Artifact security and provenance verification (SLSA)
Overview
ReversingLabs artifacts are signed using the SLSA (Supply-chain Levels for Software Artifacts) framework to ensure these artifacts are authentic and have not been tampered with. This document describes how to verify artifact signatures and provenance attestations using Cosign and in-toto attestation.
Supported products:
- Spectra Analyze
- Spectra Detect
- File Inspection Engine
SLSA framework
SLSA is a security framework for verifying software supply chain integrity. By adhering to SLSA, every artifact has a cryptographically verifiable provenance record. Verification mitigates risks such as:
- Unauthorized injection: malicious code added during the build process.
- Build environment compromise: code built on an unverified or insecure machine.
- Identity spoofing: a third party impersonating ReversingLabs.
Each artifact includes:
- Digital signature: verifies the artifact was produced by ReversingLabs and has not been modified since signing.
- Provenance attestation: an in-toto attestation containing metadata about how the artifact was built:
- Builder: the build system used (e.g., GitHub Actions, GitLab CI).
- Materials: the source code commit hash and dependencies.
- Recipe: the build steps or entry point used to create the artifact.
Prerequisites
Install the Cosign CLI from the Sigstore project by following the official installation guide.
Verification
ReversingLabs uses Sigstore keyless signing with Google as the OIDC provider.
Certificate identity: sigstore@appliances-reversinglabs.iam.gserviceaccount.com
Container images and Helm charts
Signatures and attestations for containerized products are stored in registry.reversinglabs.com alongside the image.
Verify the digital signature
To confirm the image was signed by our trusted identity, run the following command:
cosign verify "registry.reversinglabs.com/${IMAGE_REPOSITORY}:${VERSION}" \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com
For example:
cosign verify registry.reversinglabs.com/detect/images/detect-worker-mono:5.7.0 \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com
To verify Helm charts, use the same approach:
cosign verify registry.reversinglabs.com/detect/charts/detect:5.7.0-2 \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com
If the verification is successful, you will see the output of the checks that were performed, followed by JSON output containing the information about the artifact.
Verify the SLSA provenance attestation
To verify the attestation, use cosign verify-attestation with --type=slsaprovenance1:
cosign verify-attestation "registry.reversinglabs.com/${IMAGE_REPOSITORY}:${VERSION}" \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
--type=slsaprovenance1
For example:
cosign verify-attestation registry.reversinglabs.com/detect/images/detect-worker-mono:5.7.0 \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
--type=slsaprovenance1
To verify Helm charts, use the same approach:
cosign verify-attestation registry.reversinglabs.com/detect/charts/detect:5.7.0-2 \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
--type=slsaprovenance1
OVA images and update binaries
For OVA images and update binaries, signature and attestation bundles are provided alongside the artifacts, as well as SHA256 checksum files. To obtain these files, contact Customer Support.
To verify the signature, run the following command:
cosign verify-blob --bundle reversinglabs-c1000-5.6.4-update.bin.sig.bundle \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
reversinglabs-c1000-5.6.4-update.bin
For blob attestation verification, the SHA256 checksum must be provided using the --digest parameter, because cosign verify-blob-attestation does not work reliably with large files.
To verify the attestation, run the following command:
cosign verify-blob-attestation --bundle reversinglabs-c1000-5.6.4-update.bin.attestation.bundle \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
--type slsaprovenance1 \
--digestAlg=sha256 \
--digest $(cut -d " " -f1 reversinglabs-c1000-5.6.4-update.bin-sha256)
Successful output:
Verified OK
Example error output:
Error: no matching subject digest found
error during command execution: no matching subject digest found
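Cosign's checks stop at "Verified OK": whether the provenance names the builder, materials and recipe you expect (see the SLSA framework section) still has to be read out of the attestation, and the "no matching subject digest found" error above is the subject-digest comparison failing. The following Python is an added example, not part of the ReversingLabs documentation: it decodes the DSSE envelope that cosign verify-attestation prints for a container image, enforces the subject digest and builder identity, and returns the builder, materials and recipe; file_sha256 computes the value to pass as --digest from the artifact itself rather than from a shipped checksum file. Every URI and digest in the sample envelope is a constructed placeholder, and the builder ID to require must come from ReversingLabs' actual provenance, which this page does not list.

```python
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"  # what cosign --type=slsaprovenance1 selects

# Constructed sample of the DSSE envelope cosign verify-attestation prints once the
# signature has been verified (signature value omitted; it is not re-checked here).
_STMT = {
    "_type": "https://in-toto.io/Statement/v1",
    "predicateType": SLSA_V1,
    "subject": [{"name": "detect-worker-mono", "digest": {"sha256": "ab" * 32}}],
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build/v1",  # placeholder "recipe"
            "resolvedDependencies": [  # the "materials": source commit, dependencies
                {"uri": "git+https://example.invalid/repo", "digest": {"gitCommit": "0" * 40}}],
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builder/v1"}},  # placeholder
    },
}
SAMPLE_ENVELOPE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STMT).encode()).decode(),
    "signatures": [{"keyid": "", "sig": "omitted"}],
})

def file_sha256(path):
    """Digest of the artifact itself, computed locally (not read from a shipped checksum file)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_provenance(envelope_json, expected_sha256, expected_builder_id):
    """Return builder/materials/recipe if the provenance binds expected_sha256, else raise."""
    env = json.loads(envelope_json)
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SLSA_V1:
        raise ValueError("not SLSA v1 provenance: %r" % stmt.get("predicateType"))
    # The statement covers only the digests listed as subjects (cosign's "no matching subject digest").
    if expected_sha256 not in {s["digest"].get("sha256") for s in stmt.get("subject", [])}:
        raise ValueError("no matching subject digest found")
    pred = stmt["predicate"]
    builder = pred["runDetails"]["builder"]["id"]
    if builder != expected_builder_id:
        raise ValueError("unexpected builder: %r" % builder)
    deps = pred["buildDefinition"].get("resolvedDependencies", [])
    return {"builder": builder, "recipe": pred["buildDefinition"].get("buildType"),
            "materials": [d.get("uri") for d in deps]}
```

Pipe the stdout of cosign verify-attestation into check_provenance one line per envelope; a raised ValueError means the artifact should not be deployed even though the signature itself verified.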
AMI images
Unlike Docker images and Helm charts, AMI (Amazon Machine Image) deliverables are published directly to AWS and cannot be cryptographically signed at the time of upload. Instead, a file containing the image ARN is used as the subject for the SLSA provenance attestation.
Verifying the signature on the provenance and comparing the artifact digest confirms:
- The artifact was produced by the expected build system.
- The artifact has not been modified since the build.
To obtain the verification files, contact Customer Support.
To verify the signature, run the following command:
cosign verify-blob --bundle c1000-5.6.4-39-2025-12-18.ami.sig.bundle \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
c1000-5.6.4-39-2025-12-18.ami
To verify the attestation, run the following command:
cosign verify-blob-attestation --bundle c1000-5.6.4-39-2025-12-18.ami.attestation.bundle \
--digestAlg sha256 \
--digest $(sha256sum c1000-5.6.4-39-2025-12-18.ami | cut -d " " -f1) \
--certificate-identity=sigstore@appliances-reversinglabs.iam.gserviceaccount.com \
--certificate-oidc-issuer=https://accounts.google.com \
--type slsaprovenance1
Support
For verification failures or security-related questions, contact Customer Support.