Verify an IBM z/OS Connect Designer image signature

Digital signatures provide a way to ensure that an image is both authentic (it originated from the expected source) and has integrity (it is what it's expected to be). IBM® z/OS Connect images are signed and this topic describes how to verify the signatures on those images.

Before you begin

Applies to zosConnect-3.0.

Applies to z/OS Connect container deployments.

z/OS Connect images are signed. If you need to verify the image signatures, complete the following procedure. Enabling signature verification when container images are pulled to a host system can be automated. For information on automating image signature verification, see Verifying image signing for Red Hat® Container Registry.

Some of the steps in this procedure use gpg. GPG2 is the extended version of GPG, and the gpg2 command can be used instead of gpg.

The following tasks must be completed.
  1. Optional: Verifying the z/OS Connect image signature is an optional step. If you need to verify the z/OS Connect signed images, you must install the command-line tools that this procedure uses: gpg (or gpg2) and skopeo.
  2. The z/OS Connect public key must exist on the same machine as the command-line tools.

    Copy the following text block exactly as shown into a text editor, and save it in a file named PRD0012028key.pub.asc:
Note: You must have an image to verify. To get a z/OS Connect Designer image, refer to the procedure in Download the IBM z/OS Connect Designer image.

Procedure

  1. Import the z/OS Connect public key on the machine that you prepared according to the Before you begin section:
    sudo gpg --import PRD0012028key.pub.asc
    This step needs to be done only once on each machine you use for signature verification.
  2. Calculate the fingerprint:
    fingerprint=$(sudo gpg --fingerprint --with-colons | grep -B1 'IBM z/OS Connect Enterprise Edition Unlimited' | grep fpr | tr -d 'fpr:')

    This command stores the key's fingerprint in a shell variable that is called fingerprint, which is needed to verify the signature. When you exit your shell session, the variable is deleted. The next time that you log in to your machine, you can set it again by rerunning the command.

  3. Create a directory for the image and use skopeo to pull it into local storage:
    mkdir images

    sudo skopeo copy docker://icr.io/zosconnect/ibm-zcon-designer:3.0.101 dir:./images -a

    This command downloads the image as a set of files and places them in the images directory (or another directory that you choose). If the source image is a manifest list that covers several architectures, the -a (--all) option copies all of the images.

    Tip: Among these files are a manifest file, images/manifest.json, and a signature file, images/signature-1. You reference both of these files in the next step (in the command to verify the signature).
  4. Verify the signature:

    sudo skopeo standalone-verify ./images/manifest.json icr.io/zosconnect/ibm-zcon-designer:3.0.101 ${fingerprint} ./images/signature-1

    The confirmation output should be similar to:

    Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000
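    The same procedure as one POSIX shell script, an added example that is not part of the IBM documentation. It assumes gpg and skopeo are installed for the verify_image function; the fingerprint extraction can be exercised on captured gpg output without either tool, and it checks that the fingerprint was actually found instead of passing an empty string to skopeo.

```shell
#!/bin/sh
# Added example: not IBM's code. Parses `gpg --with-colons` output for the
# z/OS Connect key, validates the fingerprint, then runs the skopeo steps.

ZCON_UID='IBM z/OS Connect Enterprise Edition Unlimited'

# Usage: extract_fingerprint < colon-delimited-gpg-output
# In --with-colons output the "fpr" record precedes the "uid" record of the
# same key; field 10 holds the fingerprint (fpr) or the user ID (uid).
# Prints the fingerprint of the key whose uid contains ZCON_UID; returns 1
# (printing nothing) if no such key is present.
extract_fingerprint() {
    awk -F: -v want="$ZCON_UID" '
        $1 == "fpr" { last_fpr = $10 }
        $1 == "uid" && index($10, want) > 0 && last_fpr != "" {
            print last_fpr; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# A version 4 OpenPGP fingerprint is exactly 40 uppercase hex digits.
is_valid_fingerprint() {
    case "$1" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Usage: verify_image IMAGE_REF DIR
# e.g. verify_image icr.io/zosconnect/ibm-zcon-designer:3.0.101 ./images
# Needs gpg (with the z/OS Connect key imported), skopeo and network access.
verify_image() {
    image="$1"
    dir="$2"
    fpr=$(gpg --fingerprint --with-colons | extract_fingerprint) \
        || { echo "z/OS Connect public key is not imported" >&2; return 1; }
    is_valid_fingerprint "$fpr" \
        || { echo "unexpected fingerprint format: $fpr" >&2; return 1; }
    mkdir -p "$dir"
    # -a copies every architecture when the source is a manifest list.
    skopeo copy -a "docker://$image" "dir:$dir" || return 1
    skopeo standalone-verify "$dir/manifest.json" "$image" "$fpr" \
        "$dir/signature-1"
}
```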

Results

The IBM Cloud Container Registry image is in your local docker registry. Validate by running the following command:
$ docker image ls

REPOSITORY                             TAG       IMAGE ID       CREATED      SIZE
icr.io/zosconnect/ibm-zcon-designer    3.0.101   6d2af17d10bd   1 days ago   979MB
Note: Image size varies depending on the release.