Verifying container image integrity
About this task
IBM Cloud Pak for Business Automation provides container images in the IBM® Entitled Registry that are signed following the approach from Red Hat. You can use the signature to verify that the images come from IBM when they are pulled onto the system. For more information about the signature verification, see Verifying signatures of Red Hat container images.
Cloud Pak for Business Automation installs a number of dependencies, such as IBM Cloud Pak foundational services, which has its own signature validation process.
Red Hat OpenShift can be configured to verify container image signatures upon pulling images from a specific location. See Container image signatures for details about Red Hat's signatures of Red Hat OpenShift images. Images for IBM Cloud Pak for Business Automation are signed by using GPG keys, which in turn are signed by a certificate chain with Digicert as its root. The signing key changed multiple times. Therefore, multiple keys must be configured in the signature policy.
The following sections can be used to verify the IBM Cloud Pak for Business Automation signature on the container images.
- Creating files that contain GPG public keys to pull images
- Creating a policy to require signed images
- Signature validation in Linux command-line tools
- Optional: Verifying key material
- Cleaning up local images and caches
- Scanning for vulnerabilities
Creating files that contain GPG public keys to pull images
File name for GPG key | Date |
---|---|
icp4a-pubkey-upto-2021.gpg |
For images released before August 2021. |
icp4a-pubkey-2021-2023.gpg |
For images released between August 2021 and March 2023. |
icp4a-pubkey-from-2023.gpg |
For images released in March 2023 and later. |
icp4a-pubkey-from-2024.gpg |
For images released in December 2024 and later. |
- Create a file
icp4a-pubkey-upto-2021.gpg
and add the following public key in the GNU Privacy Guard (GPG) format. This is the public key that is used for signing images before August 2021 (up to and including 21.0.1-IF004). These images might be in the same cluster as more recent versions.-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBF0UBwABCADAk2QMLvahhx2owpDyasQo0E36I7VM/YdK1J9lAAgsHBJFvn/P 0PznCfnnFAw2cCj49ftYBN8orxJOSkuQE3p3hz/g21C9jrsrqwoNfNbo5WRUsIxA 0hL9ywV8EvuOLAKdNY0ACOBHv2g82KSa/bZMg3bPA3Ir1jZZ3jjQrAzwAzvhp2Bo v5FwU0xYqm9DwCb/d4yYaEJ28jFWrwGdRnVHuoohu5PyUoQMpt4rwiU1yb3CabaN EpGo4ZF2/07sVdhSv1ieqfQMa/rC6XcFALygt/vxzQDeSkPlxWb8wBqzq/sgI5Jb wG6I55f3EMP67d/vWzA62FNbXk8DWMRLzWDHABEBAAG0BWljcDRhiQE5BBMBCAAj BQJdFAcAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQcjTsJWhPPpnT hgf/ZYjAuPqiiHtJkmm1Nrw5HSCKHMsiHwUc1y5lb+J+xxfz7B3Jm07r/R82h6zI ZNnUTpgWzbEM7NazSAPcfL/KQXd3jw713hIXr2D4wzyMnvVAPJz0U/FUXDkZeTil U04PT4T9BF5b+kIh560TuouY4bot2QFhuBMnKasLMMrXx1PXbySH9OHWc5bnx3J6 j+/d7TMj7MsdVgraoqmPtM68fOQUXyn0FCsx2M4kQRllGp7Wv0rIXVVh5lbT7VFs OP+8LBBj1DEfCuffQc/21jO4DkC3nalWhXW5jAcAnTLlzKWsAxm/YJLfRYzeAOHa mgv9nt/uDfwf0GasJw0cEeNq0A== =9hbX -----END PGP PUBLIC KEY BLOCK-----
- Create a file
icp4a-pubkey-2021-to-2023.gpg
and add the following public key in the GNU Privacy Guard (GPG) format. This is the public key that is used for signing images before March 2023 (up to and including 21.0.3-IF018 and 22.0.2-IF002).-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBGChsgABCADZ1OhWUebPgUYn8V2GDYpWeTKu8Yq2ghAIgooas8mAqdK8Bxid oA6X4KcPY+RwXvVGjIfaVfR2pAqw6ZwwwVZ5CEo1eTtf9gGfdchYE7+beTOGTuzk 5uhz86fpYvmq7TVki2SnpsF40LnqcHGkOyQ1Lqcys4J+6qAYSv43sgOWvlTr/GJS nDbqpES0N/4Lk2s4nb2iPJqB4zpwj1dtWJXvxLReclV5KFgrdpikHTfUgrxt1HbU NgRpXd8XLT8ovoP0I32Qc/ayyUGHon/vdNOMwHDLyXstwkqB70SEU/772bsUA7e0 l+w7T4HubOEEvwoRWtsoNBXWFB++0PxLDurPABEBAAG0BWljcDRhiQE5BBMBCAAj BQJgobIAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQfFz5ejnxNlAc PwgAxA7Jh6a4IKzlkLtI5FXabjZMVu81HjtrgRd4ZxnjciOHwdtjPaNZLd8HoSko MniMWlUdHsyzFiBAQG1ohSg2CzotzwJe5m0zH09bji7P6DLd39tWraolOaqbHdZS gLhNf50xfqVcq8uw/v/mFsc8eSczdrcxVH3wlWzczdmPGHFLnHsbhAlIJ/PLzN1l H/Nlm259peZ7V5uAIcq1wLLKvpRWYU0/weGXfcnQYKHkEPHWDNv+kRjD8Q89Vby+ iDbn11I2GoJQeWYzCA7CXGrdeXO57MHSDOULQh22Aioq3CxmV3CRUCmATMYHw9oT RWIGtCYOx2BHh1HRAeB1vlOzIw== =SIpv -----END PGP PUBLIC KEY BLOCK-----
- Create a file icp4a-pubkey-from-2023.gpg and add the following public key
in the GNU Privacy Guard (GPG) format. This key can be used to pull images from March 2023 to
November 2024 (up to
24.0.0-IF003).
