# Verifying Images & SBOMs

> Use Cosign to verify image signatures and SBOM attestations for Minimus images

Minimus signs its images with the [Sigstore](https://www.sigstore.dev/) toolkit so that end users can verify image provenance. Cosign is the Sigstore tool for signing and verifying container images. If you're new to Sigstore, take a minute to [learn the basics](/integrity/sigstore).

## Prerequisites

Before you can begin, you'll need to install the following:

* [Cosign](https://docs.sigstore.dev/cosign/overview/) - needed to verify and download image signatures and attestations
* [jq](https://stedolan.github.io/jq/) - a JSON processor needed to format the attestations

## Verify image

Use Cosign to verify the signature of a Minimus image by running one of the commands below.

<CodeGroup>
  ```bash General command theme={null}
  # first authenticate to the minimus registry
  docker login reg.mini.dev -u minimus
  # Password: {minimus-token}

  # verify an image
  cosign verify \
      --certificate-oidc-issuer=https://accounts.google.com \
      --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com \
      reg.mini.dev/{image}:{tag} | jq
  ```

  ```bash Example with image tag theme={null}
  # first authenticate to the minimus registry
  docker login reg.mini.dev -u minimus
  # Password: {minimus-token}

  # verify an image
  cosign verify \
      --certificate-oidc-issuer=https://accounts.google.com \
      --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com \
      reg.mini.dev/go:latest | jq
  ```

  ```bash Example with image digest theme={null}
  # first authenticate to the minimus registry
  docker login reg.mini.dev -u minimus
  # Password: {minimus-token}

  # verify an image
  cosign verify \
      --certificate-oidc-issuer=https://accounts.google.com \
      --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com \
      reg.mini.dev/go@sha256:c85345b30f809b53361880e2c84766d808f166c9820d41c98207f340f1efdeaf | jq
  ```

  ```bash With inline token theme={null}
  cosign verify \
      --certificate-oidc-issuer=https://accounts.google.com \
      --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com \
      reg.mini.dev/{minimus-token}/{image}:{tag} | jq
  ```
</CodeGroup>

The command validates that the container image is cryptographically signed by the trusted Google service account, using a certificate issued by Google's OIDC provider. If verification succeeds, the command prints a JSON document describing the signature.

Explanation:

* `cosign verify` instructs Cosign to verify the cryptographic signature of the specified container image.
* `--certificate-oidc-issuer=https://accounts.google.com` pins the OIDC issuer of the signing certificate; Minimus images are signed by a Google Cloud service account.
* `--certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com` pins the certificate identity to the Minimus build service account, so a signature from any other identity is rejected.
* `| jq` formats the output as human-readable JSON using the jq JSON processor.
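As an added example (not part of the Minimus documentation), here is a small Python policy check over the JSON that `cosign verify` prints. Cosign has already enforced the issuer and identity flags; this layer additionally pins the manifest digest that was signed to the digest you intend to deploy, and re-checks the `Issuer` and `Subject` fields Cosign records in the `optional` block. The sample output, its digest and the `check.py` script name are constructed for illustration.

```python
import json
import sys

EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_SUBJECT = "minimus-images-sa@prod-375107.iam.gserviceaccount.com"

# Constructed sample of what `cosign verify ... | jq` prints: a list of simple-signing
# payloads, one per signature that passed verification. The digest is a placeholder.
SAMPLE_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "reg.mini.dev/go"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {"Issuer": EXPECTED_ISSUER, "Subject": EXPECTED_SUBJECT},
}])


def check_verify_output(output, expected_ref, expected_digest):
    """Return the first payload binding expected_ref@expected_digest to the Minimus identity.

    Cosign has already checked the signature and certificate chain; this layer pins the
    manifest digest so that a later retag of the tag you verified cannot slip through.
    """
    payloads = json.loads(output)
    if not payloads:
        raise ValueError("cosign returned no verified signatures")
    for p in payloads:
        crit, opt = p.get("critical", {}), p.get("optional") or {}
        if crit.get("type") != "cosign container image signature":
            continue
        if crit.get("identity", {}).get("docker-reference") != expected_ref:
            continue
        if crit.get("image", {}).get("docker-manifest-digest") != expected_digest:
            continue
        if opt.get("Issuer") != EXPECTED_ISSUER or opt.get("Subject") != EXPECTED_SUBJECT:
            continue
        return p
    raise ValueError(f"no signature binds {expected_ref}@{expected_digest} to {EXPECTED_SUBJECT}")


if __name__ == "__main__":
    # Usage: cosign verify ... reg.mini.dev/go@sha256:<digest> | python3 check.py reg.mini.dev/go sha256:<digest>
    ref, digest = sys.argv[1], sys.argv[2]
    check_verify_output(sys.stdin.read(), ref, digest)
    print(f"OK: {ref}@{digest} is signed by {EXPECTED_SUBJECT}")
```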

## Verify image SBOM

Use the `cosign verify-attestation` command to verify the image SBOM. The SBOM is created and signed during the image build workflow and is stored along with the image in the registry.

You will need to specify the architecture-specific image digest.

<CodeGroup>
  ```bash General command theme={null}
  cosign verify-attestation \
      --type https://spdx.dev/Document \
      --certificate-oidc-issuer=https://accounts.google.com \
      --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com \
      reg.mini.dev/mini_2lg***/{image}@sha256:******
  ```

  ```bash Example theme={null}
  cosign verify-attestation \
      --type https://spdx.dev/Document \
      --certificate-oidc-issuer=https://accounts.google.com \
      --certificate-identity=minimus-images-sa@prod-375107.iam.gserviceaccount.com \
      reg.mini.dev/mini_***/go@sha256:c3b0414330d5be44cc079ae9152ca6ce5b327182309b6ada91451351b70216c5 
  ```
</CodeGroup>

<Info>
  To learn more about the flags used in this command, visit Cosign documentation for [Verify Attestation](https://github.com/sigstore/cosign/blob/main/doc/cosign_verify-attestation.md) in GitHub.
</Info>

## Download image SBOM

Use the `cosign download attestation` command to print the SBOM attestation directly to the terminal. The SBOM is created and signed during the image build workflow and is stored along with the image in the registry.

You will need to specify the image architecture, for example `linux/amd64`.

<CodeGroup>
  ```bash General command theme={null}
  cosign download attestation \
   --platform linux/amd64 \
   --predicate-type=https://spdx.dev/Document \
   reg.mini.dev/{minimus-token}/{image}:{tag} | \
   jq '.payload | @base64d | fromjson | .predicate'
  ```

  ```bash Example theme={null}
  cosign download attestation \
   --platform linux/amd64 \
   --predicate-type=https://spdx.dev/Document \
   reg.mini.dev/mini_ftwgvii4jko2qkz3brp6mrcmgjzukfdl/go:latest | \
   jq '.payload | @base64d | fromjson | .predicate'    
  ```
</CodeGroup>

<Info>
  To learn more about the flags used in this command, visit Cosign documentation for [Download Attestation](https://github.com/sigstore/cosign/blob/main/doc/cosign_download_attestation.md) in GitHub.
</Info>

### SPDX format

The signed SBOM you download from Minimus is in the SPDX format. SPDX, short for Software Package Data Exchange, is an open standard for communicating SBOM information, developed by the Linux Foundation, and is the most popular SBOM format.

<Note>
  Learn more about the [SPDX spec](https://spdx.github.io/spdx-spec/v2.3/)
</Note>

## Print package license info

You can use a CLI command to print the package license information from the SBOM attestation. The information includes the URLs to view the original license agreements, where available.

<Info>
  Packages without standard SPDX license identifiers, such as FIPS packages marked as PROPRIETARY, will not include a URL to the license agreement.
</Info>

For example, here's the command to print the licenses used by the Minimus nginx image:

```shellscript Command to print package license info expandable theme={null}
cosign download attestation \
  --predicate-type=https://spdx.dev/Document \
  --platform linux/amd64 \
  reg.mini.dev/nginx:latest \
| jq -r '
  .payload
  | @base64d
  | fromjson
  | .predicate.packages
  | map(select(any(.externalRefs[]?; (.referenceLocator // "") | contains("pkg:apk/"))))
  | unique_by(.name)
  | .[]
  | . as $p
  | "Package: \($p.name)\nVersion: \($p.versionInfo // "unknown")\nLicense: \($p.licenseDeclared // "UNKNOWN")"
    + (
      if (($p.licenseDeclared // "UNKNOWN") | test("^(NOASSERTION|UNKNOWN|NONE)$")) then
        "\nLicense URL: Not available\n"
      else
        "\nLicense URL(s):\n"
        + (
          ($p.licenseDeclared
            | gsub(" AND | OR | WITH "; ",")
            | split(",")
            | map(select(. != "" and . != "NOASSERTION" and . != "UNKNOWN" and . != "NONE"))
            | map("  https://spdx.org/licenses/\(.).html")
            | join("\n")
          ) + "\n"
        )
      end
    )
'
```

For each package, the output prints the following SBOM information:

* Package name
* Package version
* License name
* License URLs

```yaml Example from the license printout for the Minimus nginx image expandable lines theme={null}
Package: ca-certificates-bundle
Version: 20251003-r0
License: MPL-2.0 AND MIT
License URL(s):
  https://spdx.org/licenses/MPL-2.0.html
  https://spdx.org/licenses/MIT.html

Package: glibc
Version: 2.43-r0
License: LGPL-2.1-or-later
License URL(s):
  https://spdx.org/licenses/LGPL-2.1-or-later.html

Package: glibc-locale-posix
Version: 2.43-r0
License: LGPL-2.1-or-later
License URL(s):
  https://spdx.org/licenses/LGPL-2.1-or-later.html

...
```
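As an added example (not part of the Minimus documentation), the following Python reproduces the two pipelines above without jq: the DSSE decoding step used in "Download image SBOM" (`.payload | @base64d | fromjson`) and the license report from "Print package license info". It also adds the check a practitioner wants before trusting a downloaded attestation: the in-toto statement's `subject` digest must match the image digest you resolved, and the `predicateType` must be SPDX. The envelope, digest and package entries are constructed for illustration, not taken from a real Minimus image.

```python
import base64
import json
import re

SPDX_PREDICATE = "https://spdx.dev/Document"
DIGEST = "ab" * 32  # constructed placeholder digest, not a real Minimus image
# Constructed miniature of `cosign download attestation` output: a DSSE envelope whose base64 payload is an in-toto Statement wrapping an SPDX document.
_statement = {
    "_type": "https://in-toto.io/Statement/v0.1", "predicateType": SPDX_PREDICATE,
    "subject": [{"name": "reg.mini.dev/nginx", "digest": {"sha256": DIGEST}}],
    "predicate": {"packages": [
        {"name": "glibc", "versionInfo": "2.43-r0", "licenseDeclared": "LGPL-2.1-or-later",
         "externalRefs": [{"referenceLocator": "pkg:apk/minimus/glibc@2.43-r0"}]},
        {"name": "ca-certificates-bundle", "versionInfo": "20251003-r0", "licenseDeclared": "MPL-2.0 AND MIT",
         "externalRefs": [{"referenceLocator": "pkg:apk/minimus/ca-certificates-bundle@20251003-r0"}]},
        {"name": "vendor-blob", "versionInfo": "1.0-r0", "licenseDeclared": "NOASSERTION",
         "externalRefs": [{"referenceLocator": "pkg:apk/minimus/vendor-blob@1.0-r0"}]},
        {"name": "not-a-package", "licenseDeclared": "MIT"},  # no apk purl, so filtered out
    ]},
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "constructed-placeholder"}],
})

def spdx_predicate(envelope_json, expected_digest):
    """jq's `.payload | @base64d | fromjson` step, plus SPDX-type and subject-digest checks."""
    env = json.loads(envelope_json)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected DSSE payloadType")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SPDX_PREDICATE:
        raise ValueError("not an SPDX attestation")
    if not any(s.get("digest", {}).get("sha256") == expected_digest for s in stmt.get("subject", [])):
        raise ValueError("attestation subject does not match the image digest")
    return stmt["predicate"]

def license_report(predicate):
    """The page's jq filter: apk packages only, unique by name (sorted), one spdx.org URL per license id."""
    rows = {}
    for p in predicate.get("packages", []):
        purls = [r.get("referenceLocator") or "" for r in p.get("externalRefs") or []]
        if p["name"] in rows or not any("pkg:apk/" in u for u in purls):
            continue
        lic = p.get("licenseDeclared") or "UNKNOWN"
        ids = [i for i in re.split(r" AND | OR | WITH ", lic) if i not in ("", "NOASSERTION", "UNKNOWN", "NONE")]
        rows[p["name"]] = {"version": p.get("versionInfo") or "unknown", "license": lic,
                           "urls": [f"https://spdx.org/licenses/{i}.html" for i in ids]}
    return dict(sorted(rows.items()))
```

A package whose `licenseDeclared` is NOASSERTION, UNKNOWN or NONE gets an empty `urls` list, which is where the jq version prints "License URL: Not available".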
