> ## Documentation Index
> Fetch the complete documentation index at: https://docs.abbyy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Image Signature and Attestation Validation

> Verify Cosign signatures, SPDX SBOM, and vulnerability scan attestations for ABBYY Vantage Private Cloud container images to confirm supply-chain integrity.

This document describes how to verify the cryptographic signatures and attestations created by the vantage-packager image publishing pipeline.

## Overview

The vantage-packager pipeline creates several security artifacts for each published image:

* **Container Image Signature**: Cryptographic signature using Cosign
* **SPDX SBOM Attestation**: Software Bill of Materials in SPDX 2.3 format
* **Vulnerability Scan Attestation**: Security scan results in SARIF format
  All artifacts are signed with the same private key and can be verified using the corresponding public key.

## Prerequisites

You'll need the following tools installed:

* `cosign` - for signature and attestation verification
* `jq` - for JSON parsing and analysis
* `curl` - for downloading artifacts (optional)

## Signature Verification

### Basic Verification

Verify an image signature using the public key:

```bash theme={null}
# Verify signature (skip transparency log for private registries)
cosign verify --key cosign.key.pub --insecure-ignore-tlog \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1
```

### With TLS Verification Disabled

For registries with self-signed certificates:

```bash theme={null}
cosign verify --key cosign.key.pub --insecure-ignore-tlog --allow-insecure-registry \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1
```

Expected output:

```json theme={null}
[{
  "critical": {
    "identity": {
      "docker-reference": "abyvtgonprm27.azurecr.io/vantage-installer"
    },
    "image": {
      "docker-manifest-digest": "sha256:a4190ad9d5289d7ad2d02d05749c10713a7aac217e8010b5e4ef15161b181c94"
    },
    "type": "cosign container image signature"
  }
}]
```

## Attestation Verification

### SPDX SBOM Attestation

Verify the SPDX Software Bill of Materials attestation:

```bash theme={null}
# Verify SPDX attestation
cosign verify-attestation --key cosign.key.pub --type spdx --insecure-ignore-tlog \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1
```

### Vulnerability Scan Attestation

Verify the vulnerability scan attestation:

```bash theme={null}
# Verify vulnerability scan attestation
cosign verify-attestation --key cosign.key.pub --type vuln --insecure-ignore-tlog \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1
```

## Retrieving Attestation Data

### Download SPDX SBOM

Extract the SPDX SBOM from the attestation:

```bash theme={null}
# Download and extract SPDX SBOM
cosign download attestation --predicate-type spdx \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1 | \
  jq -r '.payload' | base64 -d | jq -r '.predicate' > sbom.json
```

### Download Vulnerability Scan

Extract the vulnerability scan results:

```bash theme={null}
# Download and extract vulnerability scan
cosign download attestation --predicate-type vuln \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1 | \
  jq -r '.payload' | base64 -d | jq -r '.predicate' > vuln-scan.sarif
```

## Analyzing SPDX SBOM Data

### Basic SBOM Information

```bash theme={null}
# View SBOM metadata
jq '{
  name: .name,
  spdxVersion: .spdxVersion,
  creationInfo: .creationInfo,
  packageCount: (.packages | length)
}' sbom.json
```

### List All Packages

```bash theme={null}
# List all packages with versions
jq -r '.packages[] | "\(.name) \(.versionInfo // "unknown")"' sbom.json | sort
```

### Find Packages with Known Vulnerabilities

```bash theme={null}
# List packages with CPE identifiers (vulnerability references)
jq -r '.packages[] | select(.externalRefs[]?.referenceType == "cpe23Type") |
  "\(.name) \(.versionInfo // "unknown") - \(.externalRefs[0].referenceLocator)"' sbom.json
```

### License Information

```bash theme={null}
# Show packages with declared licenses
jq -r '.packages[] | select(.licenseDeclared != "NOASSERTION") |
  "\(.name): \(.licenseDeclared)"' sbom.json
```

## Analyzing Vulnerability Scan Data

### Basic Scan Information

```bash theme={null}
# View scan metadata
jq '{
  version: .version,
  tool: .runs[0].tool.driver.name,
  toolVersion: .runs[0].tool.driver.version,
  resultCount: (.runs[0].results | length)
}' vuln-scan.sarif
```

### List Vulnerabilities

```bash theme={null}
# List all vulnerabilities found
jq -r '.runs[0].results[] |
  "\(.ruleId) - \(.level // "unknown") - \(.message.text)"' vuln-scan.sarif
```

### High Severity Vulnerabilities

```bash theme={null}
# Show only high severity vulnerabilities
jq -r '.runs[0].results[] | select(.level == "error") |
  "\(.ruleId): \(.message.text)"' vuln-scan.sarif
```

## SBOM Visualization Tools

### CLI Tools

#### CycloneDX SBOM Utility

Install and use the CycloneDX SBOM utility for advanced analysis:

```bash theme={null}
# Install sbom-utility (if available)
go install github.com/CycloneDX/sbom-utility@latest

# Validate SPDX SBOM
sbom-utility validate --input-file sbom.json

# Generate component report
sbom-utility query --input-file sbom.json --select "name,version" --from "packages"
```

#### Custom Analysis with jq

```bash theme={null}
# Create a dependency tree view
jq -r '.packages[] |
  select(.name != null) |
  "\(.name)@\(.versionInfo // "unknown") (\(.supplier // "unknown"))"' sbom.json |
  sort | uniq
```

### Web-based Visualization

#### SBOM.sh Online Viewer

1. Visit [https://sbom.sh/](https://sbom.sh/)
2. Upload your `sbom.json` file
3. Explore the interactive component and dependency visualization

## Artifact Reference Discovery

### Find Signature Artifacts

```bash theme={null}
# Find signature artifact reference
cosign triangulate --type signature \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1
```

### Find Attestation Artifacts

```bash theme={null}
# Find attestation artifact reference
cosign triangulate --type attestation \
  abyvtgonprm27.azurecr.io/vantage-installer:2.7.1
```
