What information does a user need to verify a signed container image?
A. The image's SHA-256 hash and the private key of the signing authority.
B. The image's digital signature and the private key of the signing authority.
C. The image's SHA-256 hash and the public key of the signing authority.
D. The image's digital signature and the public key of the signing authority.
Container image signing (e.g., with cosign or Notary v2) uses asymmetric cryptography: the signer signs with a private key that is never shared, and anyone holding the matching public key can verify.
Verification process:
1. Retrieve the image's digital signature.
2. Validate the signature with the public key of the signer.
Exact extract (Sigstore Cosign Docs):
“Verification of an image requires the signature and the signer’s public key. The signature proves authenticity and integrity.”
Why others are wrong:
A & B: The private key is only used by the signer, never shared.
C: The hash alone cannot prove authenticity without the digital signature.