ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During a release readiness review, the security team wants to confirm that the container image pulled from the internal registry is the same one produced by the CI server. Which action best validates the artifact's provenance before deployment?
Validate the image's digital signature using the CI server's published public key
Compare the file size of the image to the size recorded in the build log
Check the build number embedded in the container tag matches the version control tag
Rely on the registry's TLS certificate to confirm authenticity during the pull
Verifying the digital signature attests both the origin and integrity of the build artifact. The CI server signs the image with its private key at build time. Operations personnel can later validate the signature with the corresponding trusted public key; any alteration to the image causes the signature check to fail. File size comparison and tag matching give only weak, easily spoofed assurance, while relying solely on TLS confirms the communication channel, not the artifact itself.
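The signing-at-build, verifying-before-deploy flow described above, as an added example (not part of the original question or of any particular CI or registry product). It assumes an Ed25519 CI signing key, treats the image as an in-memory byte slice with a constructed tag, and signs the image digest rather than the raw bytes, which is how registry signing tools generally work. It also shows why the rejected options are weak: a padded, same-size image with the same tag passes the size and tag checks but fails the signature check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Artifact stands in for a container image as pulled from a registry: the
// image bytes plus the tag the CI job applied. A real image is a set of
// layer tarballs; a byte slice is enough to show the provenance check.
type Artifact struct {
	Tag   string
	Bytes []byte
}

// Digest returns the sha256 digest in the "sha256:<hex>" form registries use.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// BuildAndSign is the CI server's side: produce the artifact, compute its
// digest, and sign that digest with the CI private key. The private key
// never leaves the build system.
func BuildAndSign(priv ed25519.PrivateKey, tag string, content []byte) (Artifact, []byte) {
	art := Artifact{Tag: tag, Bytes: content}
	sig := ed25519.Sign(priv, []byte(Digest(content)))
	return art, sig
}

// Verify is the operations side before deployment: recompute the digest of
// the pulled image and check the signature against the CI server's published
// public key. Any change to the bytes changes the digest, so the check fails.
func Verify(pub ed25519.PublicKey, art Artifact, sig []byte) error {
	if !ed25519.Verify(pub, []byte(Digest(art.Bytes)), sig) {
		return errors.New("signature check failed: image altered or not signed by the CI key")
	}
	return nil
}

// WeakChecks models the rejected options: size matches the build log and the
// tag matches the expected version. Both pass for an altered image of the
// same length carrying the same tag, which is why they are not provenance.
func WeakChecks(art Artifact, loggedSize int, expectedTag string) bool {
	return len(art.Bytes) == loggedSize && art.Tag == expectedTag
}

func main() {
	// Key pair generated here for the demo; in practice the public key is
	// published by the CI server and pinned by the deployment tooling.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed image content and tag (hypothetical values).
	art, sig := BuildAndSign(priv, "app:1.4.2", []byte("constructed image bytes v1.4.2"))
	fmt.Println("genuine image verifies:", Verify(pub, art, sig) == nil)

	// Same length, same tag, one byte flipped: weak checks pass, signature fails.
	tampered := Artifact{Tag: art.Tag, Bytes: append([]byte(nil), art.Bytes...)}
	tampered.Bytes[0] ^= 0x01
	fmt.Println("tampered passes size+tag checks:", WeakChecks(tampered, len(art.Bytes), "app:1.4.2"))
	fmt.Println("tampered passes signature check:", Verify(pub, tampered, sig) == nil)

	// A signature from some other key (not the CI server's) is also rejected.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherSig := BuildAndSign(otherPriv, art.Tag, art.Bytes)
	fmt.Println("foreign signature accepted:", Verify(pub, art, otherSig) == nil)
}
```

The point to take from the run: the size and tag checks return true for the tampered image, while Verify rejects both the tampered bytes and a signature made with a key other than the CI server's. TLS on the registry pull would not have changed either outcome, since it protects the connection rather than the bytes that were stored.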