Verifying container image integrity

Container images for IBM Cloud Pak® for Business Automation are signed by using GPG keys. You can verify the integrity of these images by validating the signatures when you pull images with Linux command-line tools. In Red Hat OpenShift, you can create a policy that enforces signature validation when your worker nodes pull images.

About this task

IBM Cloud Pak for Business Automation provides container images in the IBM® Entitled Registry that are signed following the approach from Red Hat. You can use the signature to verify that the images come from IBM when they are pulled onto the system. For more information about the signature verification, see Verifying signatures of Red Hat container images.

Cloud Pak for Business Automation installs a number of dependencies, such as IBM Cloud Pak foundational services, which has its own signature validation process.

Red Hat OpenShift can be configured to verify container image signatures when images are pulled from a specific location. See Container image signatures for details about Red Hat's signatures of Red Hat OpenShift images. Images for IBM Cloud Pak for Business Automation are signed by using GPG keys whose public key material is also certified by an X.509 code-signing certificate that chains to a DigiCert root; the Verifying key material section shows how to check that correspondence. The signing key changed multiple times, so the signature policy must list every key that covers the image versions in your cluster.

The following sections describe how to verify the IBM Cloud Pak for Business Automation signature on the container images.

Creating files that contain GPG public keys to pull images

Create a set of files that contain, in GNU Privacy Guard (GPG) armored format, the public halves of the keys that IBM uses to sign the Cloud Pak for Business Automation container images. Four GPG public keys exist for the container images; which one verifies a given image depends on when the image was released.
Table 1. Files for the four public GPG keys

File name for GPG key          Images covered
icp4a-pubkey-upto-2021.gpg     Released before August 2021 (up to and including 21.0.1-IF004).
icp4a-pubkey-2021-2023.gpg     Released between August 2021 and March 2023 (up to and including 21.0.3-IF018 and 22.0.2-IF002).
icp4a-pubkey-from-2023.gpg     Released between March 2023 and November 2024 (up to and including 24.0.0-IF003).
icp4a-pubkey-from-2024.gpg     Released in December 2024 and later (starting with 24.0.0-IF004).

  1. Create a file icp4a-pubkey-upto-2021.gpg and add the following public key in GPG format. This key verifies images that were released before August 2021 (up to and including 21.0.1-IF004). Such images might run in the same cluster as more recent versions.
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQENBF0UBwABCADAk2QMLvahhx2owpDyasQo0E36I7VM/YdK1J9lAAgsHBJFvn/P
    0PznCfnnFAw2cCj49ftYBN8orxJOSkuQE3p3hz/g21C9jrsrqwoNfNbo5WRUsIxA
    0hL9ywV8EvuOLAKdNY0ACOBHv2g82KSa/bZMg3bPA3Ir1jZZ3jjQrAzwAzvhp2Bo
    v5FwU0xYqm9DwCb/d4yYaEJ28jFWrwGdRnVHuoohu5PyUoQMpt4rwiU1yb3CabaN
    EpGo4ZF2/07sVdhSv1ieqfQMa/rC6XcFALygt/vxzQDeSkPlxWb8wBqzq/sgI5Jb
    wG6I55f3EMP67d/vWzA62FNbXk8DWMRLzWDHABEBAAG0BWljcDRhiQE5BBMBCAAj
    BQJdFAcAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQcjTsJWhPPpnT
    hgf/ZYjAuPqiiHtJkmm1Nrw5HSCKHMsiHwUc1y5lb+J+xxfz7B3Jm07r/R82h6zI
    ZNnUTpgWzbEM7NazSAPcfL/KQXd3jw713hIXr2D4wzyMnvVAPJz0U/FUXDkZeTil
    U04PT4T9BF5b+kIh560TuouY4bot2QFhuBMnKasLMMrXx1PXbySH9OHWc5bnx3J6
    j+/d7TMj7MsdVgraoqmPtM68fOQUXyn0FCsx2M4kQRllGp7Wv0rIXVVh5lbT7VFs
    OP+8LBBj1DEfCuffQc/21jO4DkC3nalWhXW5jAcAnTLlzKWsAxm/YJLfRYzeAOHa
    mgv9nt/uDfwf0GasJw0cEeNq0A==
    =9hbX
    -----END PGP PUBLIC KEY BLOCK-----
  2. Create a file icp4a-pubkey-2021-2023.gpg (the name that the policy files in this topic reference) and add the following public key in GPG format. This key verifies images that were released between August 2021 and March 2023 (up to and including 21.0.3-IF018 and 22.0.2-IF002).
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQENBGChsgABCADZ1OhWUebPgUYn8V2GDYpWeTKu8Yq2ghAIgooas8mAqdK8Bxid
    oA6X4KcPY+RwXvVGjIfaVfR2pAqw6ZwwwVZ5CEo1eTtf9gGfdchYE7+beTOGTuzk
    5uhz86fpYvmq7TVki2SnpsF40LnqcHGkOyQ1Lqcys4J+6qAYSv43sgOWvlTr/GJS
    nDbqpES0N/4Lk2s4nb2iPJqB4zpwj1dtWJXvxLReclV5KFgrdpikHTfUgrxt1HbU
    NgRpXd8XLT8ovoP0I32Qc/ayyUGHon/vdNOMwHDLyXstwkqB70SEU/772bsUA7e0
    l+w7T4HubOEEvwoRWtsoNBXWFB++0PxLDurPABEBAAG0BWljcDRhiQE5BBMBCAAj
    BQJgobIAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQfFz5ejnxNlAc
    PwgAxA7Jh6a4IKzlkLtI5FXabjZMVu81HjtrgRd4ZxnjciOHwdtjPaNZLd8HoSko
    MniMWlUdHsyzFiBAQG1ohSg2CzotzwJe5m0zH09bji7P6DLd39tWraolOaqbHdZS
    gLhNf50xfqVcq8uw/v/mFsc8eSczdrcxVH3wlWzczdmPGHFLnHsbhAlIJ/PLzN1l
    H/Nlm259peZ7V5uAIcq1wLLKvpRWYU0/weGXfcnQYKHkEPHWDNv+kRjD8Q89Vby+
    iDbn11I2GoJQeWYzCA7CXGrdeXO57MHSDOULQh22Aioq3CxmV3CRUCmATMYHw9oT
    RWIGtCYOx2BHh1HRAeB1vlOzIw==
    =SIpv
    -----END PGP PUBLIC KEY BLOCK-----
  3. Create a file icp4a-pubkey-from-2023.gpg and add the following public key in GPG format. This key verifies images that were released between March 2023 and November 2024 (up to and including 24.0.0-IF003).
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQINBGPJZX8BEADAO/bfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo
    NEZB3/FWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB
    5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ/B
    /J/6jZL/ecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A/cLA6sPh7sDTzSmyJp/27
    6ch3MijuxHLAdEFdR/oWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f
    fDKK7BBMt/csgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn
    MuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG
    u1vQuGHJchwcGYRIDvgeYC+lw/q/jECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw
    B38/boAujKCpCkvZFhP5OIylEmyCfRCZ/0ul8hvzS3kCjG5QSjBVcHolK75++CXb
    6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx
    0B0mZ3RTUXR92Y/Uy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl/D7g1WywARAQAB
    tC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t
    PokCOgQTAQgAJAUCY8llfwIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJA8Jm/wAK
    CRBxj1JAiOfS1LE1EAC+EnV5Mx3etxyOQT6rgaWlyfoiSmXaxUOZwY5EWt0Zu5P4
    mJ30KOdlqBjlLs43uFwxrXY7tjUpcSOpvK18SE4Z5UO3MB0WqKynN4bX2CDuDPuY
    ltDFsr2+hPpaicKkVw3uSHjxlaX67o/c3Hw9xBpgl1TfBXqjreYzmlCvzER6MZQx
    R7I+ZmiFqTWAdwfZnvUMmEsfXPpkOFBaVLgDaOjKYBTk0ddz8vf/7rdvTaKizg1j
    iBrai2JsILI//Ph+xHlh9GejAkbkP/59YVmu/1rVr86WkuWplYjMkiU8eJz2ob52
    omzGqRWY6Z2HwT7vV8ffQ1Uo4dKAUqzqoIBVcX58UkC27uMON3/DcTzpk+xjlcvu
    IxJ4j3vKcaZlgXI55Hd1BLhhj668gYoH8eGTFRBfM8V41sadB5ZL8NnNMPPntcHx
    ZlljbKkxay44OPGa6Fs/dMkfp4rIFkzriaVkW8s9tCNwZGIS8sI9mQYUzV5Dmurn
    NVAa0JnoZYgJmk9HjEJVBOOdHcJA/GQkF2tvKSmkFMUsUOTeLaytiG9btOnvf6fz
    AEFoJLzQldqvba10uT9XxVxEENn7qDO4Nihtk/aDuPQcUeHqvDGvNSqaXq9Dq4T4
    ESeuzJRr1X2AKu1WFZdhFSCKr5nF4iChCIj05iAiUar3LqlT3OJxvcAOdWKJzg==
    =CUKh
    -----END PGP PUBLIC KEY BLOCK-----
  4. Create a file icp4a-pubkey-from-2024.gpg and add the following public key in GPG format. This key verifies images that were released in December 2024 and later (starting with 24.0.0-IF004).
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQINBGcyQU0BEADAO/bfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo
    NEZB3/FWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB
    5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ/B
    /J/6jZL/ecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A/cLA6sPh7sDTzSmyJp/27
    6ch3MijuxHLAdEFdR/oWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f
    fDKK7BBMt/csgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn
    MuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG
    u1vQuGHJchwcGYRIDvgeYC+lw/q/jECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw
    B38/boAujKCpCkvZFhP5OIylEmyCfRCZ/0ul8hvzS3kCjG5QSjBVcHolK75++CXb
    6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx
    0B0mZ3RTUXR92Y/Uy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl/D7g1WywARAQAB
    tC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t
    PokCOgQTAQgAJAUCZzJBTQIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAK
    CRC0lqyjOeABc5p+D/4uVq6HmZQ7B2oTYYBoOa6xBMdnI91GQPaoGRhAwAPzQh8W
    jw5fNiBJCLPVzTCIh26MJUwBWLXSZtlBDIg7zFEgXqUMqtS4qMuLTnBHyovx30hQ
    zJyH6DkCCeBTqS06oq2N3comsCk+pbLlHSEMZlDR1WrZE2omi7P42ET9wQn4Px+c
    iHmy07qJDoV4HyZEYAJ6LSyEXy8l0XTaqhMEerrFMKcLQGXsy0y0Al4/kvmtSuyw
    hZaAadMsaPV+2rSz8yfyjNUDf7ZPh2whelV3VYfaVHnuy7S+RRCFqAeOtIAxOpai
    ++hxazlf03mgnPQH7WGSvjaz8sWtEUUMYFE0mnwusrK0DObOXd76qghkifN1IRiS
    bUPvfa15U1/CwC0C5xFRWQfgrX2EwqUYNMiHqKRYxz8+LEC+vdT03naLzyxpAKwM
    6bZ2laNJYNofQd7dYU+Co4oWrCTGfFLD/LYnejzWYR7Drt5Ppz1qgW1q5J1Qi7+V
    s7+w4ga8n61Ta2zaDcccgdn/TG0IO8bWnxgwKwZS8w3wj+GFx70o4fIlH++PhL1/
    zdI2jfH4XqvjT+mx3LNpfEXUOquIl9ikkRZMG787lqdjr1L58YF9BdZPtqs5RufU
    mGzh82sCEmw9GaSJiGQb/fcoSIolqbLmEj4Aqy/hA6QSthBu58CGLOs91SevQQ==
    =Jn52
    -----END PGP PUBLIC KEY BLOCK-----

Creating a policy to require signed images

A signature policy can deny or allow pulling images, or require a trust relationship (a signature by a trusted key) before an image is pulled. A scope can cover an entire image registry or a specific part of one. For more information, see Controlling what image sources can be deployed.

The following policy is the least intrusive option: it requires images that are pulled from cp.icr.io/cp/cp4a to be signed by any of the GPG keys listed in the keyPaths array. Images from any other container registry and from other parts of cp.icr.io are accepted without signatures.

If you can provide public keys for signature validation of all applications and their dependencies in your Red Hat OpenShift cluster, including the OpenShift platform images (see Container image signatures) and IBM Cloud Pak foundational services, you can set the default type to reject. With a default of reject, every pull that no scope covers fails, so test such a policy on a single node pool before you roll it out.

Create a file and name it policy.json, then include the following content:

{
    "default": [
      {
       "type": "insecureAcceptAnything"
      }
    ],
    "transports": {
      "docker": {
        "cp.icr.io/cp/cp4a": [
          {
            "type": "signedBy",
            "keyType": "GPGKeys",
            "keyPaths": ["/etc/pki/icp4a-pubkey-upto-2021.gpg", "/etc/pki/icp4a-pubkey-2021-2023.gpg", "/etc/pki/icp4a-pubkey-from-2023.gpg", "/etc/pki/icp4a-pubkey-from-2024.gpg"]
          }
        ]
      }
    }
} 

You can use a MachineConfig object to inject the GPG public key files and the policy.json file into the nodes. The following example (machine-config.yaml) embeds all four GPG public key files and the policy file inline as URL-encoded data URLs.

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
    labels:
        machineconfiguration.openshift.io/role: worker
    name: image-signature
spec:
    config:
      ignition:
        version: 3.2.0
      storage:
        files:
        - contents:
            source: >-
                data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQENBF0UBwABCADAk2QMLvahhx2owpDyasQo0E36I7VM%2FYdK1J9lAAgsHBJFvn%2FP%0A0PznCfnnFAw2cCj49ftYBN8orxJOSkuQE3p3hz%2Fg21C9jrsrqwoNfNbo5WRUsIxA%0A0hL9ywV8EvuOLAKdNY0ACOBHv2g82KSa%2FbZMg3bPA3Ir1jZZ3jjQrAzwAzvhp2Bo%0Av5FwU0xYqm9DwCb%2Fd4yYaEJ28jFWrwGdRnVHuoohu5PyUoQMpt4rwiU1yb3CabaN%0AEpGo4ZF2%2F07sVdhSv1ieqfQMa%2FrC6XcFALygt%2FvxzQDeSkPlxWb8wBqzq%2FsgI5Jb%0AwG6I55f3EMP67d%2FvWzA62FNbXk8DWMRLzWDHABEBAAG0BWljcDRhiQE5BBMBCAAj%0ABQJdFAcAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQcjTsJWhPPpnT%0Ahgf%2FZYjAuPqiiHtJkmm1Nrw5HSCKHMsiHwUc1y5lb+J+xxfz7B3Jm07r%2FR82h6zI%0AZNnUTpgWzbEM7NazSAPcfL%2FKQXd3jw713hIXr2D4wzyMnvVAPJz0U%2FFUXDkZeTil%0AU04PT4T9BF5b+kIh560TuouY4bot2QFhuBMnKasLMMrXx1PXbySH9OHWc5bnx3J6%0Aj+%2Fd7TMj7MsdVgraoqmPtM68fOQUXyn0FCsx2M4kQRllGp7Wv0rIXVVh5lbT7VFs%0AOP+8LBBj1DEfCuffQc%2F21jO4DkC3nalWhXW5jAcAnTLlzKWsAxm%2FYJLfRYzeAOHa%0Amgv9nt%2FuDfwf0GasJw0cEeNq0A%3D%3D%0A%3D9hbX%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
          filesystem: root
          mode: 420
          path: /etc/pki/icp4a-pubkey-upto-2021.gpg
        - contents:
            source: >-
                data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQENBGChsgABCADZ1OhWUebPgUYn8V2GDYpWeTKu8Yq2ghAIgooas8mAqdK8Bxid%0AoA6X4KcPY+RwXvVGjIfaVfR2pAqw6ZwwwVZ5CEo1eTtf9gGfdchYE7+beTOGTuzk%0A5uhz86fpYvmq7TVki2SnpsF40LnqcHGkOyQ1Lqcys4J+6qAYSv43sgOWvlTr%2FGJS%0AnDbqpES0N%2F4Lk2s4nb2iPJqB4zpwj1dtWJXvxLReclV5KFgrdpikHTfUgrxt1HbU%0ANgRpXd8XLT8ovoP0I32Qc%2FayyUGHon%2FvdNOMwHDLyXstwkqB70SEU%2F772bsUA7e0%0Al+w7T4HubOEEvwoRWtsoNBXWFB++0PxLDurPABEBAAG0BWljcDRhiQE5BBMBCAAj%0ABQJgobIAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQfFz5ejnxNlAc%0APwgAxA7Jh6a4IKzlkLtI5FXabjZMVu81HjtrgRd4ZxnjciOHwdtjPaNZLd8HoSko%0AMniMWlUdHsyzFiBAQG1ohSg2CzotzwJe5m0zH09bji7P6DLd39tWraolOaqbHdZS%0AgLhNf50xfqVcq8uw%2Fv%2FmFsc8eSczdrcxVH3wlWzczdmPGHFLnHsbhAlIJ%2FPLzN1l%0AH%2FNlm259peZ7V5uAIcq1wLLKvpRWYU0%2FweGXfcnQYKHkEPHWDNv+kRjD8Q89Vby+%0AiDbn11I2GoJQeWYzCA7CXGrdeXO57MHSDOULQh22Aioq3CxmV3CRUCmATMYHw9oT%0ARWIGtCYOx2BHh1HRAeB1vlOzIw%3D%3D%0A%3DSIpv%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
          filesystem: root
          mode: 420
          path: /etc/pki/icp4a-pubkey-2021-2023.gpg
        - contents:
            source: >-
                data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQINBGPJZX8BEADAO%2Fbfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo%0ANEZB3%2FFWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB%0A5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ%2FB%0A%2FJ%2F6jZL%2FecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A%2FcLA6sPh7sDTzSmyJp%2F27%0A6ch3MijuxHLAdEFdR%2FoWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f%0AfDKK7BBMt%2FcsgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn%0AMuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG%0Au1vQuGHJchwcGYRIDvgeYC+lw%2Fq%2FjECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw%0AB38%2FboAujKCpCkvZFhP5OIylEmyCfRCZ%2F0ul8hvzS3kCjG5QSjBVcHolK75++CXb%0A6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx%0A0B0mZ3RTUXR92Y%2FUy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl%2FD7g1WywARAQAB%0AtC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t%0APokCOgQTAQgAJAUCY8llfwIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJA8Jm%2FwAK%0ACRBxj1JAiOfS1LE1EAC+EnV5Mx3etxyOQT6rgaWlyfoiSmXaxUOZwY5EWt0Zu5P4%0AmJ30KOdlqBjlLs43uFwxrXY7tjUpcSOpvK18SE4Z5UO3MB0WqKynN4bX2CDuDPuY%0AltDFsr2+hPpaicKkVw3uSHjxlaX67o%2Fc3Hw9xBpgl1TfBXqjreYzmlCvzER6MZQx%0AR7I+ZmiFqTWAdwfZnvUMmEsfXPpkOFBaVLgDaOjKYBTk0ddz8vf%2F7rdvTaKizg1j%0AiBrai2JsILI%2F%2FPh+xHlh9GejAkbkP%2F59YVmu%2F1rVr86WkuWplYjMkiU8eJz2ob52%0AomzGqRWY6Z2HwT7vV8ffQ1Uo4dKAUqzqoIBVcX58UkC27uMON3%2FDcTzpk+xjlcvu%0AIxJ4j3vKcaZlgXI55Hd1BLhhj668gYoH8eGTFRBfM8V41sadB5ZL8NnNMPPntcHx%0AZlljbKkxay44OPGa6Fs%2FdMkfp4rIFkzriaVkW8s9tCNwZGIS8sI9mQYUzV5Dmurn%0ANVAa0JnoZYgJmk9HjEJVBOOdHcJA%2FGQkF2tvKSmkFMUsUOTeLaytiG9btOnvf6fz%0AAEFoJLzQldqvba10uT9XxVxEENn7qDO4Nihtk%2FaDuPQcUeHqvDGvNSqaXq9Dq4T4%0AESeuzJRr1X2AKu1WFZdhFSCKr5nF4iChCIj05iAiUar3LqlT3OJxvcAOdWKJzg%3D%3D%0A%3DCUKh%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
          filesystem: root
          mode: 420
          path: /etc/pki/icp4a-pubkey-from-2023.gpg
        - contents:
            source: >-
                data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQINBGcyQU0BEADAO%2Fbfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo%0ANEZB3%2FFWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB%0A5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ%2FB%0A%2FJ%2F6jZL%2FecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A%2FcLA6sPh7sDTzSmyJp%2F27%0A6ch3MijuxHLAdEFdR%2FoWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f%0AfDKK7BBMt%2FcsgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn%0AMuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG%0Au1vQuGHJchwcGYRIDvgeYC+lw%2Fq%2FjECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw%0AB38%2FboAujKCpCkvZFhP5OIylEmyCfRCZ%2F0ul8hvzS3kCjG5QSjBVcHolK75++CXb%0A6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx%0A0B0mZ3RTUXR92Y%2FUy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl%2FD7g1WywARAQAB%0AtC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t%0APokCOgQTAQgAJAUCZzJBTQIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAK%0ACRC0lqyjOeABc5p+D%2F4uVq6HmZQ7B2oTYYBoOa6xBMdnI91GQPaoGRhAwAPzQh8W%0Ajw5fNiBJCLPVzTCIh26MJUwBWLXSZtlBDIg7zFEgXqUMqtS4qMuLTnBHyovx30hQ%0AzJyH6DkCCeBTqS06oq2N3comsCk+pbLlHSEMZlDR1WrZE2omi7P42ET9wQn4Px+c%0AiHmy07qJDoV4HyZEYAJ6LSyEXy8l0XTaqhMEerrFMKcLQGXsy0y0Al4%2FkvmtSuyw%0AhZaAadMsaPV+2rSz8yfyjNUDf7ZPh2whelV3VYfaVHnuy7S+RRCFqAeOtIAxOpai%0A++hxazlf03mgnPQH7WGSvjaz8sWtEUUMYFE0mnwusrK0DObOXd76qghkifN1IRiS%0AbUPvfa15U1%2FCwC0C5xFRWQfgrX2EwqUYNMiHqKRYxz8+LEC+vdT03naLzyxpAKwM%0A6bZ2laNJYNofQd7dYU+Co4oWrCTGfFLD%2FLYnejzWYR7Drt5Ppz1qgW1q5J1Qi7+V%0As7+w4ga8n61Ta2zaDcccgdn%2FTG0IO8bWnxgwKwZS8w3wj+GFx70o4fIlH++PhL1%2F%0AzdI2jfH4XqvjT+mx3LNpfEXUOquIl9ikkRZMG787lqdjr1L58YF9BdZPtqs5RufU%0AmGzh82sCEmw9GaSJiGQb%2FfcoSIolqbLmEj4Aqy%2FhA6QSthBu58CGLOs91SevQQ%3D%3D%0A%3DJn52%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
          filesystem: root
          mode: 420
          path: /etc/pki/icp4a-pubkey-from-2024.gpg
        - contents:
            source: >-
                data:,%7B%0D%0A%20%20%20%20%22default%22%3A%20%5B%0D%0A%20%20%20%20%20%20%7B%0D%0A%20%20%20%20%20%20%20%22type%22%3A%20%22insecureAcceptAnything%22%0D%0A%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%5D,%0D%0A%20%20%20%20%22transports%22%3A%20%7B%0D%0A%20%20%20%20%20%20%22docker%22%3A%20%7B%0D%0A%20%20%20%20%20%20%20%20%22cp.icr.io%2Fcp%2Fcp4a%22%3A%20%5B%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22signedBy%22,%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%22keyType%22%3A%20%22GPGKeys%22,%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%22keyPaths%22%3A%20%5B%22%2Fetc%2Fpki%2Ficp4a-pubkey-upto-2021.gpg%22,%20%22%2Fetc%2Fpki%2Ficp4a-pubkey-2021-2023.gpg%22,%20%22%2Fetc%2Fpki%2Ficp4a-pubkey-from-2023.gpg%22,%20%22%2Fetc%2Fpki%2Ficp4a-pubkey-from-2024.gpg%22%5D%0D%0A%20%20%20%20%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%20%20%5D%0D%0A%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%7D%0D%0A%7D
          filesystem: root
          mode: 420
          path: /etc/containers/policy.json

The embedded files are URL-encoded; to inspect them, decode the data URLs with a URL decoder. Apply the MachineConfig resource:

oc apply -f machine-config.yaml

The Machine Config Operator rolls the change out to the worker pool, draining and rebooting the nodes one at a time. Watch the progress of the MachineConfigPool:

oc get mcp

If you are running a starter pattern, PodDisruptionBudgets on some pods might prevent a node from being drained gracefully. You can force the pods off a node by first identifying a node for which scheduling is disabled (SchedulingDisabled in the STATUS column):

oc get node

Use the node name to delete all pods on that node; their controllers re-create them on other nodes:

node=...
oc delete pod --field-selector="spec.nodeName=$node" --all-namespaces
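The data URLs in the MachineConfig above are easy to get wrong by hand: a dropped %0A corrupts a key file on every worker node, and a dropped %22 leaves the nodes with an unparsable policy.json. The following script, added here as an example and not part of the IBM documentation, renders the same MachineConfig from the key files and policy.json on disk. It assumes the files sit in one directory, that every *.gpg file there is a public key to install under /etc/pki, and that the pool is "worker"; unlike the manifest above it sets overwrite: true (an Ignition 3 field) and leaves out the Ignition 2 filesystem key.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): render the MachineConfig
# from the key files and policy.json instead of URL-encoding the data: URLs
# by hand. Assumptions: all files live in one directory, every *.gpg file is
# a public key to install under /etc/pki, and the target pool is "worker".
set -eu

# Percent-encode a file as the body of a data:, URL. RFC 3986 unreserved
# characters pass through; everything else, including '+', '/', '=' and the
# newline that ends each line, becomes %XX. Byte-wise under LC_ALL=C.
urlencode_file() {             # $1 = file to encode; output has no newline
  LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s%%0A", out     # awk strips the line terminator; put it back
    }' "$1"
}

# One entry of spec.config.storage.files. mode 420 is octal 0644;
# overwrite: true lets the Machine Config Operator replace the existing
# /etc/containers/policy.json instead of failing on a pre-existing file.
machineconfig_file_entry() {   # $1 = path on the node, $2 = local file
  printf '      - contents:\n          source: data:,%s\n        mode: 420\n        overwrite: true\n        path: %s\n' \
    "$(urlencode_file "$2")" "$1"
}

# Emit the complete MachineConfig for every *.gpg file plus policy.json in $1.
render_machineconfig() {       # $1 = directory holding the files
  cat <<'EOF'
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: worker
  name: image-signature
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
EOF
  for key in "$1"/*.gpg; do
    [ -f "$key" ] || continue
    machineconfig_file_entry "/etc/pki/$(basename "$key")" "$key"
  done
  machineconfig_file_entry /etc/containers/policy.json "$1/policy.json"
}

# Usage: sh render-machineconfig.sh ./signing-files > machine-config.yaml
if [ -n "${1:-}" ]; then
  render_machineconfig "$1"
fi
```

Because the script encodes whatever is in the directory, the same invocation produces a correct manifest again after a new key file is added, as long as policy.json lists the new path as well.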

Signature validation in Linux command-line tools

When it comes to inspecting and transporting images, skopeo is a useful tool because it does not need a Docker daemon. It can easily be used in continuous integration (CI) pipelines to copy images between two registries, to provide credentials for secured registries, or to promote images from a development registry into production.

If you pull the images from the IBM Entitled Registry with skopeo, you can enable the container image signature verification. The icp4a-pubkey-upto-2021.gpg, icp4a-pubkey-2021-2023.gpg, icp4a-pubkey-from-2023.gpg, and icp4a-pubkey-from-2024.gpg files that you created can be used to verify the images under a certain repository and path.

In the following example, images are pulled from cp.icr.io/cp/cp4a and verified with the GPG public key in the icp4a-pubkey-2021-2023.gpg file, which according to Table 1 covers the 21.0.3-IF018 image that is pulled below. All images are rejected, except signed images in the cp4a folder.

Not every podman and skopeo version supports the keyPaths array. The following policy therefore points to a single key file by using the keyPath parameter. The key must match the release date of the image: an image that was signed with one of the other three keys is rejected by this policy. A relative keyPath is resolved against the current working directory, so run the commands from the directory that contains the key file.

Create a file and name it policy-2.json, then include the following content:

{
    "default": [
      {
       "type": "reject"
      }
    ],
    "transports": {
      "docker": {
        "cp.icr.io/cp/cp4a": [
          {
            "type": "signedBy",
            "keyType": "GPGKeys",
            "keyPath": "icp4a-pubkey-2021-2023.gpg"
          }
        ]
      }
    }
}
Note: If the scope is set to cp.icr.io instead of cp.icr.io/cp/cp4a, every image anywhere in that registry that does not carry a signature from this key is rejected, not only the Cloud Pak for Business Automation images. The skopeo command has the useful option --policy policy-2.json, which sets a specific policy file instead of using the default /etc/containers/policy.json file.

The following sample pulls one image into the local file system and validates its signature.

skopeo --policy ./policy-2.json copy docker://cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64 dir:./ban

When you pull images by using podman, provide the --signature-policy policy-2.json option to point to the policy file.

With a policy that references the public key that signed the image, the pull succeeds:

podman pull --signature-policy policy-2.json cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64
Trying to pull cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64...
Getting image source signatures
Checking if image destination supports signatures
...

The pull fails when the policy file references a different public key. In the following example, policy-1.json points to one of the other key files. gpgme reports error 0x7000009 (GPG_ERR_NO_PUBKEY) for every signature on the image, and the Fingerprint value in the message is the ID of the key that actually signed the image, which tells you which key file the policy must reference:

podman pull --signature-policy policy-1.json cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64
Trying to pull cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64...
None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637354, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637429, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
Error: error pulling image "cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64": unable to pull cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64: unable to pull image: Source image rejected: None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637354, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637429, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
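The failure above already names the signer: the Fingerprint field carries the key ID, and gpg2 --show-keys prints the key ID of each of the four key files, so the two can be matched without pulling the image once per key. The following script, added here as an example and not part of the IBM documentation, does that and then retries the pull with a one-key policy in the shape of policy-2.json. It assumes gpg2 (GnuPG 2.2 or later) and podman are installed and that the four key files are in one directory; the function names and the choice of icp4a-pubkey-from-2024.gpg for the first attempt are this script's own.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): identify which public key
# file signed an image from podman's verification error, then pull it with
# a policy that references exactly that key. Assumes gpg2 (GnuPG 2.2+) and
# podman; the key directory and file names follow Table 1.
set -eu

# Last 16 hex digits (the long key ID) of the Fingerprint reported in a
# podman/skopeo "None of the signatures were accepted" message on stdin.
# Prints nothing when the message carries no Fingerprint field.
key_id_from_error() {
  sed -n 's/.*Fingerprint:"\([0-9A-Fa-f]*\)".*/\1/p' | head -n 1 | tr -d '\n' | tail -c 16 | tr 'a-f' 'A-F'
}

# Long key ID of the primary key in an armored public key file
# (--with-colons: field 5 of the "pub" record).
key_id_of_file() {             # $1 = public key file
  gpg2 --show-keys --with-colons "$1" | awk -F: '$1 == "pub" { print $5; exit }'
}

# Print the key file in $2 whose key ID equals $1; exit 1 if none matches.
find_key_file() {              # $1 = key ID, $2 = directory of *.gpg files
  for f in "$2"/*.gpg; do
    if [ "$(key_id_of_file "$f")" = "$1" ]; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# A podman/skopeo policy that rejects everything except images under $1
# signed by the key in $2 (single keyPath, for clients without keyPaths).
policy_for_key() {             # $1 = registry scope, $2 = key file path
  printf '{\n  "default": [{"type": "reject"}],\n  "transports": {\n    "docker": {\n      "%s": [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": "%s"}]\n    }\n  }\n}\n' "$1" "$2"
}

# Try the newest key first; on a verification failure, read the signer's key
# ID from the error, locate the matching key file and pull again with it.
pull_with_matching_key() {     # $1 = image reference, $2 = key directory
  policy=$(mktemp)
  policy_for_key cp.icr.io/cp/cp4a "$2/icp4a-pubkey-from-2024.gpg" > "$policy"
  if err=$(podman pull --signature-policy "$policy" "$1" 2>&1); then
    rm -f "$policy"; return 0
  fi
  id=$(printf '%s\n' "$err" | key_id_from_error)
  if [ -z "$id" ]; then                       # not a signature problem
    printf '%s\n' "$err" >&2; rm -f "$policy"; return 1
  fi
  if ! keyfile=$(find_key_file "$id" "$2"); then
    echo "no key file in $2 has key ID $id" >&2; rm -f "$policy"; return 1
  fi
  echo "image signed by key $id, retrying with $keyfile" >&2
  policy_for_key cp.icr.io/cp/cp4a "$keyfile" > "$policy"
  if podman pull --signature-policy "$policy" "$1"; then rc=0; else rc=1; fi
  rm -f "$policy"
  return $rc
}

# Usage: sh pull-verified.sh cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64 ./keys
if [ $# -eq 2 ]; then
  pull_with_matching_key "$1" "$2"
fi
```

The retry still enforces a default of reject, so an image whose signer is not among the four IBM keys is never pulled; the script only chooses which trusted key to require.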

Verifying key material

You can verify the public keys once, and you do not need to repeat the process when you apply policies to multiple clusters.

To verify the icp4a-pubkey-from-2024.gpg file, whose private counterpart signs images from December 2024 onwards:

  1. Create a file icp4a-cert-from-2024.pem and add the following public certificate in the PEM format.

    -----BEGIN CERTIFICATE-----
    MIIHljCCBX6gAwIBAgIQBqryQeC8iRAuWmp8GI81ZDANBgkqhkiG9w0BAQsFADBp
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT
    OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0
    IDIwMjEgQ0ExMB4XDTI0MTAxMDAwMDAwMFoXDTI2MTAwOTIzNTk1OVowgZ0xCzAJ
    BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGQXJtb25rMTQw
    MgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0
    aW9uMTQwMgYDVQQDEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENv
    cnBvcmF0aW9uMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwDv232ns
    +L3Y1yLmXzRaqTqQDh87PPRIQYLsRlR1HcdprRlGaDRGQd/xVlTviJZluXJWazUr
    6AQwhdaFet1AwYmVHKBNZUtB7CkCboRCsWagVEWTgeRNdhI31W0usZ/kdxLm3XqQ
    cJTcL9awqtrp+Cg4cWO6YZdIsANblrsZ+MlNCykPwfyf+o2S/3nEo5cyE2DbG3zs
    JghXkYY5nksbjKG81nfQP3CwOrD4e7A080psiaf9u+nIdzIo7sRywHRBXUf6Fr8o
    eFytOHUUUIdnnLCdpufhLEtQ3mGxYcHYLzBrQVc+n3wyiuwQTLf3LIE/cGV+AQ/e
    ygzxXQLADTQueYqWCMTCogw67LhydXg9VKmlBnUzpzLk/gAtUX7I3G8cJdBSLX3U
    NKwVBZhxMNak0nAzWvlkin5Y9/OpT1eYVp3jhufFBrtb0LhhyXIcHBmESA74HmAv
    pcP6v4xAqoHi65ycfSVXDFJpE2w8X0wxnvNpiKm4sAd/P26ALoygqQpL2RYT+TiM
    pRJsgn0Qmf9LpfIb80t5AoxuUEowVXB6JSu+fvgl2+smDWsJkGFYz5NSrjXumPk1
    ZdJ7GKrUhI55JzuC0bCl9mR8ZAEophaiQo2wBEIhMdAdJmd0U1F0fdmP1Mu117br
    MphpXgpFvmx7NhdPvYt9pfTbsYJfw+4NVssCAwEAAaOCAgMwggH/MB8GA1UdIwQY
    MBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBTEsx2YOiP6YqWh6lsj
    gTXn4F3PqjA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRw
    Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM
    MAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRp
    Z2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNI
    QTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20v
    RGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0Ex
    LmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
    LmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNl
    cnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0
    MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAZv157KwX
    lQBf4jjavOplJqEkGMjSe5o5PvJE1+vQkFHpuJ19Kw5fW5EgKHQunzXu0ae+UwRT
    +sUl3XXiszZ3WUTL8PD/OAE1t3k9FHccIlhSuySKGecu0YE4b4cXhDcIzVh7Gic2
    pBGgiD48+wg4JrnpFhol6fGFN5OJx30VJmSedgJ/fwADRyqAZCF1/xtU9HugmELg
    7Hvbc+CFjeW5PLmdxLxf4zDX6LHEblXT9Pphria4aats0qe2DziMHIkZuBWDqBDa
    wDbfRThezGeLtyQq+JHtl7t6/lMlEck/uKpnMlwNah7FE7vzxgCyGMBPhDJBsbVt
    Q74U5SJqTGn9LpormoK5pXKKmwuEQqydurNrnL0Mqy4jnlRA/c77QedvGa+moo0R
    EkxGOtXvydkzQnE/hXTFsGTFlhy1DVFvaKnBCJtY6YZLJ2VVRnCeQcwlTq1rzn4v
    B0x7yb7XaN+Ww1R1wG3kfZ2VTi+cPCtDH9AEVsJZyJOMQ+u2corlOgpmz7nB2w1I
    C8alYEIbrAfDq3Mg74Yu2jXyIPKxzZRlRAvx3n6cr8omtWNU7pIoN9Vm6q4+nH0+
    7XzeF74EjXosS9AKseTyrHMuXOFQDT2nea2T3BpQyfluo5DzWEGit8Pz5IU7sFvT
    6G2qgpCwQDwWS6ygsCyxzVcmb/3GIkcJ+xY=
    -----END CERTIFICATE-----
  2. Create a file icp4a-issuer-from-2024.pem and add the following issuer public certificate in the PEM format.
    -----BEGIN CERTIFICATE-----
    MIIGsDCCBJigAwIBAgIQCK1AsmDSnEyfXs2pvZOu2TANBgkqhkiG9w0BAQwFADBi
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
    RzQwHhcNMjEwNDI5MDAwMDAwWhcNMzYwNDI4MjM1OTU5WjBpMQswCQYDVQQGEwJV
    UzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRy
    dXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMIIC
    IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1bQvQtAorXi3XdU5WRuxiEL1
    M4zrPYGXcMW7xIUmMJ+kjmjYXPXrNCQH4UtP03hD9BfXHtr50tVnGlJPDqFX/IiZ
    wZHMgQM+TXAkZLON4gh9NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXzENOLsvsI
    8IrgnQnAZaf6mIBJNYc9URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bqHPNlaJGi
    TUyCEUhSaN4QvRRXXegYE2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTCfMjqGzLm
    ysL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3S
    vUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tv
    k2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+
    960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3s
    MJN2FKZbS110YU0/EpF23r9Yy3IQKUHw1cVtJnZoEUETWJrcJisB9IlNWdt4z4FK
    PkBHX8mBUHOFECMhWWCKZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0IU0F8WD1H
    s/q27IwyCQLMbDwMVhECAwEAAaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAw
    HQYDVR0OBBYEFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaAFOzX44LS
    cV1kTN8uZz/nupiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEF
    BQcDAzB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
    Z2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu
    Y29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYy
    aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5j
    cmwwHAYDVR0gBBUwEzAHBgVngQwBAzAIBgZngQwBBAEwDQYJKoZIhvcNAQEMBQAD
    ggIBADojRD2NCHbuj7w6mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcTEp6QRJ9L
    /Z6jfCbVN7w6XUhtldU/SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WTauPrINHV
    UHmImoqKwba9oUgYftzYgBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9ntSZz0rd
    KOtfJqGVWEjVGv7XJz/9kNF2ht0csGBc8w2o7uCJob054ThO2m67Np375SFTWsPK
    6Wrxoj7bQ7gzyE84FJKZ9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0HKKlS43N
    b3Y3LIU/Gs4m6Ri+kAewQ3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL6TEa/y4Z
    XDlx4b6cpwoG1iZnt5LmTl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+16oh7cGvm
    oLr9Oj9FpsToFpFSi0HASIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8M4+uKIw8
    y4+ICw2/O/TOHnuO77Xry7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrFhsP2JjMM
    B0ug0wcCampAMEhLNKhRILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy1lKQ/a+F
    SCH5Vzu0nAPthkX0tGFuv2jiJmCG6sivqf6UHedjGzqGVnhO
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
    RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV
    UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
    Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG
    SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y
    ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If
    xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV
    ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO
    DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ
    jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/
    CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi
    EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM
    fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY
    uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK
    chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t
    9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
    hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD
    ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2
    SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd
    +SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc
    fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa
    sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N
    cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N
    0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie
    4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI
    r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
    /YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
    gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
    -----END CERTIFICATE-----
  3. Run the following commands to check the GPG key against the certificate, and the certificate against its issuer, by using the icp4a-cert-from-2024.pem and icp4a-issuer-from-2024.pem files.
    Table 2. Commands to verify certificate issuance and validity for icp4a-pubkey-from-2024.gpg

    Command:
    openssl x509 -text -in icp4a-cert-from-2024.pem
    Description:
    Displays the IBM Cloud Pak for Business Automation code-signing certificate. Verify that the Subject is International Business Machines Corporation and that the Issuer is a DigiCert CA (O = DigiCert, Inc., CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1). The icp4a-cert-from-2024.pem certificate is signed by DigiCert.

    Command:
    gpg2 -v --list-packets icp4a-pubkey-from-2024.gpg
    Description:
    Displays the packets of the GPG public key. Verify that the hex value printed as pkey[0] equals the Modulus in the certificate output; openssl prints the modulus as colon-separated bytes, possibly with a leading 00, and gpg prints it as one hex string, so strip the colons before comparing. A match proves that icp4a-pubkey-from-2024.gpg is the public key certified by the IBM certificate, in GPG format.

    Command:
    openssl ocsp -no_nonce \
    -issuer icp4a-issuer-from-2024.pem \
    -cert icp4a-cert-from-2024.pem \
    -VAfile icp4a-issuer-from-2024.pem \
    -text -url http://ocsp.digicert.com
    Description:
    Queries DigiCert's responder by using the Online Certificate Status Protocol (OCSP) for the revocation status of icp4a-cert-from-2024.pem, and validates the response against icp4a-issuer-from-2024.pem. Expect "Response verify OK" and "icp4a-cert-from-2024.pem: good".
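Comparing a 4096-bit modulus by eye across two differently formatted dumps is error-prone. The following script, added here as an example and not part of the IBM documentation, performs the three checks of Table 2 in one run: it normalizes both modulus representations and compares them byte for byte, checks the certificate's subject and issuer, and queries the OCSP responder. It assumes gpg2 (GnuPG 2.2 or later) and openssl are installed; the function names and the expected strings are this script's own. The same invocation works for the icp4a-pubkey-from-2023.gpg, icp4a-cert-from-2023.pem and issuer files.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): run the checks of Table 2
# as one script, comparing the RSA modulus of the GPG public key with the
# modulus of the code-signing certificate exactly instead of by eye.
# Assumes gpg2 (GnuPG 2.2+) and openssl.
set -eu

# Canonical form for a hex number on stdin: drop colons, whitespace and
# leading zeros, lowercase. openssl prints "AB:12:..." (often with a leading
# 00) or "Modulus=AB12..."; gpg prints bare hex.
hex_normalize() {
  tr -d ':[:space:]' | tr 'A-F' 'a-f' | sed 's/^0*//'
}

# RSA modulus of the primary key in an armored GPG public key file
# (pkey[0] in the verbose packet dump).
gpg_key_modulus() {            # $1 = .gpg file
  gpg2 -v --list-packets "$1" | sed -n 's/^[[:space:]]*pkey\[0\]:[[:space:]]*//p' | head -n 1 | hex_normalize
}

# RSA modulus of an X.509 certificate.
cert_modulus() {               # $1 = .pem file
  openssl x509 -in "$1" -noout -modulus | sed 's/^Modulus=//' | hex_normalize
}

# Succeeds if the two hex strings denote the same number.
same_hex() {                   # $1, $2 = hex strings in any of the formats above
  [ "$(printf '%s' "$1" | hex_normalize)" = "$(printf '%s' "$2" | hex_normalize)" ]
}

# Checks 1 and 2 of Table 2: IBM subject, DigiCert issuer, and the GPG key
# is the certificate's key. One line per check; returns 1 on any failure.
verify_key_against_cert() {    # $1 = .gpg file, $2 = leaf certificate .pem
  status=0
  subject=$(openssl x509 -in "$2" -noout -subject)
  issuer=$(openssl x509 -in "$2" -noout -issuer)
  case "$subject" in
    *'International Business Machines'*) echo "subject ok: $subject" ;;
    *) echo "UNEXPECTED subject: $subject"; status=1 ;;
  esac
  case "$issuer" in
    *DigiCert*) echo "issuer ok: $issuer" ;;
    *) echo "UNEXPECTED issuer: $issuer"; status=1 ;;
  esac
  if same_hex "$(gpg_key_modulus "$1")" "$(cert_modulus "$2")"; then
    echo "modulus ok: $1 is the public key certified by $2"
  else
    echo "MODULUS MISMATCH: $1 is not the key certified by $2"; status=1
  fi
  return $status
}

# Check 3 of Table 2: ask DigiCert's OCSP responder whether the certificate
# is still good; the issuer file doubles as the responder trust anchor.
ocsp_good() {                  # $1 = leaf certificate .pem, $2 = issuer chain .pem
  openssl ocsp -no_nonce -issuer "$2" -cert "$1" -VAfile "$2" \
    -url http://ocsp.digicert.com 2>&1 | grep -q "^$1: good"
}

# Usage: sh verify-key.sh icp4a-pubkey-from-2024.gpg icp4a-cert-from-2024.pem icp4a-issuer-from-2024.pem
if [ $# -eq 3 ]; then
  verify_key_against_cert "$1" "$2"
  if ocsp_good "$2" "$3"; then
    echo "ocsp ok: $2 is not revoked"
  else
    echo "OCSP check failed for $2"; exit 1
  fi
fi
```

The OCSP step needs network access to ocsp.digicert.com; the first two checks run offline, so run them on the machine where the key files are created and keep the output with the files as evidence that the key material was verified.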

To verify the icp4a-pubkey-from-2023.gpg file, whose private counterpart signs images from March 2023 to November 2024:

  1. Create a file icp4a-cert-from-2023.pem and add the following public certificate in the PEM format.

    -----BEGIN CERTIFICATE-----
    MIIHrDCCBZSgAwIBAgIQDw7smApOleo+HxSb9Nw/nTANBgkqhkiG9w0BAQsFADBp
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT
    OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0
    IDIwMjEgQ0ExMB4XDTIzMDExNjAwMDAwMFoXDTI0MTEwNzIzNTk1OVowgbAxCzAJ
    BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGQXJtb25rMTQw
    MgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0
    aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJuYXRpb25hbCBC
    dXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCAiIwDQYJKoZIhvcNAQEBBQAD
    ggIPADCCAgoCggIBAMA79t9p7Pi92Nci5l80Wqk6kA4fOzz0SEGC7EZUdR3Haa0Z
    Rmg0RkHf8VZU74iWZblyVms1K+gEMIXWhXrdQMGJlRygTWVLQewpAm6EQrFmoFRF
    k4HkTXYSN9VtLrGf5HcS5t16kHCU3C/WsKra6fgoOHFjumGXSLADW5a7GfjJTQsp
    D8H8n/qNkv95xKOXMhNg2xt87CYIV5GGOZ5LG4yhvNZ30D9wsDqw+HuwNPNKbImn
    /bvpyHcyKO7EcsB0QV1H+ha/KHhcrTh1FFCHZ5ywnabn4SxLUN5hsWHB2C8wa0FX
    Pp98MorsEEy39yyBP3BlfgEP3soM8V0CwA00LnmKlgjEwqIMOuy4cnV4PVSppQZ1
    M6cy5P4ALVF+yNxvHCXQUi191DSsFQWYcTDWpNJwM1r5ZIp+WPfzqU9XmFad44bn
    xQa7W9C4YclyHBwZhEgO+B5gL6XD+r+MQKqB4uucnH0lVwxSaRNsPF9MMZ7zaYip
    uLAHfz9ugC6MoKkKS9kWE/k4jKUSbIJ9EJn/S6XyG/NLeQKMblBKMFVweiUrvn74
    JdvrJg1rCZBhWM+TUq417pj5NWXSexiq1ISOeSc7gtGwpfZkfGQBKKYWokKNsARC
    ITHQHSZndFNRdH3Zj9TLtde26zKYaV4KRb5sezYXT72LfaX027GCX8PuDVbLAgMB
    AAGjggIGMIICAjAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNV
    HQ4EFgQUxLMdmDoj+mKloepbI4E15+Bdz6owDgYDVR0PAQH/BAQDAgeAMBMGA1Ud
    JQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwz
    LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5
    NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5j
    b20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIx
    Q0ExLmNybDA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRw
    Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsG
    AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0
    dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVT
    aWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAwGA1UdEwEB/wQCMAAwDQYJ
    KoZIhvcNAQELBQADggIBAF/Liexfoe54yBVD5kArBWUM+pLn6QL77paywkbg6knP
    iBvQMRiyTcCcyVwrBSw+Y0WS2TfJ8PH+0YozF20DD9XCmnQ6ESTdGK5PWN1jnz1p
    pS6yiksvgYCmqr3bTxnTQRnX7UTNX0JcAKa147T0dXj7cOd1pgZ0u6jDCXkLkQ4H
    AvM/jFcPohe3zdyHJIbGmCUbV895KqQqBwj8znhL24mSQOTiYZPLh33A/UfqLaPN
    ws1iGCwViDk5pD4+ygVQ7Fcxx77GrTmqU1DmJrcG2/tkPmJsdHdxI01k1RaExVnL
    0kLL7QsagtdxxRpkwbA87s6l2wu+yakdk642OIJqNcH1b+E7mO1tgCR4zzkOrr70
    TWbxI8Rgfm6AuVJMwdnbHRCX1vqxf+B1s0MxMeC8Q0ihC17T+j5BE0T6ghgbceE7
    oYa49bOv2Gl/mvWtEJdMEg2fhLEdemgUubOf7zGDy5Y2rkIgvHgX2PC7xyxE8gjH
    gRE2vbo59f/5cbkrttdh0ydmM0qJassAFJBTAtIyQGHEIRhynO3/OkFOeqbnd8Rx
    cSbCS8NI0lXuoFjvfYGCjRA3p7EdUbc2WZGsfM729cYoJCkT8ReTyxK+/uLD7Vw8
    5R+S47yuqQWWHh+nBThRrVNUbwz3DI2Hi5+GlBWH7giDKYxdWzb83pJEYvbvdTHz
    -----END CERTIFICATE-----
  2. Create a file icp4a-issuer-from-2023.pem and add the following issuer public certificate in the PEM format.
    -----BEGIN CERTIFICATE-----
    MIIGsDCCBJigAwIBAgIQCK1AsmDSnEyfXs2pvZOu2TANBgkqhkiG9w0BAQwFADBi
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
    RzQwHhcNMjEwNDI5MDAwMDAwWhcNMzYwNDI4MjM1OTU5WjBpMQswCQYDVQQGEwJV
    UzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRy
    dXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMIIC
    IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1bQvQtAorXi3XdU5WRuxiEL1
    M4zrPYGXcMW7xIUmMJ+kjmjYXPXrNCQH4UtP03hD9BfXHtr50tVnGlJPDqFX/IiZ
    wZHMgQM+TXAkZLON4gh9NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXzENOLsvsI
    8IrgnQnAZaf6mIBJNYc9URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bqHPNlaJGi
    TUyCEUhSaN4QvRRXXegYE2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTCfMjqGzLm
    ysL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3S
    vUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tv
    k2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+
    960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3s
    MJN2FKZbS110YU0/EpF23r9Yy3IQKUHw1cVtJnZoEUETWJrcJisB9IlNWdt4z4FK
    PkBHX8mBUHOFECMhWWCKZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0IU0F8WD1H
    s/q27IwyCQLMbDwMVhECAwEAAaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAw
    HQYDVR0OBBYEFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaAFOzX44LS
    cV1kTN8uZz/nupiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEF
    BQcDAzB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
    Z2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu
    Y29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYy
    aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5j
    cmwwHAYDVR0gBBUwEzAHBgVngQwBAzAIBgZngQwBBAEwDQYJKoZIhvcNAQEMBQAD
    ggIBADojRD2NCHbuj7w6mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcTEp6QRJ9L
    /Z6jfCbVN7w6XUhtldU/SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WTauPrINHV
    UHmImoqKwba9oUgYftzYgBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9ntSZz0rd
    KOtfJqGVWEjVGv7XJz/9kNF2ht0csGBc8w2o7uCJob054ThO2m67Np375SFTWsPK
    6Wrxoj7bQ7gzyE84FJKZ9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0HKKlS43N
    b3Y3LIU/Gs4m6Ri+kAewQ3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL6TEa/y4Z
    XDlx4b6cpwoG1iZnt5LmTl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+16oh7cGvm
    oLr9Oj9FpsToFpFSi0HASIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8M4+uKIw8
    y4+ICw2/O/TOHnuO77Xry7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrFhsP2JjMM
    B0ug0wcCampAMEhLNKhRILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy1lKQ/a+F
    SCH5Vzu0nAPthkX0tGFuv2jiJmCG6sivqf6UHedjGzqGVnhO
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
    RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV
    UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
    Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG
    SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y
    ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If
    xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV
    ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO
    DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ
    jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/
    CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi
    EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM
    fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY
    uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK
    chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t
    9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
    hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD
    ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2
    SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd
    +SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc
    fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa
    sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N
    cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N
    0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie
    4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI
    r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
    /YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
    gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
    -----END CERTIFICATE-----
  3. Run the following commands to verify the GPG key and its issuer with the icp4a-cert-from-2023.pem and icp4a-issuer-from-2023.pem files.
    Table 3. Commands to verify certificate issuance and validity for icp4a-pubkey-from-2023.gpg

    Command:
      openssl x509 -text -in icp4a-cert-from-2023.pem
    Description:
      Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM and that the "Issuer" is www.digicert.com: the icp4a-cert-from-2023.pem certificate is signed by Digicert.

    Command:
      gpg2 -v --list-packets icp4a-pubkey-from-2023.gpg
    Description:
      Displays the GPG public key. Verify that pkey[0] is identical to the "Modulus" of icp4a-cert-from-2023.pem. A match confirms that icp4a-pubkey-from-2023.gpg is the public key (in GPG format) that belongs to the IBM Cloud Pak for Business Automation certificate.

    Command:
      openssl ocsp -no_nonce \
        -issuer icp4a-issuer-from-2023.pem \
        -cert icp4a-cert-from-2023.pem \
        -VAfile icp4a-issuer-from-2023.pem \
        -text -url http://ocsp.digicert.com
    Description:
      Queries Digicert's Online Certificate Status Protocol (OCSP) responder about icp4a-cert-from-2023.pem and verifies the response with the issuer certificate. A status of "good" confirms that Digicert issued the certificate and has not revoked it.

If you want to verify the icp4a-pubkey-2021-2023.gpg file, which is used to sign images from August 2021 (21.0.1-IF004) to March 2023:

  1. Create a file icp4a-cert-2021-2023.pem and add the following public certificate in the PEM format.

    -----BEGIN CERTIFICATE-----
    MIIFdDCCBFygAwIBAgIQDofrKzCsbdRrg6R+pu8vWTANBgkqhkiG9w0BAQsFADBy
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg
    SUQgQ29kZSBTaWduaW5nIENBMB4XDTE5MDYyNzAwMDAwMFoXDTIxMDcwMTEyMDAw
    MFowgbAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG
    QXJtb25rMTQwMgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVz
    IENvcnBvcmF0aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJu
    YXRpb25hbCBCdXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCASIwDQYJKoZI
    hvcNAQEBBQADggEPADCCAQoCggEBAMCTZAwu9qGHHajCkPJqxCjQTfojtUz9h0rU
    n2UACCwcEkW+f8/Q/OcJ+ecUDDZwKPj1+1gE3yivEk5KS5ATeneHP+DbUL2Ouyur
    Cg181ujlZFSwjEDSEv3LBXwS+44sAp01jQAI4Ee/aDzYpJr9tkyDds8DcivWNlne
    ONCsDPADO+GnYGi/kXBTTFiqb0PAJv93jJhoQnbyMVavAZ1GdUe6iiG7k/JShAym
    3ivCJTXJvcJpto0SkajhkXb/TuxV2FK/WJ6p9Axr+sLpdwUAvKC3+/HNAN5KQ+XF
    ZvzAGrOr+yAjklvAbojnl/cQw/rt3+9bMDrYU1teTwNYxEvNYMcCAwEAAaOCAcUw
    ggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5YMB0GA1UdDgQWBBRh
    HPobjHmPzyDJZsLVBlf/zImp5jAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
    KwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NybDMuZGlnaWNlcnQu
    Y29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0dHA6Ly9jcmw0LmRp
    Z2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwGA1UdIARFMEMwNwYJ
    YIZIAYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv
    bS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYIKwYBBQUHMAGGGGh0
    dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZCaHR0cDovL2NhY2Vy
    dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRENvZGVTaWduaW5n
    Q0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBACCmH7YUx2O/
    3s599Fk1I8kOJvtkGTccrsrwOEumDiS3BWQJbUKqilr2IhGUA2c1O/zfi0uA3Oem
    Fm3a4wwgtrvme7AkWJNgIdH9FeHGOVan6mB5E318UJ7WJGErPiqk0Xoq0bFGfsoh
    oDSX8INKi2hiEa0Aurt+3FZr0IoJkPyscUSoK/mWZx3dUI1+hXozLhfWZjKnC9wj
    9pa6OKHqvS0Xfl/VQyzX59d3w4bzcalb+kK5N7/dbBlcopvWF5jCOD+WZxkn2Xhe
    aGrTT9LluqInVZ7UR5lQ4iDC7v09i37MoeBZiV20xMHUSVTj4F1ecSdthphymute
    GOc/2vekRHo=
    -----END CERTIFICATE-----
  2. Create a file icp4a-issuer-2021-2023.pem and add the following issuer public certificate in the PEM format.
    -----BEGIN CERTIFICATE-----
    MIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBl
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
    b3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQG
    EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
    cnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBT
    aWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8O
    Ea9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq
    8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRp
    wsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/p
    fMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3
    jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczye
    n6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV
    HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBr
    MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH
    MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ
    RFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj
    ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6
    Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmww
    TwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
    d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsq
    CqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgP
    MA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHX
    fgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddf
    RHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8Al
    EeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+
    L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8
    B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHv
    -----END CERTIFICATE-----
  3. Run the following commands to verify the GPG key and its issuer with the icp4a-cert-2021-2023.pem and icp4a-issuer-2021-2023.pem files.
    Table 4. Commands to verify certificate issuance and validity for icp4a-pubkey-2021-2023.gpg

    Command:
      openssl x509 -text -in icp4a-cert-2021-2023.pem
    Description:
      Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM and that the "Issuer" is www.digicert.com: the icp4a-cert-2021-2023.pem certificate is signed by Digicert.

    Command:
      gpg2 -v --list-packets icp4a-pubkey-2021-2023.gpg
    Description:
      Displays the GPG public key. Verify that pkey[0] is identical to the "Modulus" of icp4a-cert-2021-2023.pem. A match confirms that icp4a-pubkey-2021-2023.gpg is the public key (in GPG format) that belongs to the IBM Cloud Pak for Business Automation certificate.

    Command:
      openssl ocsp -no_nonce \
        -issuer icp4a-issuer-2021-2023.pem \
        -cert icp4a-cert-2021-2023.pem \
        -VAfile icp4a-issuer-2021-2023.pem \
        -text -url http://ocsp.digicert.com
    Description:
      Queries Digicert's Online Certificate Status Protocol (OCSP) responder about icp4a-cert-2021-2023.pem and verifies the response with the issuer certificate. A status of "good" confirms that Digicert issued the certificate and has not revoked it.

If you want to verify the icp4a-pubkey-upto-2021.gpg file, which is used to sign images up to August 2021 (21.0.1-IF004):

  1. Create a file icp4a-cert-upto-2021.pem and add the following public certificate in the PEM format.

    -----BEGIN CERTIFICATE-----
    MIIFdDCCBFygAwIBAgIQDofrKzCsbdRrg6R+pu8vWTANBgkqhkiG9w0BAQsFADBy
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg
    SUQgQ29kZSBTaWduaW5nIENBMB4XDTE5MDYyNzAwMDAwMFoXDTIxMDcwMTEyMDAw
    MFowgbAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG
    QXJtb25rMTQwMgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVz
    IENvcnBvcmF0aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJu
    YXRpb25hbCBCdXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCASIwDQYJKoZI
    hvcNAQEBBQADggEPADCCAQoCggEBAMCTZAwu9qGHHajCkPJqxCjQTfojtUz9h0rU
    n2UACCwcEkW+f8/Q/OcJ+ecUDDZwKPj1+1gE3yivEk5KS5ATeneHP+DbUL2Ouyur
    Cg181ujlZFSwjEDSEv3LBXwS+44sAp01jQAI4Ee/aDzYpJr9tkyDds8DcivWNlne
    ONCsDPADO+GnYGi/kXBTTFiqb0PAJv93jJhoQnbyMVavAZ1GdUe6iiG7k/JShAym
    3ivCJTXJvcJpto0SkajhkXb/TuxV2FK/WJ6p9Axr+sLpdwUAvKC3+/HNAN5KQ+XF
    ZvzAGrOr+yAjklvAbojnl/cQw/rt3+9bMDrYU1teTwNYxEvNYMcCAwEAAaOCAcUw
    ggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5YMB0GA1UdDgQWBBRh
    HPobjHmPzyDJZsLVBlf/zImp5jAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI
    KwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NybDMuZGlnaWNlcnQu
    Y29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0dHA6Ly9jcmw0LmRp
    Z2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwGA1UdIARFMEMwNwYJ
    YIZIAYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv
    bS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYIKwYBBQUHMAGGGGh0
    dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZCaHR0cDovL2NhY2Vy
    dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRENvZGVTaWduaW5n
    Q0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBACCmH7YUx2O/
    3s599Fk1I8kOJvtkGTccrsrwOEumDiS3BWQJbUKqilr2IhGUA2c1O/zfi0uA3Oem
    Fm3a4wwgtrvme7AkWJNgIdH9FeHGOVan6mB5E318UJ7WJGErPiqk0Xoq0bFGfsoh
    oDSX8INKi2hiEa0Aurt+3FZr0IoJkPyscUSoK/mWZx3dUI1+hXozLhfWZjKnC9wj
    9pa6OKHqvS0Xfl/VQyzX59d3w4bzcalb+kK5N7/dbBlcopvWF5jCOD+WZxkn2Xhe
    aGrTT9LluqInVZ7UR5lQ4iDC7v09i37MoeBZiV20xMHUSVTj4F1ecSdthphymute
    GOc/2vekRHo=
    -----END CERTIFICATE-----
  2. Create a file icp4a-issuer-upto-2021.pem and add the following issuer public certificate in the PEM format.
    -----BEGIN CERTIFICATE-----
    MIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBl
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
    b3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQG
    EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl
    cnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBT
    aWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8O
    Ea9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq
    8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRp
    wsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/p
    fMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3
    jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczye
    n6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV
    HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBr
    MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH
    MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ
    RFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj
    ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6
    Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmww
    TwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
    d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsq
    CqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgP
    MA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHX
    fgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddf
    RHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8Al
    EeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+
    L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8
    B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHv
    -----END CERTIFICATE-----
  3. Run the following commands to verify the GPG key and its issuer with the icp4a-cert-upto-2021.pem and icp4a-issuer-upto-2021.pem files.
    Table 5. Commands to verify certificate issuance and validity for icp4a-pubkey-upto-2021.gpg

    Command:
      openssl x509 -text -in icp4a-cert-upto-2021.pem
    Description:
      Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM and that the "Issuer" is www.digicert.com: the icp4a-cert-upto-2021.pem certificate is signed by Digicert.

    Command:
      gpg2 -v --list-packets icp4a-pubkey-upto-2021.gpg
    Description:
      Displays the GPG public key. Verify that pkey[0] is identical to the "Modulus" of icp4a-cert-upto-2021.pem. A match confirms that icp4a-pubkey-upto-2021.gpg is the public key (in GPG format) that belongs to the IBM Cloud Pak for Business Automation certificate.

    Command:
      openssl ocsp -no_nonce \
        -issuer icp4a-issuer-upto-2021.pem \
        -cert icp4a-cert-upto-2021.pem \
        -VAfile icp4a-issuer-upto-2021.pem \
        -text -url http://ocsp.digicert.com
    Description:
      Queries Digicert's Online Certificate Status Protocol (OCSP) responder about icp4a-cert-upto-2021.pem and verifies the response with the issuer certificate. A status of "good" confirms that Digicert issued the certificate and has not revoked it.
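The three checks in Tables 2 to 5 are the same for every key, only the file names change, so they are easy to script. The following POSIX shell script is an added example and is not part of IBM's documentation: it automates the pkey[0]-versus-Modulus comparison that the tables ask you to do by eye, then runs a chain check with openssl verify (which the page does not list) and the OCSP query. File names follow the page; the function names, the --check flag and the constructed sample listing are this example's own, and openssl and gpg2 must be installed for the file-based checks.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): automate the "pkey[0] equals
# Modulus" comparison from the tables above and wrap the chain and OCSP checks.
# File names follow the page; every function name here is this script's own.

# Normalize hex from either tool: drop a "Modulus=" prefix, whitespace and
# leading zero bytes, then upper-case, so the two outputs compare equal.
normalize_hex() {
  printf '%s' "$1" \
    | sed -e 's/^Modulus=//' -e 's/[[:space:]]//g' -e 's/^\(00\)*//' \
    | tr 'abcdef' 'ABCDEF'
}

# Pull pkey[0] (the RSA modulus) out of `gpg2 -v --list-packets` text on stdin.
modulus_from_gpg_listing() {
  awk '/pkey\[0\]:/ { sub(/.*pkey\[0\]:[ \t]*/, ""); print; exit }'
}

# True only when both moduli are non-empty and identical after normalization.
keys_match() {
  a=$(normalize_hex "$1")
  b=$(normalize_hex "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# The same two values read from real files (needs openssl and gpg2 installed).
cert_modulus() { openssl x509 -noout -modulus -in "$1"; }
gpg_key_modulus() { gpg2 -v --list-packets "$1" 2>/dev/null | modulus_from_gpg_listing; }

# verify_key_pair CERT.pem ISSUER.pem KEY.gpg [EPOCH]
#   1. GPG key modulus equals the certificate modulus
#   2. certificate chains to the issuer file (evaluated at EPOCH when given,
#      because the code-signing certificates for the older keys have expired)
#   3. Digicert's OCSP responder verifies and reports the certificate as "good"
verify_key_pair() {
  cert=$1; issuer=$2; key=$3; attime=${4:-}
  if ! keys_match "$(cert_modulus "$cert")" "$(gpg_key_modulus "$key")"; then
    echo "FAIL: modulus of $key differs from $cert" >&2; return 1
  fi
  if [ -n "$attime" ]; then
    openssl verify -attime "$attime" -CAfile "$issuer" "$cert" >/dev/null || return 1
  else
    openssl verify -CAfile "$issuer" "$cert" >/dev/null || return 1
  fi
  out=$(openssl ocsp -no_nonce -issuer "$issuer" -cert "$cert" \
          -VAfile "$issuer" -url http://ocsp.digicert.com 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'Response verify OK' \
    && printf '%s\n' "$out" | grep -q ': good'
}

# Constructed gpg2 --list-packets excerpt for an offline self-check; the hex
# is made up and is not IBM's key.
sample_listing() {
  printf ':public key packet:\n\tversion 4, algo 1, created 1561592178, expires 0\n'
  printf '\tpkey[0]: C0936400BBDA861C\n\tpkey[1]: 010001\n'
}

if [ "${1:-}" = "--check" ]; then
  verify_key_pair "$2" "$3" "$4" "${5:-}" && echo "OK: $4 matches $2 and the chain and OCSP checks passed"
else
  m=$(sample_listing | modulus_from_gpg_listing)
  keys_match "Modulus=c0936400bbda861c" "$m" && echo "sample modulus matches: $m"
fi
```

Run it as `sh verify-key.sh --check icp4a-cert-from-2024.pem icp4a-issuer-from-2024.pem icp4a-pubkey-from-2024.gpg`; without arguments it only exercises the parsing on the constructed sample. Two caveats for the older keys: their code-signing certificates have passed their expiry dates, so openssl verify rejects them unless an epoch inside their validity period is supplied as the optional fifth argument, and the icp4a-issuer-2021-2023.pem and icp4a-issuer-upto-2021.pem files contain only the intermediate CA, so the Digicert root must be in the system trust store for that chain to complete.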

Cleaning up local images and caches

Before any test or use of the image signature, you must clean up the container images and the local cache, even if your image pull policy is "always". If an image is cached locally, it is not pulled again, and the image signature verification does not take place.

# On every worker node: list the locally stored Cloud Pak images, take their
# image IDs (third column of "podman images") and force-remove them.
# "xargs -r" skips the removal on nodes that hold no such image, so the loop
# does not fail with an empty argument list.
for node in $(oc get no -l node-role.kubernetes.io/worker --no-headers -o name); do
    oc debug $node -- chroot /host sh -c "podman images | grep -e 'cp.icr.io/cp/cp4a' | awk '{print \$3}' | xargs -r podman rmi -f"
done

Scanning for vulnerabilities

All the container images pass rigorous image vulnerability scans during the development lifecycle, but new vulnerabilities are discovered almost every day. It is likely that most of the vulnerabilities that you find are related to the Linux® kernel or to a few embedded packages. IBM tracks these vulnerabilities and provides fixes for them in fix packs or subsequent releases. To find out more, you can contact IBM support.