Verifying image signatures

Digital signatures provide a way for consumers of content to ensure that what they download is both authentic (it originated from the expected source) and has integrity (it is what we expect it to be). All images for IBM Cloud Pak® for Integration are signed. This page describes how to verify the signatures on those images.

Prerequisites

To perform signature verification:

  • Your machine must have the command line tools used in the procedure below, gpg2 (GnuPG) and skopeo, installed (they can usually be installed on Linux using the package manager).

  • The IBM Cloud Pak for Integration PGP public key must exist on the same machine. Copy the public key block exactly as IBM provides it (the armored text beginning with -----BEGIN PGP PUBLIC KEY BLOCK-----) into a text editor, and save it in a file named cp4i-public.gpg.

  • You must have a list of images to verify. To get a list of container images used in Cloud Pak for Integration, refer to the procedure in Downloading container images. In the procedure below, we use the example image icr.io/cpopen/ibm-cp-integration-catalog:1.3.0-2021-00-00-0000-00000000.
    Note: This tag is an example for demonstration purposes; it is not a real tag. Obtain the most up-to-date image names and tags using the procedure in the article above.

Procedure

  1. Import the Cloud Pak for Integration public key on the machine you prepared according to the Prerequisites section above:

    sudo gpg2 --import cp4i-public.gpg
    Note: This step needs to be done only once on each machine you use for signature verification. Because the command runs under sudo, the key is imported into the root user's keyring rather than your own, which is why the later gpg2 and skopeo commands are also run with sudo.
  2. Calculate the fingerprint:

    fingerprint=$(sudo gpg2 --fingerprint --with-colons cp4i | grep fpr | tr -d 'fpr:')

    This command stores the key's fingerprint (a 40-character hexadecimal string) in a shell variable called fingerprint, which is needed for the command that verifies the signature. When you exit your shell session, the variable is deleted. The next time you log in to your machine, you can set it again by rerunning the command.

  3. Create a directory for the image and use skopeo to pull it into local storage:

    mkdir images
    skopeo copy docker://icr.io/cpopen/ibm-cp-integration-catalog:1.3.0-2021-00-00-0000-00000000 dir:./images
    This command downloads the image as a set of files and places them in the images directory (or another directory that you choose).
    Note: There is a manifest file named images/manifest.json, and a signature file named images/signature-1. You reference both these files in the next step (in the command to verify the signature).
  4. Verify the signature:

    sudo skopeo standalone-verify ./images/manifest.json icr.io/cpopen/ibm-cp-integration-catalog:1.3.0-2021-00-00-0000-00000000 ${fingerprint} ./images/signature-1

    If the signature verifies, you get a confirmation similar to this (the digest shown here is a placeholder; the real one is the sha256 digest of the image manifest):

    Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000
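The steps above collected into one script, as an added example that is not part of IBM's documentation. It assumes gpg2 and skopeo are installed and that the key was imported with sudo as in step 1; it replaces the grep/tr fingerprint extraction with an awk filter that keeps only the primary key's fpr record, and it checks that the pulled image actually carries a signature before calling standalone-verify (the sample keyring output and fingerprints are constructed placeholders).

```shell
#!/bin/sh
# Added example, not IBM's own script. Assumes gpg2 and skopeo are on PATH
# and the CP4I key was imported into root's keyring as in step 1.
set -eu

# Read "gpg2 --fingerprint --with-colons" output on stdin and print the
# primary key fingerprint (field 10 of the first "fpr" record) only.
# Unlike "grep fpr | tr -d 'fpr:'", this ignores any subkey fpr records,
# so the result is always a single 40-hex-digit value.
primary_fingerprint() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Look up the fingerprint of a key in root's keyring by user ID (e.g. "cp4i").
key_fingerprint() {
  sudo gpg2 --fingerprint --with-colons "$1" | primary_fingerprint
}

# Pull an image into a directory with skopeo and verify its detached
# signature against the given fingerprint. Fails if the image is unsigned
# (no signature-1 was stored) or if standalone-verify rejects the signature.
verify_image() {
  image="$1"; fpr="$2"; dir="${3:-./images}"
  mkdir -p "$dir"
  skopeo copy "docker://$image" "dir:$dir"
  if [ ! -f "$dir/signature-1" ]; then
    echo "no signature-1 in $dir: image $image is unsigned" >&2
    return 1
  fi
  sudo skopeo standalone-verify "$dir/manifest.json" "$image" "$fpr" "$dir/signature-1"
}

# Constructed sample of --with-colons output for a key with one subkey;
# the all-zero and all-one fingerprints are placeholders, not real keys.
SAMPLE_COLONS='pub:-:2048:1:0000000000000000:1594792064::::::scESC::::::::
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1594792064::0000000000000000000000000000000000000000::cp4isign::::::::::0:
sub:-:2048:1:1111111111111111:1594792064::::::e::::::23::
fpr:::::::::1111111111111111111111111111111111111111:'

# Usage: ./verify.sh <image-reference>
if [ "${1:-}" != "" ]; then
  verify_image "$1" "$(key_fingerprint cp4i)"
fi
```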