
Can you trust your SAS Viya Container images?

Started ‎07-09-2025 by
Modified ‎07-09-2025 by

 

With the 2024.07 release, SAS Mirror Manager introduced the ability to verify the integrity of SAS Viya container images. Then in 2024.10, it was improved further. 


 

This feature makes it possible to check the authenticity and integrity of the Viya images, which is a critical security process for establishing trust with our customers deploying SAS Viya.

 

As noted in the official documentation, “SAS provides container image signatures for all official product images. These signatures can be used with SAS Mirror Manager and other tools in order to verify that images originated from SAS.”

 

In this post we’ll discuss the details of the Viya container image verification and see some examples.

 

 

What has changed?

 

SAS Mirror Manager verifies image signatures

 

Starting with 2024.07, SAS Mirror Manager verifies image signatures at the time when images are downloaded from SAS container repositories.

 

As illustrated in the diagram below, this means that each time you run the SAS Mirror Manager tool to pull the SAS Viya images from the official SAS container registry (cr.sas.com), the image signatures are checked automatically. The public key included in the order’s certificates archive is used.

 

02_RP_diagram-verif1.png


 

 

SAS Mirror Manager mirrors the image signature

 

Since version 2024.10 of SAS Viya, SAS Mirror Manager can also mirror the image signature to some destination container registries (such as Azure Container Registry, Elastic Container Registry, and so on).

 

If you have made your Viya container images available in a private container registry (such as Azure Container Registry or JFrog), you can also manually verify the associated signatures.

 

You can use an open-source tool called “Cosign” to perform the verification.

 

03_RP_diagram-verif2.png

 

 

Requirements for image verification in a private registry

 

  • OCI version 1.1

SAS relies on the OCI version 1.1 specification for the SAS Mirror Manager image signature implementation. Signatures can be mirrored into any Container registry implementation that conforms to this specification.

 

As of today, the following container registry implementations support this version of the specification:

 

    • Azure Container Registry
    • Amazon Elastic Container Registry
    • Google Artifact Registry

 

  • The image signing public key

The signing key was added to new orders after May 2024, so older orders that were simply renewed will not have it in the corresponding certs.zip files.
In the short term, if you are using an older order and want to verify the signatures of the images mirrored into a private registry, then the current solution would be to request a new order.

If a signing key is associated with your order, you should see a file named cosign_release_2023.pub when you unzip the order's certificate archive ("-certs.zip" file).

 

  • The Cosign open-source verification utility

The Cosign source code and binaries can be found on the Cosign GitHub project.  You can install the cosign utility on many operating systems.

 

For example, on a Red Hat Linux based operating system (Red Hat Enterprise Linux, CentOS, Rocky Linux), you could simply run the commands below to download and install the RPM package:

 

04_RP_download-cosign.png

 

 

Example

 

The SAS documentation provides the steps to perform the signature verification. If you visit the latest version of the SAS Viya: Deployment on Google Kubernetes Engine hands-on (soon to be published in learn.sas.com), you can also find an example of how to do it against SAS Viya images that have been mirrored into the Google Artifact Registry.

 

Here are the steps:

 

  • Create the OAuth token to access the Google Artifact Registry
    • When we run the Cosign tool, we need to provide a username and password to authenticate against the remote registry.
    • With the Google Artifact registry, you can run a gcloud command to generate a short-lived OAuth access token to authenticate.

 

05_RP_gcloud-accesstoken.png

 

  • Install Cosign
    • Download and use the appropriate package depending on your operating system. In our example we are running Cosign on Rocky Linux 9, so we simply download and install the RPM package (see the example above).
  • Extract the image signing public key:
    • You can simply use the unzip command to extract the public key from the order’s -certs.zip file.
  • Verify the image signature with Cosign:
    • In the example below, we collect the sas-logon-app image name, with its exact path in the registry and the associated image tag.
    • Then we run the Cosign command using the syntax that is provided in the SAS documentation.

 

06_RP_cosign-verif-command.png

 

 

  • Finally, when you run the verification command, you should see something like this:

 

07_RP_cosign-verif-output.png

 

 

This confirms that the container image signature has been successfully verified!
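
The manual check above covers one image; the following added example (not code from this post or from SAS) extends it to a list of mirrored images and fails closed if any signature does not verify. It assumes registry credentials are already configured for Cosign, uses only the plain `cosign verify --key` form, and the names `verify_images` and `COSIGN_EXTRA_ARGS` are hypothetical; any further options required by the syntax in the SAS documentation can be passed through `COSIGN_EXTRA_ARGS`.

```shell
#!/bin/sh
# Added example: fail-closed signature check over a list of mirrored images.
# Assumptions (not from the article): function and variable names, the
# list-file format, and that registry credentials are already configured.

# verify_images KEY_FILE LIST_FILE
#   LIST_FILE holds one image reference per line; blank lines and lines
#   starting with '#' are skipped.
#   Sets VERIFIED and FAILED; returns 0 only if every listed image verified.
verify_images() {
    key=$1
    list=$2
    VERIFIED=0
    FAILED=0

    # The certs archive holds several PEM files; refuse anything that is
    # not a PEM public key so a wrong file cannot be used by mistake.
    if [ ! -r "$key" ] || ! grep -q -e '-----BEGIN PUBLIC KEY-----' "$key"; then
        echo "error: $key is not a readable PEM public key" >&2
        return 2
    fi
    [ -r "$list" ] || { echo "error: cannot read $list" >&2; return 2; }

    while IFS= read -r ref || [ -n "$ref" ]; do
        case $ref in ''|'#'*) continue ;; esac
        # COSIGN_EXTRA_ARGS is left unquoted on purpose so it can carry
        # several options; stdin is detached so the list is not consumed.
        if cosign verify --key "$key" ${COSIGN_EXTRA_ARGS:-} "$ref" \
               >/dev/null 2>&1 </dev/null; then
            VERIFIED=$((VERIFIED + 1))
            echo "OK    $ref"
        else
            FAILED=$((FAILED + 1))
            echo "FAIL  $ref" >&2
        fi
    done < "$list"

    # An empty list counts as a failure: nothing was actually verified.
    if [ "$FAILED" -gt 0 ] || [ "$VERIFIED" -eq 0 ]; then
        return 1
    fi
    return 0
}

# Run directly as: ./verify-images.sh cosign_release_2023.pub images.txt
if [ "$#" -eq 2 ]; then
    verify_images "$1" "$2"
fi
```

A non-zero exit status can be used to stop a deployment pipeline before any unverified image is pulled by the cluster.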

 

 

Conclusion

 

That’s it for today. This approach to validate the source and integrity of SAS container images improves the security posture of our software. Sites deploying SAS Viya can reliably ensure that the software they're installing comes from SAS in its original form without modification or replacement by intermediaries.

 

Special thanks to Elliot Peele for his support in the write-up of this post!

 

 

Find more articles from SAS Global Enablement and Learning here.
