dhi: cosign feedback (#22999)

craig-osterhout · web-flow · commit 30df4d2339bd · 2025-07-03T12:16:15.000-07:00
## Description Added important callout that cosign requires logging into Hub and Scout. Updated associated examples to only tested commands. ## Related issues or tickets ENGDOCS-2800 ## Reviews   - [ ] Technical review - [ ] Editorial review Signed-off-by: Craig <craig.osterhout@docker.com>
diff --git a/content/manuals/dhi/about/test.md b/content/manuals/dhi/about/test.md
@@ -142,7 +142,7 @@ You can view and verify this attestation using the Docker Scout CLI.
     ```
 
 If the attestation is valid, Docker Scout will confirm the signature and show
-the matching Cosign verify-attestation command.
+the matching `cosign verify` command.
 
 To view other attestations, such as SBOMs or vulnerability reports, see [Verify
 an image](../how-to/verify.md).
diff --git a/content/manuals/dhi/core-concepts/sbom.md b/content/manuals/dhi/core-concepts/sbom.md
@@ -67,27 +67,23 @@ $ docker scout sbom <image-name>:<tag>
 
 ## Verify the SBOM of a Docker Hardened Image
 
-Since Docker Hardened Images come with signed SBOMs, you can use Cosign to
+Since Docker Hardened Images come with signed SBOMs, you can use Docker Scout to
 verify the authenticity and integrity of the SBOM attached to the image. This
 ensures that the SBOM has not been tampered with and that the image's contents
 are trustworthy.
 
-To verify the SBOM of a Docker Hardened Image using Cosign, use the following command:
+To verify the SBOM of a Docker Hardened Image using Docker Scout, use the following command:
 
 ```console
-$ cosign verify-attestation \
-  --key https://registry.scout.docker.com/keyring/dhi/latest.pub \
-  --type sbom \
-  <image-reference>
+$ docker scout attest get <image-name>:<tag> \
+   --predicate-type https://scout.docker.com/sbom/v0.1 --verify --platform <platform>
 ```
 
-For example, to verify the SBOM attestation for the dhi/node image:
+For example, to verify the SBOM attestation for the `dhi/node:20.19-debian12-fips-20250701182639` image:
 
 ```console
-$ cosign verify-attestation \
-  --key https://registry.scout.docker.com/keyring/dhi/latest.pub \
-  --type sbom \
-  registry.scout.docker.com/dhi/node@sha256:6de8ac9c07367652496bf926675425a22bf93e487cc2690d6778a82dd0159c4f
+$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \
+   --predicate-type https://scout.docker.com/sbom/v0.1 --verify --platform linux/amd64
 ```
 
 ## Resources
diff --git a/content/manuals/dhi/how-to/verify.md b/content/manuals/dhi/how-to/verify.md
@@ -57,8 +57,6 @@ offers several key advantages when working with Docker Hardened Images:
 
 In short, Docker Scout streamlines the verification process and reduces the chances of human error, while still giving you full visibility and the option to fall back to cosign when needed.
 
-
-
 ### List available attestations
 
 To list attestations for a mirrored DHI:
@@ -105,9 +103,26 @@ $ docker scout attest get \
   docs/dhi-python:3.13 --platform linux/amd64
 ```
 
-### Validate and show the equivalent cosign command
+### Validate the attestation with Docker Scout
+
+To validate the attestation using Docker Scout, you can use the `--verify` flag:
+
+```console
+$ docker scout attest get <image-name>:<tag> \
+   --predicate-type https://scout.docker.com/sbom/v0.1 --verify
+```
 
-You can use the `--verify` flag to validate the attestation and print the corresponding [cosign](https://docs.sigstore.dev/) command:
+For example, to verify the SBOM attestation for the `dhi/node:20.19-debian12-fips-20250701182639` image:
+
+```console
+$ docker scout attest get docs/dhi-node:20.19-debian12-fips-20250701182639 \
+   --predicate-type https://scout.docker.com/sbom/v0.1 --verify
+```
+
+### Show the equivalent cosign command
+
+When using the `--verify` flag, it also prints the corresponding
+[cosign](https://docs.sigstore.dev/) command to verify the image signature:
 
 ```console
 $ docker scout attest get \
@@ -137,6 +152,21 @@ Example output:
     ...
 ```
 
+> [!IMPORTANT]
+>
+> When using cosign, you must first authenticate to both the Docker Hub registry
+> and the Docker Scout registry.
+>
+> For example:
+>
+> ```console
+> $ docker login
+> $ docker login registry.scout.docker.com
+> $ cosign verify \
+>     registry.scout.docker.com/docker/dhi-python@sha256:b5418da893ada6272add2268573a3d5f595b5c486fb7ec58370a93217a9785ae \
+>     --key https://registry.scout.docker.com/keyring/dhi/latest.pub --experimental-oci11
+> ```
+
 ## Available DHI attestations
 
 See [available
