Verifying container image integrity
About this task
IBM® Cloud Pak for Business Automation provides container images in the IBM Entitled Registry that are signed following the approach from Red Hat. You can use the signature to verify that the images come from IBM when they are pulled onto the system. For more information about the signature verification, see Verifying signatures of Red Hat container images.
Cloud Pak for Business Automation installs a number of dependencies, such as IBM Cloud Pak foundational services, which has its own signature validation process.
Red Hat OpenShift can be configured to verify container image signatures when images are pulled from a specific location. See Container image signatures for details about Red Hat's signatures of Red Hat OpenShift images. Images for IBM Cloud Pak for Business Automation are signed by using GPG keys, which in turn are bound to a certificate chain with DigiCert as its root. The signing key has changed multiple times, so the signature policy must list every key that signed the images you pull; the key given on this page covers images released from December 2024 onwards.
The following sections can be used to verify the IBM Cloud Pak for Business Automation signature on the container images.
- Creating files that contain GPG public keys to pull images
- Creating a policy to require signed images
- Signature validation in Linux command-line tools
- Optional: Verifying key material
- Cleaning up local images and caches
- Scanning for vulnerabilities
Creating files that contain GPG public keys to pull images
| File name for GPG key | Date |
|---|---|
| icp4a-pubkey-from-2024.gpg | For images released in December 2024 and later. |
- Create a file icp4a-pubkey-from-2024.gpg and add the following public key in the ASCII-armored GNU Privacy Guard (GPG) format, including the blank line after the BEGIN line. This key can be used to pull images from December 2024 onwards.
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGcyQU0BEADAO/bfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo
NEZB3/FWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB
5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ/B
/J/6jZL/ecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A/cLA6sPh7sDTzSmyJp/27
6ch3MijuxHLAdEFdR/oWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f
fDKK7BBMt/csgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn
MuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG
u1vQuGHJchwcGYRIDvgeYC+lw/q/jECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw
B38/boAujKCpCkvZFhP5OIylEmyCfRCZ/0ul8hvzS3kCjG5QSjBVcHolK75++CXb
6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx
0B0mZ3RTUXR92Y/Uy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl/D7g1WywARAQAB
tC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t
PokCOgQTAQgAJAUCZzJBTQIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAK
CRC0lqyjOeABc5p+D/4uVq6HmZQ7B2oTYYBoOa6xBMdnI91GQPaoGRhAwAPzQh8W
jw5fNiBJCLPVzTCIh26MJUwBWLXSZtlBDIg7zFEgXqUMqtS4qMuLTnBHyovx30hQ
zJyH6DkCCeBTqS06oq2N3comsCk+pbLlHSEMZlDR1WrZE2omi7P42ET9wQn4Px+c
iHmy07qJDoV4HyZEYAJ6LSyEXy8l0XTaqhMEerrFMKcLQGXsy0y0Al4/kvmtSuyw
hZaAadMsaPV+2rSz8yfyjNUDf7ZPh2whelV3VYfaVHnuy7S+RRCFqAeOtIAxOpai
++hxazlf03mgnPQH7WGSvjaz8sWtEUUMYFE0mnwusrK0DObOXd76qghkifN1IRiS
bUPvfa15U1/CwC0C5xFRWQfgrX2EwqUYNMiHqKRYxz8+LEC+vdT03naLzyxpAKwM
6bZ2laNJYNofQd7dYU+Co4oWrCTGfFLD/LYnejzWYR7Drt5Ppz1qgW1q5J1Qi7+V
s7+w4ga8n61Ta2zaDcccgdn/TG0IO8bWnxgwKwZS8w3wj+GFx70o4fIlH++PhL1/
zdI2jfH4XqvjT+mx3LNpfEXUOquIl9ikkRZMG787lqdjr1L58YF9BdZPtqs5RufU
mGzh82sCEmw9GaSJiGQb/fcoSIolqbLmEj4Aqy/hA6QSthBu58CGLOs91SevQQ==
=Jn52
-----END PGP PUBLIC KEY BLOCK-----
Creating a policy to require signed images
A security policy can deny or allow images to be pulled, or require a trust relationship for pulling images. This can be done for entire image registries or for specific parts of image registries. For more information, see Controlling what image sources can be deployed.
The following policy is the least intrusive: it requires images that are pulled from cp.icr.io/cp/cp4a to be signed by any of the GPG keys listed in the keyPaths array. Images from any other container registry, and from other paths inside cp.icr.io, are accepted without signatures.
If you can provide public keys for signature validation of all applications and their dependencies in your Red Hat OpenShift cluster, you can set the default type to reject.
Create a file and name it policy.json, then include the following content:
{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports": {
    "docker": {
      "cp.icr.io/cp/cp4a": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPaths": ["/etc/pki/icp4a-pubkey-from-2024.gpg"]
        }
      ]
    }
  }
}
You can use a MachineConfig object to inject the GPG public key file and the policy.json file into the nodes. The following example (machine-config.yaml) includes both files inline as percent-encoded data URLs. The entries set overwrite: true because /etc/containers/policy.json already exists on every Red Hat Enterprise Linux CoreOS node.
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: image-signature
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - contents:
          source: >-
            data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0A%0AmQINBGcyQU0BEADAO%2Fbfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo%0ANEZB3%2FFWVO%2BIlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB%0A5E12EjfVbS6xn%2BR3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ%2FB%0A%2FJ%2F6jZL%2FecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A%2FcLA6sPh7sDTzSmyJp%2F27%0A6ch3MijuxHLAdEFdR%2FoWvyh4XK04dRRQh2ecsJ2m5%2BEsS1DeYbFhwdgvMGtBVz6f%0AfDKK7BBMt%2FcsgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn%0AMuT%2BAC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa%2BWSKflj386lPV5hWneOG58UG%0Au1vQuGHJchwcGYRIDvgeYC%2Blw%2Fq%2FjECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw%0AB38%2FboAujKCpCkvZFhP5OIylEmyCfRCZ%2F0ul8hvzS3kCjG5QSjBVcHolK75%2B%2BCXb%0A6yYNawmQYVjPk1KuNe6Y%2BTVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx%0A0B0mZ3RTUXR92Y%2FUy7XXtusymGleCkW%2BbHs2F0%2B9i32l9Nuxgl%2FD7g1WywARAQAB%0AtC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t%0APokCOgQTAQgAJAUCZzJBTQIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAK%0ACRC0lqyjOeABc5p%2BD%2F4uVq6HmZQ7B2oTYYBoOa6xBMdnI91GQPaoGRhAwAPzQh8W%0Ajw5fNiBJCLPVzTCIh26MJUwBWLXSZtlBDIg7zFEgXqUMqtS4qMuLTnBHyovx30hQ%0AzJyH6DkCCeBTqS06oq2N3comsCk%2BpbLlHSEMZlDR1WrZE2omi7P42ET9wQn4Px%2Bc%0AiHmy07qJDoV4HyZEYAJ6LSyEXy8l0XTaqhMEerrFMKcLQGXsy0y0Al4%2FkvmtSuyw%0AhZaAadMsaPV%2B2rSz8yfyjNUDf7ZPh2whelV3VYfaVHnuy7S%2BRRCFqAeOtIAxOpai%0A%2B%2Bhxazlf03mgnPQH7WGSvjaz8sWtEUUMYFE0mnwusrK0DObOXd76qghkifN1IRiS%0AbUPvfa15U1%2FCwC0C5xFRWQfgrX2EwqUYNMiHqKRYxz8%2BLEC%2BvdT03naLzyxpAKwM%0A6bZ2laNJYNofQd7dYU%2BCo4oWrCTGfFLD%2FLYnejzWYR7Drt5Ppz1qgW1q5J1Qi7%2BV%0As7%2Bw4ga8n61Ta2zaDcccgdn%2FTG0IO8bWnxgwKwZS8w3wj%2BGFx70o4fIlH%2B%2BPhL1%2F%0AzdI2jfH4XqvjT%2Bmx3LNpfEXUOquIl9ikkRZMG787lqdjr1L58YF9BdZPtqs5RufU%0AmGzh82sCEmw9GaSJiGQb%2FfcoSIolqbLmEj4Aqy%2FhA6QSthBu58CGLOs91SevQQ%3D%3D%0A%3DJn52%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----%0A
        mode: 420
        overwrite: true
        path: /etc/pki/icp4a-pubkey-from-2024.gpg
      - contents:
          source: >-
            data:,%7B%0A%20%20%22default%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22type%22%3A%20%22insecureAcceptAnything%22%0A%20%20%20%20%7D%0A%20%20%5D%2C%0A%20%20%22transports%22%3A%20%7B%0A%20%20%20%20%22docker%22%3A%20%7B%0A%20%20%20%20%20%20%22cp.icr.io%2Fcp%2Fcp4a%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22signedBy%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22keyType%22%3A%20%22GPGKeys%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22keyPaths%22%3A%20%5B%22%2Fetc%2Fpki%2Ficp4a-pubkey-from-2024.gpg%22%5D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%5D%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D%0A
        mode: 420
        overwrite: true
        path: /etc/containers/policy.json
You can decode the files into clear text by using a URL decoder, and then apply the
MachineConfig resource:
oc apply -f machine-config.yaml
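Hand-encoding the two files into data URLs is where mistakes creep in (a dropped bracket in policy.json leaves CRI-O with an unparsable policy). The following script is an added example, not IBM's or Red Hat's code: it builds the same MachineConfig from the files on disk, embedding each one as a base64 data URL, which Ignition 3.x also accepts, and it can decode an existing data URL so you can check what a node will actually receive. The function and file names are the script's own; the node paths are the ones used on this page.

```python
import base64
import json
from urllib.parse import unquote_to_bytes

# Added example, not IBM's or Red Hat's code: generate the MachineConfig that
# ships the GPG public key and policy.json to every worker node. Each file is
# embedded as a base64 data URL (RFC 2397), which Ignition 3.x accepts for
# storage.files[].contents.source and which avoids percent-encoding by hand.

def data_url(content: bytes) -> str:
    """Base64 data URL for arbitrary file content."""
    return "data:text/plain;charset=utf-8;base64," + base64.b64encode(content).decode("ascii")

def decode_data_url(url: str) -> bytes:
    """Inverse of data_url(); also handles the percent-encoded form, so an
    existing MachineConfig can be checked for what the node will really get."""
    header, sep, payload = url.partition(",")
    if not header.startswith("data:") or not sep:
        raise ValueError("not a data URL")
    if header.endswith(";base64"):
        return base64.b64decode(payload, validate=True)
    return unquote_to_bytes(payload)

def file_entry(path: str, content: bytes, mode: int = 0o644) -> dict:
    """One Ignition 3.x storage.files entry. overwrite is set because
    /etc/containers/policy.json already exists on RHCOS nodes."""
    return {"path": path, "mode": mode, "overwrite": True,
            "contents": {"source": data_url(content)}}

def machine_config(name: str, role: str, files: dict) -> dict:
    """MachineConfig carrying `files` (node path -> bytes) for the given role."""
    return {
        "apiVersion": "machineconfiguration.openshift.io/v1",
        "kind": "MachineConfig",
        "metadata": {"name": name,
                     "labels": {"machineconfiguration.openshift.io/role": role}},
        "spec": {"config": {
            "ignition": {"version": "3.2.0"},
            "storage": {"files": [file_entry(p, c) for p, c in sorted(files.items())]},
        }},
    }

def signature_policy(scope: str, key_paths: list, default: str = "reject") -> bytes:
    """policy.json requiring GPG signatures for one registry scope."""
    policy = {
        "default": [{"type": default}],
        "transports": {"docker": {scope: [
            {"type": "signedBy", "keyType": "GPGKeys", "keyPaths": key_paths}]}},
    }
    return (json.dumps(policy, indent=2) + "\n").encode()

if __name__ == "__main__":
    import sys
    # Usage: python3 gen_mc.py icp4a-pubkey-from-2024.gpg > machine-config.json
    # JSON is valid YAML, so `oc apply -f machine-config.json` works unchanged.
    if len(sys.argv) > 1:
        key_bytes = open(sys.argv[1], "rb").read()
    else:  # constructed placeholder so the script runs without the real key file
        key_bytes = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nPLACEHOLDER\n-----END PGP PUBLIC KEY BLOCK-----\n"
    node_key = "/etc/pki/icp4a-pubkey-from-2024.gpg"
    mc = machine_config("image-signature", "worker", {
        node_key: key_bytes,
        "/etc/containers/policy.json": signature_policy(
            "cp.icr.io/cp/cp4a", [node_key], default="insecureAcceptAnything"),
    })
    print(json.dumps(mc, indent=2))
```

Run it with the key file as the only argument and apply the printed JSON with oc apply. Because the policy is built from a dict and serialized with json.dumps, it cannot be syntactically broken; decode_data_url lets you round-trip the source field of any existing MachineConfig to confirm the bytes that will land in /etc/containers/policy.json.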
You can watch the worker machine config pool as the nodes drain, receive the files, and reboot:
oc get mcp
If you are running a starter pattern, PodDisruptionBudgets on some pods might prevent the Machine Config Operator from draining a node gracefully. You can force deletion of the pods on such a node by first identifying a node for which scheduling is disabled:
oc get node
Use the node name to delete the pods on this node:
node=...
oc delete pod --field-selector="spec.nodeName=$node" --all-namespaces
Signature validation in Linux command-line tools
When inspecting and transporting images, skopeo is a useful tool because it needs neither a Docker daemon nor a local container runtime. It can easily be used in continuous integration (CI) pipelines to copy images between two registries, to provide credentials for secured registries, or to promote images from a development registry into production.
If you pull the images from the IBM Entitled Registry with skopeo, you can enable container image signature verification. The icp4a-pubkey-from-2024.gpg file that you created can be used to verify the images under a given registry path.
In the following example, images are pulled from cp.icr.io/cp/cp4a and verified with the GPG public key in the icp4a-pubkey-from-2024.gpg file. Because the default is reject, every image is rejected except correctly signed images under cp.icr.io/cp/cp4a.
Older podman and skopeo releases do not understand the keyPaths array, which is a later containers/image addition. This example therefore points to a single key file with the keyPath parameter (icp4a-pubkey-from-2024.gpg), which every release accepts. A relative keyPath is resolved against the directory in which the command runs, so run the commands from the directory that holds the key file or use an absolute path.
Create a file and name it policy-2.json, then include the following content:
{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "cp.icr.io/cp/cp4a": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "icp4a-pubkey-from-2024.gpg"
        }
      ]
    }
  }
}
Because cp.icr.io/cp/cp4a is the only listed scope and the default is reject, every image outside that path, and every image under it that is not correctly signed, is rejected. The skopeo option --policy policy-2.json selects this policy file instead of the default /etc/containers/policy.json. The following sample pulls one image into the local file system and validates its signature:
skopeo --policy ./policy-2.json copy docker://cp.icr.io/cp/cp4a/ban/navigator:24.0.1-amd64 dir:./ban
When you pull images by using podman, provide the --signature-policy policy-2.json option to point to the same policy file. With the correct public key referenced, the image is pulled:
podman pull --signature-policy policy-2.json cp.icr.io/cp/cp4a/ban/navigator:24.0.1-amd64
Trying to pull cp.icr.io/cp/cp4a/ban/navigator:24.0.1-amd64...
Getting image source signatures
Checking if image destination supports signatures
...
Pulls fail when the policy file references a different public key (policy-1.json in this example). In the gpgme output, Fingerprint holds the key ID of the key that produced the signature, Summary 128 is GPGME_SIGSUM_KEY_MISSING, and error code 9 is GPG_ERR_NO_PUBKEY: the signing key is not in the configured key file, so none of the signatures can be validated.
podman pull --signature-policy policy-1.json cp.icr.io/cp/cp4a/ban/navigator:24.0.1-amd64
Trying to pull cp.icr.io/cp/cp4a/ban/navigator:24.0.1-amd64...
None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637354, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637429, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
Error: error pulling image "cp.icr.io/cp/cp4a/ban/navigator:24.0.1-amd64": unable to pull cp.icr.io/cp/cp4a/ban/navigator:24.0.1-amd64: unable to pull image: Source image rejected: None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637354, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637429, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
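Both policy files above rely on how containers/image picks the requirement for an image reference: the most specific matching scope wins, and anything unmatched falls through to default. The following script is an added example, not part of this page or of containers/image; it models that lookup for the docker transport (exact reference, then repository, then each parent namespace, then the registry host, then the transport-wide "" scope, then default; wildcard scopes such as *.icr.io are not modelled), reports the verdict for several references under the two policies from this page, and lints a policy for the weak spots discussed here. The reference cp.icr.io/cp/cpd/some-operator:1.0 and the quay.io digest reference are constructed inputs; the policy contents are the ones given on this page.

```python
import json
import os

# Added example, not part of the IBM page or of containers/image: resolve which
# policy.json requirement applies to a docker:// reference the way the docker
# transport does it: the exact reference, then the repository, then each parent
# namespace, then the registry host, then the transport-wide "" scope, then
# "default". Wildcard scopes such as "*.icr.io" are not modelled.

# The two policies from this page, embedded so the script runs offline.
RELAXED_POLICY = {                       # policy.json
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker": {"cp.icr.io/cp/cp4a": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPaths": ["/etc/pki/icp4a-pubkey-from-2024.gpg"]}]}},
}
STRICT_POLICY = {                        # policy-2.json
    "default": [{"type": "reject"}],
    "transports": {"docker": {"cp.icr.io/cp/cp4a": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "icp4a-pubkey-from-2024.gpg"}]}},
}

def load_policy(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)

def lookup_order(ref: str) -> list:
    """Scopes tried, most specific first, for a docker:// reference."""
    repo = ref.split("@", 1)[0]                  # drop @sha256:... digest
    host, _, path = repo.partition("/")
    if ":" in path:                              # drop :tag (a port lives in host)
        repo = host + "/" + path.rsplit(":", 1)[0]
    order = [ref] if ref != repo else []
    order.append(repo)
    while "/" in repo:
        repo = repo.rsplit("/", 1)[0]
        order.append(repo)
    return order

def requirements_for(policy: dict, ref: str):
    """(matching scope or None, requirement list) for a docker:// reference."""
    scopes = policy.get("transports", {}).get("docker", {})
    for scope in lookup_order(ref):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:
        return "", scopes[""]
    return None, policy["default"]

def verdict(policy: dict, ref: str) -> str:
    """Every requirement in the matching list must pass: one reject wins,
    otherwise any signature requirement applies, otherwise unsigned pulls pass."""
    types = {r["type"] for r in requirements_for(policy, ref)[1]}
    if "reject" in types:
        return "reject"
    if types & {"signedBy", "sigstoreSigned"}:
        return "signature required"
    return "insecureAcceptAnything"

def lint(policy: dict, path_exists=os.path.exists) -> list:
    """Findings a reviewer would raise before shipping this policy."""
    findings = []
    if not any(r["type"] == "reject" for r in policy.get("default", [])):
        findings.append("default is not 'reject': images outside the listed scopes pull unsigned")
    for scope, reqs in policy.get("transports", {}).get("docker", {}).items():
        for r in reqs:
            if r.get("type") != "signedBy":
                continue
            keys = r.get("keyPaths") or ([r["keyPath"]] if "keyPath" in r else [])
            if not keys and "keyData" not in r:
                findings.append(f"{scope}: signedBy without keyPath, keyPaths or keyData")
            for k in keys:
                if not os.path.isabs(k):
                    findings.append(f"{scope}: relative key path {k!r} resolves against the caller's cwd")
                elif not path_exists(k):
                    findings.append(f"{scope}: key file {k} not found")
    return findings

if __name__ == "__main__":
    refs = ["cp.icr.io/cp/cp4a/ban/navigator:24.0.1-amd64",
            "cp.icr.io/cp/cpd/some-operator:1.0",            # constructed reference
            "quay.io/example/app@sha256:" + "0" * 64]        # constructed reference
    for name, policy in (("policy.json", RELAXED_POLICY), ("policy-2.json", STRICT_POLICY)):
        for ref in refs:
            scope, _ = requirements_for(policy, ref)
            print(f"{name:13} {ref:55} scope={str(scope):20} {verdict(policy, ref)}")
        for finding in lint(policy, path_exists=lambda p: True):
            print(f"{name:13} lint: {finding}")
```

The output makes the difference between the two files concrete: under policy.json the constructed cp.icr.io/cp/cpd image resolves to no scope and is accepted unsigned, while under policy-2.json the same reference is rejected. Point load_policy at a real /etc/containers/policy.json and run lint with the default path_exists to catch key files that are referenced but missing on the host.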
Verifying key material
You need to verify the public key only once; you do not need to repeat the process when you apply the policy to multiple clusters. The checks below confirm that icp4a-pubkey-from-2024.gpg carries the same RSA public key as a code-signing certificate that DigiCert issued to IBM, and that this certificate is not revoked.
If you want to verify the icp4a-pubkey-from-2024.gpg file:
- Create a file icp4a-cert-from-2024.pem and add the following public certificate in the PEM format.
-----BEGIN CERTIFICATE-----
MIIHljCCBX6gAwIBAgIQBqryQeC8iRAuWmp8GI81ZDANBgkqhkiG9w0BAQsFADBp
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT
OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0
IDIwMjEgQ0ExMB4XDTI0MTAxMDAwMDAwMFoXDTI2MTAwOTIzNTk1OVowgZ0xCzAJ
BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGQXJtb25rMTQw
MgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0
aW9uMTQwMgYDVQQDEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENv
cnBvcmF0aW9uMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwDv232ns
+L3Y1yLmXzRaqTqQDh87PPRIQYLsRlR1HcdprRlGaDRGQd/xVlTviJZluXJWazUr
6AQwhdaFet1AwYmVHKBNZUtB7CkCboRCsWagVEWTgeRNdhI31W0usZ/kdxLm3XqQ
cJTcL9awqtrp+Cg4cWO6YZdIsANblrsZ+MlNCykPwfyf+o2S/3nEo5cyE2DbG3zs
JghXkYY5nksbjKG81nfQP3CwOrD4e7A080psiaf9u+nIdzIo7sRywHRBXUf6Fr8o
eFytOHUUUIdnnLCdpufhLEtQ3mGxYcHYLzBrQVc+n3wyiuwQTLf3LIE/cGV+AQ/e
ygzxXQLADTQueYqWCMTCogw67LhydXg9VKmlBnUzpzLk/gAtUX7I3G8cJdBSLX3U
NKwVBZhxMNak0nAzWvlkin5Y9/OpT1eYVp3jhufFBrtb0LhhyXIcHBmESA74HmAv
pcP6v4xAqoHi65ycfSVXDFJpE2w8X0wxnvNpiKm4sAd/P26ALoygqQpL2RYT+TiM
pRJsgn0Qmf9LpfIb80t5AoxuUEowVXB6JSu+fvgl2+smDWsJkGFYz5NSrjXumPk1
ZdJ7GKrUhI55JzuC0bCl9mR8ZAEophaiQo2wBEIhMdAdJmd0U1F0fdmP1Mu117br
MphpXgpFvmx7NhdPvYt9pfTbsYJfw+4NVssCAwEAAaOCAgMwggH/MB8GA1UdIwQY
MBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBTEsx2YOiP6YqWh6lsj
gTXn4F3PqjA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRw
Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM
MAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRp
Z2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNI
QTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
RGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0Ex
LmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
LmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNl
cnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0
MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAZv157KwX
lQBf4jjavOplJqEkGMjSe5o5PvJE1+vQkFHpuJ19Kw5fW5EgKHQunzXu0ae+UwRT
+sUl3XXiszZ3WUTL8PD/OAE1t3k9FHccIlhSuySKGecu0YE4b4cXhDcIzVh7Gic2
pBGgiD48+wg4JrnpFhol6fGFN5OJx30VJmSedgJ/fwADRyqAZCF1/xtU9HugmELg
7Hvbc+CFjeW5PLmdxLxf4zDX6LHEblXT9Pphria4aats0qe2DziMHIkZuBWDqBDa
wDbfRThezGeLtyQq+JHtl7t6/lMlEck/uKpnMlwNah7FE7vzxgCyGMBPhDJBsbVt
Q74U5SJqTGn9LpormoK5pXKKmwuEQqydurNrnL0Mqy4jnlRA/c77QedvGa+moo0R
EkxGOtXvydkzQnE/hXTFsGTFlhy1DVFvaKnBCJtY6YZLJ2VVRnCeQcwlTq1rzn4v
B0x7yb7XaN+Ww1R1wG3kfZ2VTi+cPCtDH9AEVsJZyJOMQ+u2corlOgpmz7nB2w1I
C8alYEIbrAfDq3Mg74Yu2jXyIPKxzZRlRAvx3n6cr8omtWNU7pIoN9Vm6q4+nH0+
7XzeF74EjXosS9AKseTyrHMuXOFQDT2nea2T3BpQyfluo5DzWEGit8Pz5IU7sFvT
6G2qgpCwQDwWS6ygsCyxzVcmb/3GIkcJ+xY=
-----END CERTIFICATE-----
- Create a file icp4a-issuer-from-2024.pem and add the following issuer certificates in the PEM format: the DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 intermediate certificate first, followed by the DigiCert Trusted Root G4 certificate.
-----BEGIN CERTIFICATE-----
MIIGsDCCBJigAwIBAgIQCK1AsmDSnEyfXs2pvZOu2TANBgkqhkiG9w0BAQwFADBi
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
RzQwHhcNMjEwNDI5MDAwMDAwWhcNMzYwNDI4MjM1OTU5WjBpMQswCQYDVQQGEwJV
UzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRy
dXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1bQvQtAorXi3XdU5WRuxiEL1
M4zrPYGXcMW7xIUmMJ+kjmjYXPXrNCQH4UtP03hD9BfXHtr50tVnGlJPDqFX/IiZ
wZHMgQM+TXAkZLON4gh9NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXzENOLsvsI
8IrgnQnAZaf6mIBJNYc9URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bqHPNlaJGi
TUyCEUhSaN4QvRRXXegYE2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTCfMjqGzLm
ysL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3S
vUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tv
k2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+
960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3s
MJN2FKZbS110YU0/EpF23r9Yy3IQKUHw1cVtJnZoEUETWJrcJisB9IlNWdt4z4FK
PkBHX8mBUHOFECMhWWCKZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0IU0F8WD1H
s/q27IwyCQLMbDwMVhECAwEAAaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAw
HQYDVR0OBBYEFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaAFOzX44LS
cV1kTN8uZz/nupiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEF
BQcDAzB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
Z2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu
Y29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYy
aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5j
cmwwHAYDVR0gBBUwEzAHBgVngQwBAzAIBgZngQwBBAEwDQYJKoZIhvcNAQEMBQAD
ggIBADojRD2NCHbuj7w6mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcTEp6QRJ9L
/Z6jfCbVN7w6XUhtldU/SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WTauPrINHV
UHmImoqKwba9oUgYftzYgBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9ntSZz0rd
KOtfJqGVWEjVGv7XJz/9kNF2ht0csGBc8w2o7uCJob054ThO2m67Np375SFTWsPK
6Wrxoj7bQ7gzyE84FJKZ9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0HKKlS43N
b3Y3LIU/Gs4m6Ri+kAewQ3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL6TEa/y4Z
XDlx4b6cpwoG1iZnt5LmTl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+16oh7cGvm
oLr9Oj9FpsToFpFSi0HASIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8M4+uKIw8
y4+ICw2/O/TOHnuO77Xry7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrFhsP2JjMM
B0ug0wcCampAMEhLNKhRILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy1lKQ/a+F
SCH5Vzu0nAPthkX0tGFuv2jiJmCG6sivqf6UHedjGzqGVnhO
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV
UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y
ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If
xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV
ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO
DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ
jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/
CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi
EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM
fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY
uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK
chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t
9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD
ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2
SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd
+SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc
fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa
sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N
cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N
0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie
4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI
r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
-----END CERTIFICATE-----
- Run the following commands to verify the GPG key and its issuer with the icp4a-cert-from-2024.pem and icp4a-issuer-from-2024.pem files. The first two checks work offline; the OCSP check needs network access to ocsp.digicert.com.
Table 2. Commands to verify certificate issuance and validity for icp4a-pubkey-from-2024.gpg
| Command | Description |
|---|---|
| openssl x509 -text -in icp4a-cert-from-2024.pem | Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the Subject names International Business Machines Corporation, that the Issuer is the DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, and that the validity period (10 October 2024 to 9 October 2026) covers the signing dates you care about. The icp4a-cert-from-2024.pem certificate is signed by DigiCert. |
| gpg2 -v --list-packets icp4a-pubkey-from-2024.gpg | Displays the packets of the GPG public key. Verify that pkey[0] is the same number as the Modulus shown for icp4a-cert-from-2024.pem. This confirms that icp4a-pubkey-from-2024.gpg is the public key (in GPG format) that belongs to the IBM Cloud Pak for Business Automation certificate. |
| openssl ocsp -no_nonce -issuer icp4a-issuer-from-2024.pem -cert icp4a-cert-from-2024.pem -VAfile icp4a-issuer-from-2024.pem -text -url http://ocsp.digicert.com | Queries DigiCert's Online Certificate Status Protocol (OCSP) responder for the status of icp4a-cert-from-2024.pem. Expect Response verify OK together with a status of good: the certificate is known to DigiCert and has not been revoked. |
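The gpg2 --list-packets check above tells you to compare the modulus by eye. The following script is an added example, not IBM's or GnuPG's code: it parses the armored key from this page directly (armor CRC24, OpenPGP packet headers, the RSA MPIs) and derives the v4 fingerprint and key ID itself, so the modulus, key ID and user ID you compare against the certificate come from code you can read rather than from a tool's output. It handles exactly what this key needs (a v4 RSA primary key, one user ID, its self-signature); subkeys and v5 keys are out of scope. The key constant is the page's key, copied verbatim.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# Added example, not IBM's or GnuPG's code: parse the armored key from this page
# far enough to reproduce what "gpg2 -v --list-packets" reports and to derive the
# v4 fingerprint and key ID, so the key can be cross-checked against the
# certificate's Modulus without trusting a single tool. RSA v4 primary keys only.
ICP4A_PUBKEY_2024 = """-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGcyQU0BEADAO/bfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo
NEZB3/FWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB
5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ/B
/J/6jZL/ecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A/cLA6sPh7sDTzSmyJp/27
6ch3MijuxHLAdEFdR/oWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f
fDKK7BBMt/csgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn
MuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG
u1vQuGHJchwcGYRIDvgeYC+lw/q/jECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw
B38/boAujKCpCkvZFhP5OIylEmyCfRCZ/0ul8hvzS3kCjG5QSjBVcHolK75++CXb
6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx
0B0mZ3RTUXR92Y/Uy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl/D7g1WywARAQAB
tC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t
PokCOgQTAQgAJAUCZzJBTQIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAK
CRC0lqyjOeABc5p+D/4uVq6HmZQ7B2oTYYBoOa6xBMdnI91GQPaoGRhAwAPzQh8W
jw5fNiBJCLPVzTCIh26MJUwBWLXSZtlBDIg7zFEgXqUMqtS4qMuLTnBHyovx30hQ
zJyH6DkCCeBTqS06oq2N3comsCk+pbLlHSEMZlDR1WrZE2omi7P42ET9wQn4Px+c
iHmy07qJDoV4HyZEYAJ6LSyEXy8l0XTaqhMEerrFMKcLQGXsy0y0Al4/kvmtSuyw
hZaAadMsaPV+2rSz8yfyjNUDf7ZPh2whelV3VYfaVHnuy7S+RRCFqAeOtIAxOpai
++hxazlf03mgnPQH7WGSvjaz8sWtEUUMYFE0mnwusrK0DObOXd76qghkifN1IRiS
bUPvfa15U1/CwC0C5xFRWQfgrX2EwqUYNMiHqKRYxz8+LEC+vdT03naLzyxpAKwM
6bZ2laNJYNofQd7dYU+Co4oWrCTGfFLD/LYnejzWYR7Drt5Ppz1qgW1q5J1Qi7+V
s7+w4ga8n61Ta2zaDcccgdn/TG0IO8bWnxgwKwZS8w3wj+GFx70o4fIlH++PhL1/
zdI2jfH4XqvjT+mx3LNpfEXUOquIl9ikkRZMG787lqdjr1L58YF9BdZPtqs5RufU
mGzh82sCEmw9GaSJiGQb/fcoSIolqbLmEj4Aqy/hA6QSthBu58CGLOs91SevQQ==
=Jn52
-----END PGP PUBLIC KEY BLOCK-----"""

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip the armor, verify the CRC24 trailer, return raw packet bytes."""
    body = [ln.strip() for ln in armored.strip().splitlines()][1:-1]
    if "" in body:                                      # skip optional armor headers
        body = body[body.index("") + 1:]
    crc_line, data = body[-1], base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC24 check failed")
    return data

def packets(data: bytes):
    """Yield (tag, body); old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255: length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else: raise ValueError("partial-length packets not supported")
        else:                                           # old-format header
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
            if n == 8: raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def read_mpi(body: bytes, i: int):
    bits = struct.unpack(">H", body[i:i + 2])[0]
    n = (bits + 7) // 8
    return int.from_bytes(body[i + 2:i + 2 + n], "big"), bits, i + 2 + n

def inspect_key(armored: str) -> dict:
    """Primary key summary; fingerprint = SHA-1(0x99, 2-byte length, key body)."""
    info = {"signature_types": []}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and "fingerprint" not in info:      # primary public key
            if body[0] != 4 or body[5] != 1: raise ValueError("only v4 RSA keys handled")
            n, nbits, i = read_mpi(body, 6)
            e, _, _ = read_mpi(body, i)
            fp = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            created = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], timezone.utc)
            info.update(algo="RSA", bits=nbits, exponent=e, modulus_hex=f"{n:X}",
                        created=created.isoformat(), fingerprint=fp, key_id=fp[-16:])
        elif tag == 13:                                 # user ID
            info["user_id"] = body.decode("utf-8")
        elif tag == 2:                                  # signature; 0x13 = positive cert
            info["signature_types"].append(body[1])
    return info

if __name__ == "__main__":
    print({k: v for k, v in inspect_key(ICP4A_PUBKEY_2024).items() if k != "modulus_hex"})
```

Compare modulus_hex with the Modulus that openssl x509 -text prints for icp4a-cert-from-2024.pem (openssl prints it as colon-separated bytes with a leading 00), and compare fingerprint with gpg2 --show-keys icp4a-pubkey-from-2024.gpg. If you ever need to pin the key in a policy by identity rather than by file, key_id is the value that gpgme reports in the Fingerprint field of the error shown above when a signature was made by a key that is not in the configured file.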
Cleaning up local images and caches
Before you test signature enforcement, remove the Cloud Pak images from the local container storage of each node, even if your image pull policy is "always". An image that is already present locally is not pulled again, so no signature verification takes place for it.
for node in $(oc get no -l node-role.kubernetes.io/worker --no-headers -o name); do
oc debug $node -- chroot /host sh -c "podman images | grep -e 'cp.icr.io/cp/cp4a' | awk '{print \$3}' | xargs podman rmi -f "
done
Scanning for vulnerabilities
All the container images pass rigorous image vulnerability scans during the development lifecycle, but new vulnerabilities are discovered almost every day. It is likely that most of the vulnerabilities that you find are related to the Linux kernel or to a few embedded packages. IBM tracks these vulnerabilities and provides fixes for them in fix packs or subsequent releases. To find out more, you can contact IBM support.