Security Considerations

The following sections describe the key considerations to successfully secure your deployments on Red Hat OpenShift.

Verifying Signatures of Application Modernization Accelerator Artifacts

The public keys, certificates and certificate chains that are required for verifying the Application Modernization Accelerator signatures are available for download here: taPublicKeys.zip

Unzip the archive to access the following files:

  • PRD0004063key.pem.cer
  • PRD0004063key.pem.chain
  • PRD0004063key.pem.pub.key
  • PRD0004063key.pub.asc

Subsequent sections describe how to use these files to verify the Application Modernization Accelerator artifact signatures.

Verifying Application Modernization Accelerator Image Signatures

The Application Modernization Accelerator AMD64 images are signed using GPG simple signing. The signature can be verified by the skopeo or podman tools as follows:

  1. Create a policy.json file that configures the verification. For example:

    {
        "default": [{"type": "reject"}],
        "transports": {
            "docker": {
                "cp.icr.io/cp/icpa": [{
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
                }],
                "icr.io/cpopen": [{
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
                }],
                "icr.io/appcafe": [{
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
                }]
            }
        }
    }
  2. Method 1: Verify using skopeo copy...

    skopeo copy --policy ~/policy.json docker://cp.icr.io/cp/icpa/transformation-advisor-ui@sha256:1234... dir:./image-dir --src-creds iamapikey:<MY_API_KEY>
  3. Method 2: Verify using podman pull...

    podman pull --signature-policy ~/policy.json cp.icr.io/cp/icpa/transformation-advisor-ui@sha256:1234..

See the Red Hat OpenShift Container Platform documentation for information on configuring your OpenShift cluster to verify image signatures.

Verifying Application Modernization Accelerator Local Zip Signature

For more information on Application Modernization Accelerator Local, and how to download the zip file, see Installing IBM Application Modernization Accelerator on RHEL.

When downloading the zip, also download the accompanying <filename>.zip.cosign.sig file so that you can verify the integrity of the zip file.

There are three ways to verify the signature, according to preference. The public keys, certs and chains needed for the following steps can be downloaded from the links at the start of this section.

Method 1: Using the PEM encoded public key

Prerequisites:

  • cosign utility (to install, see https://github.com/sigstore/cosign/releases)
  • The PEM public key: PRD0004063key.pem.pub.key
  • The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
  • The zip artifact: transformationAdvisor-${VERSION}.zip

cosign verify-blob --key PRD0004063key.pem.pub.key --signature transformationAdvisor-${VERSION}.zip.cosign.sig transformationAdvisor-${VERSION}.zip

Method 2: Using the PEM encoded public certificate

Prerequisites:

  • cosign utility (to install, see https://github.com/sigstore/cosign/releases). Version 1.x of cosign is recommended. If you use version 2 or later, you must add the flag --insecure-ignore-tlog=true when verifying.
  • The PEM public certificate: PRD0004063key.pem.cer
  • The certificate chain: PRD0004063key.pem.chain
  • The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
  • The zip artifact: transformationAdvisor-${VERSION}.zip

cosign verify-blob --cert PRD0004063key.pem.cer --cert-chain PRD0004063key.pem.chain --signature transformationAdvisor-${VERSION}.zip.cosign.sig transformationAdvisor-${VERSION}.zip

Method 3: Using the PEM encoded public key with openssl

Prerequisites:

  • openssl
  • The PEM public key: PRD0004063key.pem.pub.key
  • The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
  • The zip artifact: transformationAdvisor-${VERSION}.zip

openssl enc -d -A -base64 -in transformationAdvisor-${VERSION}.zip.cosign.sig -out ./transformationAdvisor-${VERSION}.zip.bytes.sig
openssl dgst -verify PRD0004063key.pem.pub.key -keyform PEM -sha256 -signature ./transformationAdvisor-${VERSION}.zip.bytes.sig -binary transformationAdvisor-${VERSION}.zip
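The script below is an added rehearsal of Method 3 and is not part of the IBM documentation: it generates a throwaway ECDSA P-256 key pair and a constructed stand-in for the zip, produces a cosign-style base64 signature over the SHA-256 digest, and then runs the same two openssl commands once against the intact file and once against a tampered copy. It assumes openssl is on PATH; signer.pub.key and artifact.zip are placeholders for PRD0004063key.pem.pub.key and the real transformationAdvisor-${VERSION}.zip.

```shell
#!/bin/sh
# Added example, not from the IBM docs. Rehearses the Method 3 openssl
# verification against locally generated material so the command pair can
# be checked before it is run on the real artifact. Assumes openssl on PATH.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed stand-ins: a dummy "zip" and an ECDSA P-256 key pair, the key
# type cosign uses for key-based blob signing (placeholder for PRD0004063key).
printf 'constructed-zip-content' > artifact.zip
openssl ecparam -name prime256v1 -genkey -noout -out signer.key 2>/dev/null
openssl ec -in signer.key -pubout -out signer.pub.key 2>/dev/null

# Produce a cosign-style .cosign.sig: base64 of the DER ECDSA signature
# over the SHA-256 digest of the blob.
openssl dgst -sha256 -sign signer.key -out artifact.zip.bytes.sig artifact.zip
openssl base64 -A -in artifact.zip.bytes.sig -out artifact.zip.cosign.sig

# Tampered copy: one extra byte appended, so the digest no longer matches.
cp artifact.zip tampered.zip
printf 'x' >> tampered.zip

# verify_zip PUBKEY SIGFILE ZIP: exactly the Method 3 command pair.
# Prints "ok" and returns 0 on success, prints "FAIL" and returns 1 otherwise.
verify_zip() {
    pub=$1; sig=$2; zip=$3
    openssl enc -d -A -base64 -in "$sig" -out "$zip.bytes.sig"
    if openssl dgst -verify "$pub" -keyform PEM -sha256 \
            -signature "$zip.bytes.sig" -binary "$zip" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo FAIL
    return 1
}

verify_zip signer.pub.key artifact.zip.cosign.sig artifact.zip          # prints ok
verify_zip signer.pub.key artifact.zip.cosign.sig tampered.zip || true  # prints FAIL
```

Substitute the real public key, signature and zip names to run the same function against the downloaded artifact; any non-zero exit means the zip must not be installed.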