Skip to content
DOCS
User Guide API Guide

Verifying Aembit container image signatures

Aembit cryptographically signs all container images in Aembit’s Docker Hub repositories. To verify container image signatures, Aembit suggests using cosign, a CLI utility for signing software artifacts and verifying signatures using Sigstore.

Aembit signs all container images in Docker Hub starting from the following versions:

Verify a container image tag

Section titled “Verify a container image tag”

The following example shows how to verify the container image signature for Agent Controller. Though, you can swap the image name to any of the other available container images available in Aembit’s Docker Hub.

To verify the aembit_agent_controller container image:

  1. Download the Aembit Image Signing verification public key.
  2. Install cosign using Cosign's official installation guide.

  3. Run the following command to verify the signature for an image:
    The following command always uses the latest tag.

    Terminal window
    cosign verify --key <path-to-public-key> aembit/aembit_agent_controller:latest

    If successful, Cosign confirms the image signature and display the following verification details:

    Terminal window
    [{
      "critical": {
        "identity": {
          "docker-reference": "index.docker.io/aembit/aembit_agent_controller"
        },
        "image": {
          "docker-manifest-digest": "sha256:528de2fadc98d0a ..."
        },
        "type": "cosign container image signature"
      },
      "optional": {
        "Bundle": {
          "SignedEntryTimestamp": "MEUCIQDUKU204hbQx ... vPA9+yrvC90uxFJ4=",
          "Payload": {
            "body": "eyJlvNmgvZTA5M1MzUjNpckxrTnhpYzNlUCtvPSIsInB1YmxpY0tleSI6eyJ ..."
    }}}}]

Verify a specific container image tag

Section titled “Verify a specific container image tag”

Use the commands from the following sections to verify specific Docker Hub tags for Aembit container images. You can verify all images with the same public key.

Public key: Aembit Image Signing verification public key

The command to use cosign should look similar to the following example, where <tag> is the specific version that you want to verify the signature.

Terminal window
cosign verify --key <path-to-public-key> aembit/<image_name>:<tag>

Agent Controller

Section titled “Agent Controller”

Image name: aembit_agent_controller

Docker Hub repo: aembit/aembit_agent_controller

Latest version: 1.23.2263

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_agent_controller:1.23.2263

Agent Proxy

Section titled “Agent Proxy”

Image name: aembit_agent_proxy

Docker Hub repo: aembit/aembit_agent_proxy

Latest version: 1.23.3002

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_agent_proxy:1.23.3002

Agent Injector

Section titled “Agent Injector”

Image name: aembit_agent_injector

Docker Hub repo: aembit/aembit_agent_injector

Latest version: 1.23.295

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_agent_injector:1.23.295

AWS Lambda Extension

Section titled “AWS Lambda Extension”

Image name: aembit_aws_lambda_extension

Docker Hub repo: aembit/aembit_aws_lambda_extension

Latest version: 1.23.112

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_aws_lambda_extension:1.23.112

Sidecar Init

Section titled “Sidecar Init”

Image name: aembit_sidecar_init

Docker Hub repo: aembit/aembit_sidecar_init

Latest version: 1.18.92

Verification command:

Terminal window
cosign verify --key <path-to-public-key> aembit/aembit_sidecar_init:1.18.92