Linux Foundation KCSA Question Answer
Which information does a user need to verify a signed container image?
A. The image's SHA-256 hash and the private key of the signing authority.
B. The image's digital signature and the private key of the signing authority.
C. The image's SHA-256 hash and the public key of the signing authority.
D. The image's digital signature and the public key of the signing authority.
Container image signing (e.g., with cosign or Notary v2) uses asymmetric cryptography: the signer signs with a private key, and anyone holding the corresponding public key can verify.
Verification process:
1. Retrieve the image's digital signature.
2. Validate the signature with the public key of the signer.
Exact extract (Sigstore Cosign Docs):
“Verification of an image requires the signature and the signer’s public key. The signature proves authenticity and integrity.”
Why others are wrong:
A & B: The private key is held only by the signer and is never shared with verifiers.
C: The hash alone cannot prove authenticity; without the digital signature there is nothing binding the hash to the signer.
TESTED 21 Oct 2025
Copyright © 2014-2025 ACE4Sure. All Rights Reserved