
Supply Chain Security

All QMigrator container images are signed using Cosign. Before deploying, verify each image against the QMigrator public key to confirm it was produced by Quadrant Technologies and has not been modified.


Step 1: Get the Public Key

Download the signing public key (cosign-qmigrator.pub) and save it locally:

PowerShell (curl.exe bypasses the Invoke-WebRequest alias that Windows PowerShell 5.1 binds to curl):

curl.exe -fsSL https://docs.qmigrator.ai/deployment/files/cosign-qmigrator.pub `
  -o cosign-qmigrator.pub

Bash:

curl -fsSL https://docs.qmigrator.ai/deployment/files/cosign-qmigrator.pub \
  -o cosign-qmigrator.pub

Step 2: Install Cosign

Install Cosign v2 if not already present:

Windows (PowerShell, from an elevated prompt because it writes to Program Files and the machine-wide Path; open a new terminal afterwards so the updated Path is picked up):

curl.exe -O -L https://github.com/sigstore/cosign/releases/latest/download/cosign-windows-amd64.exe
New-Item -ItemType Directory -Force -Path "$Env:ProgramFiles\cosign" | Out-Null
Move-Item cosign-windows-amd64.exe "$Env:ProgramFiles\cosign\cosign.exe"
[System.Environment]::SetEnvironmentVariable(
  "Path",
  [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";$Env:ProgramFiles\cosign",
  [System.EnvironmentVariableTarget]::Machine
)

macOS (Homebrew):

brew install cosign

Linux (amd64):

curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign

Confirm the installation:

cosign version

Step 3: Verify an Image

Replace <tag> with the release version (e.g., v2.3.0) and <component> with the image name:

cosign verify \
  --key cosign-qmigrator.pub \
  qmigrator.azurecr.io/qmigrator/<component>:<tag>

Component image names: app, eng, asses, migrt, convs, airflow.

A successful verification exits with code 0 and prints the signature payload:

Verification for qmigrator.azurecr.io/<component>:<tag> --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"qmigrator.azurecr.io/<component>:<tag>"},...}]

Verification failure

If cosign exits non-zero or prints "error: no matching signatures", do not use the image.


Step 4: Verify SBOM Attestation

Run attestation verification and decode the payload:

cosign verify-attestation --key cosign-qmigrator.pub \
  qmigrator.azurecr.io/qmigrator/<component>:<tag> \
  | jq -r .payload \
  | base64 -d \
  | jq .

This prints the decoded attestation statement. Check that it contains SBOM metadata and that its subject refers to the same image digest as the image you verified in Step 3.

Optional: Filter SBOM Predicate

cosign verify-attestation --key cosign-qmigrator.pub \
  qmigrator.azurecr.io/qmigrator/<component>:<tag> \
  | jq -r .payload \
  | base64 -d \
  | jq '.predicateType, .predicate'

Expected result:

  • predicateType is present
  • predicate contains SBOM content (for example SPDX or CycloneDX structures)
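Steps 3 and 4 combined into a single deployment gate, as an added example that is not part of the QMigrator documentation or of Cosign itself: it runs cosign verify, takes the image digest from the signature payload, decodes the attestation envelope the same way the jq pipeline above does, and accepts the image only when an SBOM attestation names that same digest. It assumes cosign v2 on PATH and the key file from Step 1; the SPDX and CycloneDX predicate-type URIs are the standard ones cosign documents, not QMigrator-specific values, and constructed_sample() builds stand-in cosign output (not real QMigrator signatures or SBOMs) so the parsing and policy checks can be exercised offline.

```python
"""Gate a QMigrator deployment on the Cosign checks from Steps 3 and 4.

Added example, not part of the QMigrator docs or of Cosign. Assumes cosign v2
on PATH and the key file cosign-qmigrator.pub from Step 1. constructed_sample()
returns constructed stand-ins for cosign's output, not real QMigrator data.
"""
import base64
import json
import subprocess
from typing import Dict, List, Optional, Set, Tuple

REGISTRY = "qmigrator.azurecr.io/qmigrator"
KEY_FILE = "cosign-qmigrator.pub"
# in-toto predicate types cosign uses for SPDX and CycloneDX SBOMs (assumption:
# standard cosign predicate URIs, nothing QMigrator-specific).
SBOM_PREDICATE_TYPES = {"https://spdx.dev/Document", "https://cyclonedx.org/bom"}


def signed_digests(verify_stdout: str) -> Set[str]:
    """Digests from the JSON array `cosign verify` prints (banner lines skipped)."""
    digests: Set[str] = set()
    for line in verify_stdout.splitlines():
        if line.strip().startswith("["):
            for payload in json.loads(line):
                digest = payload["critical"]["image"]["docker-manifest-digest"]
                digests.add(digest.split(":", 1)[-1])  # strip the "sha256:" prefix
    return digests


def decode_envelopes(attest_stdout: str) -> List[Dict]:
    """Decode in-toto Statements from `cosign verify-attestation` DSSE envelope
    lines; the same transform as `jq -r .payload | base64 -d` in Step 4."""
    statements: List[Dict] = []
    for line in attest_stdout.splitlines():
        if not line.strip().startswith("{"):
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") == "application/vnd.in-toto+json":
            statements.append(json.loads(base64.b64decode(envelope["payload"])))
    return statements


def sbom_statement_for(statements: List[Dict], digest: str) -> Optional[Dict]:
    """First statement with an SBOM predicateType, a non-empty predicate, and a
    subject whose sha256 equals the digest `cosign verify` reported; else None."""
    for statement in statements:
        if statement.get("predicateType") not in SBOM_PREDICATE_TYPES:
            continue
        if not statement.get("predicate"):
            continue
        for subject in statement.get("subject", []):
            if subject.get("digest", {}).get("sha256") == digest:
                return statement
    return None


def verify_release(component: str, tag: str, key_file: str = KEY_FILE) -> str:
    """Run both cosign checks; return the verified digest or raise (fail closed)."""
    image = f"{REGISTRY}/{component}:{tag}"
    sig = subprocess.run(["cosign", "verify", "--key", key_file, image],
                         capture_output=True, text=True)
    if sig.returncode != 0:
        raise RuntimeError(f"signature check failed for {image}: {sig.stderr.strip()}")
    digests = signed_digests(sig.stdout)
    if len(digests) != 1:
        raise RuntimeError(f"expected one signed digest for {image}, got {sorted(digests)}")
    (digest,) = digests
    att = subprocess.run(["cosign", "verify-attestation", "--key", key_file, image],
                         capture_output=True, text=True)
    if att.returncode != 0:
        raise RuntimeError(f"attestation check failed for {image}: {att.stderr.strip()}")
    if sbom_statement_for(decode_envelopes(att.stdout), digest) is None:
        raise RuntimeError(f"no SBOM attestation covers {image}@sha256:{digest}")
    return digest


def constructed_sample() -> Tuple[str, str, str]:
    """Constructed (digest, `cosign verify` stdout, `verify-attestation` stdout)."""
    digest = "0" * 64  # placeholder digest, not a real image
    verify_out = json.dumps([{"critical": {
        "identity": {"docker-reference": f"{REGISTRY}/app:v2.3.0"},
        "image": {"docker-manifest-digest": f"sha256:{digest}"},
        "type": "cosign container image signature"}, "optional": None}])
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "predicateType": "https://spdx.dev/Document",
                 "subject": [{"name": f"{REGISTRY}/app", "digest": {"sha256": digest}}],
                 "predicate": {"spdxVersion": "SPDX-2.3", "name": "constructed-sbom"}}
    envelope = {"payloadType": "application/vnd.in-toto+json",
                "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
                "signatures": [{"keyid": "", "sig": "constructed"}]}
    return digest, verify_out, json.dumps(envelope)
```

In a pipeline, call verify_release("app", "v2.3.0") and deploy the returned digest rather than the mutable tag; any non-zero cosign exit, a missing SBOM attestation, or a digest mismatch between signature and attestation raises and stops the rollout.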

Troubleshooting

| Symptom | Cause | Resolution |
| --- | --- | --- |
| error: no matching signatures | Wrong key or unsigned image | Confirm you are using cosign-qmigrator.pub and the correct tag |