Verifying images

Use this information to verify the signatures on the IBM Cloud Pak® for AIOps images.

Digital signatures provide a way for consumers of content to ensure that what they download is authentic (it originated from the expected source) and has integrity (it is what it is expected to be). All images for IBM Cloud Pak for AIOps are signed.

Prerequisites

  • Ensure that the following command line tools are installed (on Linux® they can usually be installed with the package manager):

    • GNU Privacy Guard v2 (package name gpg2)
    • OpenSSL (package name openssl)
    • skopeo
  • The IBM Cloud Pak for AIOps public key must exist on the same machine as the command line tools. Copy the following text block exactly as shown into a text editor, and save it in a file named cp4waiops-public.pub.asc:

  • You must have a list of images to verify. To get a list of container images used in Cloud Pak for AIOps, refer to the procedure in Downloading or listing container images. In the following procedure, the example image cp.icr.io/cp/cp4waiops/node-server:v3.7.0-00000000.0000-000000000 is used.

    Note: This tag is an example for demonstration purposes; it is not a real tag. Obtain the most up-to-date image names and tags with the procedure in Downloading or listing container images.

Procedure

  1. Log in to the entitled registry cp.icr.io so that you can pull images from that registry.

    podman login cp.icr.io --username cp --password <entitlement_key>
    

    If you need to obtain the entitlement key that is assigned to your ID, complete the following steps:

    1. Log in to MyIBM Container Software Library with the IBMid and password that are associated with the entitled software.
    2. In the Entitlement keys section, select Copy key to copy the entitlement key to the clipboard.
  2. Import the IBM Cloud Pak for AIOps public key on the machine that you prepared according to the Prerequisites section:

    sudo gpg2 --import cp4waiops-public.pub.asc
    

    Note: This step needs to be done only once on each machine you use for signature verification.

  3. Calculate the fingerprint:

    fingerprint=$(sudo gpg2 --fingerprint --with-colons IBM Cloud Pak for AIOps | awk -F: '$1 == "fpr" { print $10; exit }')


    This command stores the fingerprint of the primary key (the first fpr record of the colon-separated output) in a shell variable called fingerprint, which is needed for the command that verifies the signature. The variable is lost when you exit your shell session; the next time that you log in to your machine, set it again by rerunning the command.

  4. Create a directory for the image and use skopeo to pull it into local storage:

    mkdir -p $HOME/images
    skopeo copy docker://cp.icr.io/cp/cp4waiops/node-server:v3.7.0-00000000.0000-000000000 dir:$HOME/images


    This command downloads the image as a set of files and places them in the images directory (or another directory that you choose).

    Note: There is a manifest file named images/manifest.json, and a signature file named images/signature-1. You reference both these files in the next step (in the command to verify the signature).

  5. Verify the signature:

    for SIGNATURE in $HOME/images/signature-*; do
        if skopeo standalone-verify $HOME/images/manifest.json cp.icr.io/cp/cp4waiops/node-server:v3.7.0-00000000.0000-000000000 ${fingerprint} $SIGNATURE 2> /dev/null; then
            break
        fi
    done


    If the signature is verified, you get a confirmation similar to the following output. Otherwise, no output is provided:

    Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000
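The whole procedure as one script, added here as an example and not code from the IBM documentation: it takes the primary-key fingerprint from gpg's colon output (step 3), pulls each listed image into its own directory, and accepts an image only when one of the stored signature files verifies against that fingerprint (steps 4 and 5), exiting non-zero otherwise. The function names, the constructed gpg sample output and the list file name images.txt are assumptions; gpg2 and skopeo are assumed to be on PATH and the key imported as in step 2.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM docs): steps 3 to 5 over a list of images, failing closed.
set -u
# Primary-key fingerprint = FIRST "fpr" record, field 10 of gpg colon output;
# later fpr records belong to subkeys and must not be concatenated into the value.
primary_fingerprint() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}
# Digest from skopeo's confirmation line; prints nothing for any other output.
verified_digest() {
  sed -n 's/^Signature verified, digest \(sha256:[0-9a-f]\{64\}\)$/\1/p'
}
# Pull image $1 into directory $3; accept it only if one stored signature file
# verifies against fingerprint $2. Prints the digest on success, returns 1 otherwise.
verify_image() {
  local image=$1 fingerprint=$2 dir=$3 sig out
  skopeo copy "docker://$image" "dir:$dir" >/dev/null 2>&1 || return 1
  for sig in "$dir"/signature-*; do
    [ -e "$sig" ] || break  # glob did not match: no signatures were stored
    if out=$(skopeo standalone-verify "$dir/manifest.json" "$image" \
               "$fingerprint" "$sig" 2>/dev/null); then
      printf '%s\n' "$out" | verified_digest
      return 0
    fi
  done
  return 1
}
# Constructed gpg colon output (key ids, fingerprints and user id are made up) to
# exercise primary_fingerprint offline: the subkey fpr on the last line must be ignored.
SAMPLE_COLONS='pub:-:4096:1:0000000000000000:1700000000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example Key <example@example.invalid>::::::::::0:
sub:-:4096:1:1111111111111111:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'
# Usage: main images.txt (one image reference per line; assumed file name).
main() {
  local fp image digest failed=0
  fp=$(sudo gpg2 --fingerprint --with-colons IBM Cloud Pak for AIOps | primary_fingerprint)
  [ -n "$fp" ] || { echo "public key not in keyring; repeat step 2" >&2; return 2; }
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    if digest=$(verify_image "$image" "$fp" "$(mktemp -d)"); then
      echo "VERIFIED   $image $digest"
    else
      echo "UNVERIFIED $image" >&2; failed=1
    fi
  done < "${1:-images.txt}"
  return "$failed"
}
```

Because stderr of skopeo standalone-verify is discarded, an image that fails is reported only as UNVERIFIED; rerun the verify command by hand without the redirect to see the reason.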