Verifying images

Use this information to verify the signatures on the IBM Cloud Pak® for Watson AIOps images.

Digital signatures provide a way for consumers of content to ensure that what they download is authentic (it originated from the expected source) and has integrity (it is what it is expected to be). All images for IBM Cloud Pak for Watson AIOps are signed.

Prerequisites

  • Ensure that these command line tools are installed (they can usually be installed on Linux® with the package manager):

    • GNU Privacy Guard v2 (package name gpg2)
    • OpenSSL (package name openssl)
    • skopeo
  • The IBM Cloud Pak for Watson AIOps public key must exist on the same machine as the command line tools. Copy the following text block exactly as shown into a text editor, and save it in a file named cp4waiops-public.pub.asc:

  • You must have a list of images to verify. To get a list of container images used in Cloud Pak for Watson AIOps, refer to the procedure in Downloading or listing container images. In the following procedure, the example image cp.icr.io/cp/cp4waiops/node-server:v3.7.0-00000000.0000-000000000 is used.

    Note: This tag is an example for demonstration purposes; it is not a real tag. Obtain the most up-to-date image names and tags with the procedure in Downloading or listing container images.

Procedure

  1. Log in to the entitled registry cp.icr.io so that you can pull images from that registry.

    podman login cp.icr.io --username cp --password <entitlement_key>
    

    If you need to obtain the entitlement key that is assigned to your ID, complete the following steps:

    1. Log in to MyIBM Container Software Library with the IBMid and password that are associated with the entitled software.
    2. In the Entitlement keys section, select Copy key to copy the entitlement key to the clipboard.
  2. Import the IBM Cloud Pak for Watson AIOps public key on the machine that you prepared according to the Prerequisites section:

    sudo gpg2 --import cp4waiops-public.pub.asc
    

    Note: This step needs to be done only once on each machine you use for signature verification.

  3. Calculate the fingerprint:

    fingerprint=$(sudo gpg2 --fingerprint --with-colons "IBM Cloud Pak for Watson AIOps" | awk -F: '/^fpr:/ {print $10}')
    

    This command stores the key's fingerprint in a shell variable called fingerprint, which is needed for the command to verify the signature. When you exit your shell session, the variable is deleted. The next time that you log in to your machine, you can set it again by rerunning the command.

  4. Create a directory for the image and use skopeo to pull it into local storage:

    mkdir -p "$HOME/images"
    skopeo copy docker://cp.icr.io/cp/cp4waiops/node-server:v3.7.0-00000000.0000-000000000 "dir:$HOME/images"
    

    This command downloads the image as a set of files and places them in the images directory (or another directory that you choose).

    Note: There is a manifest file named images/manifest.json, and a signature file named images/signature-1. You reference both these files in the next step (in the command to verify the signature).

  5. Verify the signature:

    for SIGNATURE in "$HOME"/images/signature-*; do
        # Stop at the first signature that verifies against the manifest and image reference
        if skopeo standalone-verify "$HOME/images/manifest.json" cp.icr.io/cp/cp4waiops/node-server:v3.7.0-00000000.0000-000000000 "${fingerprint}" "$SIGNATURE" 2> /dev/null; then
            break
        fi
    done
    

    If the signature is verified, you get a confirmation similar to the following output. Otherwise, no output is provided:

    Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000
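
Steps 4 and 5 applied to a whole list of images, as an added example that is not part of IBM's documentation: it fails closed when the fingerprint variable is empty or an image has no valid signature. The function names verify_dir and verify_images are hypothetical, and the script assumes that skopeo runs as the user whose GPG keyring holds the imported key.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code). verify_dir and verify_images are hypothetical names.

# verify_dir DIR REF FPR
# Returns 0 if any DIR/signature-* is a valid signature by key FPR over
# DIR/manifest.json for image reference REF; 1 if none is; 2 on bad input.
verify_dir() {
    local dir ref fpr sig
    dir=$1 ref=$2 fpr=$3
    # An unset $fingerprint (for example in a new shell session) must not pass silently.
    [ -n "$fpr" ] || { echo "error: empty key fingerprint" >&2; return 2; }
    [ -f "$dir/manifest.json" ] || return 1
    for sig in "$dir"/signature-*; do
        [ -f "$sig" ] || continue   # glob matched nothing: the image is unsigned
        if skopeo standalone-verify "$dir/manifest.json" "$ref" "$fpr" "$sig" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# verify_images FPR REF...
# Pulls each image into its own temporary directory, verifies it, prints one
# result line per image, and returns non-zero if any image failed.
verify_images() {
    local fpr ref tmp failed
    fpr=$1 failed=0
    shift
    for ref in "$@"; do
        tmp=$(mktemp -d) || return 2
        if skopeo copy "docker://$ref" "dir:$tmp" >/dev/null 2>&1 &&
           verify_dir "$tmp" "$ref" "$fpr"; then
            echo "VERIFIED $ref"
        else
            echo "FAILED   $ref"
            failed=1
        fi
        rm -rf "$tmp"
    done
    return "$failed"
}

# Usage, with $fingerprint set as in step 3:
#   verify_images "$fingerprint" cp.icr.io/cp/cp4waiops/node-server:v3.7.0-00000000.0000-000000000
```

The non-zero return status makes the check usable as a gate in a mirroring or deployment script.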