All KoalaLab container images contain verifiable signatures and high-quality SBOMs (software bill of materials), features that enable users to confirm the origin of each image build and have a detailed list of everything that is packed within.
You'll need cosign and jq in order to download and verify image attestations.
Registry and Tags for adoptium-jdk Image
Attestations are provided per image build, so you'll need to specify the correct tag and registry when pulling attestations from an image with cosign.
the Public Registry contains our Starter Images, which typically comprise the latest* versions of an image.
contains all Production Images that your organisation has access to.
The commands listed on this page will default to the latest tag, but you can specify a different tag to fetch attestations for.
Verifying adoptium-jdk Image Signatures
The adoptium-jdk KoalaLab Containers are signed using Sigstore, and you can check the included signatures using cosign.
The cosign verify command will pull detailed information about all signatures found for the provided image.
