg.mini.dev/{image}:{tag} | jq
The command validates that the container image is cryptographically signed by a trusted Google service account with a certificate issued by Google’s OIDC provider. If the verification is successful, you will receive a JSON with information about the signature. Explanation:
  • cosign verify instructs Cosign to verify the cryptographic signature of the specified container image.
  • --certificate-oidc-issuer=https://accounts.google.com is used for images signed by a Google Cloud service account.
  • --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.comdefines the Minimus build process as the expected identity.
  • | jq formats the output in a human-readable JSON structure using the JQ JSON processor.

Verify image SBOM

Use the cosign verify-attestation command to verify the image SBOM. The SBOM is created and signed during the image build workflow and is stored along with the image in the registry. You will need to specify the architecture-specific image digest. 
cosign verify-attestation \
    --type https://spdx.dev/Document \
    --certificate-oidc-issuer=https://accounts.google.com \
    --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com \
    reg.mini.dev/mini_2lg***/{image}@sha256:******
To learn more about the flags used in this command, visit Cosign documentation for Verify Attestation in GitHub.

Download image SBOM

Use the cosign download attestation command to print the SBOM attestation directly to the terminal. The SBOM is created and signed during the image build workflow and is stored along with the image in the registry. You will need to specify the image architecture, for example linux/amd64. 
cosign download attestation \
 --platform linux/amd64 \
 --predicate-type=https://spdx.dev/Document \
 reg.mini.dev/{minimus token}/{image:tag} | \
 jq '.payload | @base64d | fromjson | .predicate'
To learn more about the flags used in this command, visit Cosign documentation for Download Attestation in GitHub.

SPDX format

When downloading the signed SBOM from Minimus, it will be downloaded in the SPDX format. SPDX, short for Software Package Data Exchange, is the most popular SBOM format. SPDX is an open standard for communicating SBOM information developed by the Linux Foundation.
Learn more about the SPDX spec
You can use a CLI command to print the package license information from the SBOM attestation. The information includes the URLs to view the original license agreements, where available.
Packages without standard SPDX license identifiers such as FIPS packages marked as PROPRIETARY will not include the URL to the license agreement.
For example, here’s the command to print the licenses used by the Minimus nginx image:
Command to print package license info
cosign download attestation \
  --predicate-type=https://spdx.dev/Document \
  --platform linux/amd64 \
  reg.mini.dev/nginx:latest \
| jq -r '
  .payload
  | @base64d
  | fromjson
  | .predicate.packages
  | map(select(any(.externalRefs[]?; (.referenceLocator // "") | contains("pkg:apk/"))))
  | unique_by(.name)
  | .[]
  | . as $p
  | "Package: \($p.name)\nVersion: \($p.versionInfo // "unknown")\nLicense: \($p.licenseDeclared // "UNKNOWN")"
    + (
      if (($p.licenseDeclared // "UNKNOWN") | test("^(NOASSERTION|UNKNOWN|NONE)$")) then
        "\nLicense URL: Not available\n"
      else
        "\nLicense URL(s):\n"
        + (
          ($p.licenseDeclared
            | gsub(" AND | OR | WITH "; ",")
            | split(",")
            | map(select(. != "" and . != "NOASSERTION" and . != "UNKNOWN" and . != "NONE"))
            | map("  https://spdx.org/licenses/\(.).html")
            | join("\n")
          ) + "\n"
        )
      end
    )
'
The output will print out the SBOM information as follows:
  • Package name
  • Package version
  • License name
  • License URLs
Example from the license printout for the Minimus nginx image
Package: ca-certificates-bundle
Version: 20251003-r0
License: MPL-2.0 AND MIT
License URL(s):
  https://spdx.org/licenses/MPL-2.0.html
  https://spdx.org/licenses/MIT.html

Package: glibc
Version: 2.43-r0
License: LGPL-2.1-or-later
License URL(s):
  https://spdx.org/licenses/LGPL-2.1-or-later.html

Package: glibc-locale-posix
Version: 2.43-r0
License: LGPL-2.1-or-later
License URL(s):
  https://spdx.org/licenses/LGPL-2.1-or-later.html

...
Last modified on March 19, 2026