
Aembit cryptographically signs all container images in Aembit’s Docker Hub repositories. To verify container image signatures, Aembit suggests using cosign, a CLI utility for signing software artifacts and verifying signatures using Sigstore.

Aembit signs all container images in Docker Hub starting from the following versions:

The following example shows how to verify the container image signature for Agent Controller. You can substitute the image name with any of the other container images available in Aembit’s Docker Hub.

To verify the aembit_agent_controller container image:

  1. Download the Aembit Image Signing verification public key.
  2. Install cosign using Cosign's official installation guide.
  3. Run the following command to verify the signature for an image:
    The following command always uses the latest tag.

    Terminal window
    cosign verify --key <path-to-public-key> aembit/aembit_agent_controller:latest

    If successful, Cosign confirms the image signature and displays the following verification details:

    Terminal window
    [{
      "critical": {
        "identity": {
          "docker-reference": "index.docker.io/aembit/aembit_agent_controller"
        },
        "image": {
          "docker-manifest-digest": "sha256:528de2fadc98d0a ..."
        },
        "type": "cosign container image signature"
      },
      "optional": {
        "Bundle": {
          "SignedEntryTimestamp": "MEUCIQDUKU204hbQx ... vPA9+yrvC90uxFJ4=",
          "Payload": {
            "body": "eyJlvNmgvZTA5M1MzUjNpckxrTnhpYzNlUCtvPSIsInB1YmxpY0tleSI6eyJ ..."
          }
        }
      }
    }]

Use the commands from the following sections to verify specific Docker Hub tags for Aembit container images. You can verify all images with the same public key.

Public key: Aembit Image Signing verification public key

The cosign command should look similar to the following example, where <tag> is the specific version whose signature you want to verify.

Terminal window
cosign verify --key <path-to-public-key> aembit/<image_name>:<tag>

Image name: aembit_agent_controller

Docker Hub repo: aembit/aembit_agent_controller

Latest version: 1.24.2485

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_agent_controller:1.24.2485

Image name: aembit_agent_proxy

Docker Hub repo: aembit/aembit_agent_proxy

Latest version: 1.24.3324

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_agent_proxy:1.24.3324

Image name: aembit_agent_injector

Docker Hub repo: aembit/aembit_agent_injector

Latest version: 1.23.295

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_agent_injector:1.23.295

Image name: aembit_aws_lambda_extension

Docker Hub repo: aembit/aembit_aws_lambda_extension

Latest version: 1.24.128

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_aws_lambda_extension:1.24.128

Image name: aembit_sidecar_init

Docker Hub repo: aembit/aembit_sidecar_init

Latest version: 1.18.92

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_sidecar_init:1.18.92

To verify a specific container image digest, you can use the cosign command with the sha256 digest of the image.

The cosign command should look similar to the following example, where <hash variable> is the specific digest of the image you want to verify.

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_agent_controller@sha256:<hash variable>

Example output for a successful verification:

Terminal window
cosign verify --key ./aembit-cosign-public-key.pub aembit/aembit_agent_controller@sha256:528de2fadc98d0affea24bc03920ed531825779f3a8246f72bf2d568324f4daf
Verification for index.docker.io/aembit/aembit_agent_controller@sha256:528de2fadc98d0affea24bc03920ed531825779f3a8246f72bf2d568324f4daf --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"index.docker.io/aembit/aembit_agent_controller"},"image":{"docker-manifest-digest":"sha256:528de2fadc98d0affea24bc03920ed531825779f3a8246f72bf2d568324f4daf"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIQDUKU204hbQxCwxvwz9iTiccDdf3dc8NE7lO12KQ2GlwQIgCNjs8XiwipX7x0uv0h9Mvz5r/GZrPA9+yrvC90uxFJ4=","Payload":{"body":"eyJhcGlWZXJzaW9uI...=","integratedTime":1750106188,"logIndex":240203120,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}}]
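An added example (not Aembit's code): a deploy gate that runs the tag verification shown above, reads the signed manifest digest from cosign's JSON output, and returns a digest-pinned reference, so the image pulled afterwards is exactly the one that was verified even if the tag moves. The function names and the `SAMPLE` payload (built from the example output above) are this example's own, as is the assumption that cosign writes only the JSON array to stdout.

```python
import json
import re
import subprocess

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def signed_digest(cosign_stdout, expected_ref):
    """Return the one manifest digest named by every verified signature payload."""
    payloads = json.loads(cosign_stdout)
    if not payloads:
        raise ValueError("cosign output contains no signature payloads")
    digests = set()
    for payload in payloads:
        critical = payload["critical"]
        ref = critical["identity"]["docker-reference"]
        if ref != expected_ref:
            raise ValueError(f"signature is for {ref!r}, expected {expected_ref!r}")
        digest = critical["image"]["docker-manifest-digest"]
        if not DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed manifest digest {digest!r}")
        digests.add(digest)
    if len(digests) != 1:
        raise ValueError(f"payloads disagree on the digest: {sorted(digests)}")
    return digests.pop()

def verify_and_pin(image, key_path, expected_ref):
    """Verify a tag with cosign, then return repo@sha256:... for the deploy step."""
    # Same command as on this page; a failed verification exits non-zero and raises.
    # Assumption: stdout carries only the JSON array (the summary goes to stderr).
    result = subprocess.run(
        ["cosign", "verify", "--key", key_path, image],
        check=True, capture_output=True, text=True,
    )
    return f"{expected_ref}@{signed_digest(result.stdout, expected_ref)}"

# Constructed sample: the page's example output with the "optional" bundle dropped.
REF = "index.docker.io/aembit/aembit_agent_controller"
DIGEST = "sha256:528de2fadc98d0affea24bc03920ed531825779f3a8246f72bf2d568324f4daf"
SAMPLE = json.dumps([{"critical": {
    "identity": {"docker-reference": REF},
    "image": {"docker-manifest-digest": DIGEST},
    "type": "cosign container image signature"}}])

if __name__ == "__main__":
    print(f"{REF}@{signed_digest(SAMPLE, REF)}")
```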