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGPJZX8BEADAO/bfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo NEZB3/FWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB 5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ/B /J/6jZL/ecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A/cLA6sPh7sDTzSmyJp/27 6ch3MijuxHLAdEFdR/oWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f fDKK7BBMt/csgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn MuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG u1vQuGHJchwcGYRIDvgeYC+lw/q/jECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw B38/boAujKCpCkvZFhP5OIylEmyCfRCZ/0ul8hvzS3kCjG5QSjBVcHolK75++CXb 6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx 0B0mZ3RTUXR92Y/Uy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl/D7g1WywARAQAB tC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t PokCOgQTAQgAJAUCY8llfwIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJA8Jm/wAK CRBxj1JAiOfS1LE1EAC+EnV5Mx3etxyOQT6rgaWlyfoiSmXaxUOZwY5EWt0Zu5P4 mJ30KOdlqBjlLs43uFwxrXY7tjUpcSOpvK18SE4Z5UO3MB0WqKynN4bX2CDuDPuY ltDFsr2+hPpaicKkVw3uSHjxlaX67o/c3Hw9xBpgl1TfBXqjreYzmlCvzER6MZQx R7I+ZmiFqTWAdwfZnvUMmEsfXPpkOFBaVLgDaOjKYBTk0ddz8vf/7rdvTaKizg1j iBrai2JsILI//Ph+xHlh9GejAkbkP/59YVmu/1rVr86WkuWplYjMkiU8eJz2ob52 omzGqRWY6Z2HwT7vV8ffQ1Uo4dKAUqzqoIBVcX58UkC27uMON3/DcTzpk+xjlcvu IxJ4j3vKcaZlgXI55Hd1BLhhj668gYoH8eGTFRBfM8V41sadB5ZL8NnNMPPntcHx ZlljbKkxay44OPGa6Fs/dMkfp4rIFkzriaVkW8s9tCNwZGIS8sI9mQYUzV5Dmurn NVAa0JnoZYgJmk9HjEJVBOOdHcJA/GQkF2tvKSmkFMUsUOTeLaytiG9btOnvf6fz AEFoJLzQldqvba10uT9XxVxEENn7qDO4Nihtk/aDuPQcUeHqvDGvNSqaXq9Dq4T4 ESeuzJRr1X2AKu1WFZdhFSCKr5nF4iChCIj05iAiUar3LqlT3OJxvcAOdWKJzg== =CUKh -----END PGP PUBLIC KEY BLOCK-----
- Create a file icp4a-pubkey-from-2024.gpg and add the following public key
in the GNU Privacy Guard (GPG) format. This key can be used to pull images from December 2024 and
onwards (starting with
24.0.0-IF004).
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGcyQU0BEADAO/bfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo NEZB3/FWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB 5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ/B /J/6jZL/ecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A/cLA6sPh7sDTzSmyJp/27 6ch3MijuxHLAdEFdR/oWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f fDKK7BBMt/csgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn MuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG u1vQuGHJchwcGYRIDvgeYC+lw/q/jECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw B38/boAujKCpCkvZFhP5OIylEmyCfRCZ/0ul8hvzS3kCjG5QSjBVcHolK75++CXb 6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx 0B0mZ3RTUXR92Y/Uy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl/D7g1WywARAQAB tC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t PokCOgQTAQgAJAUCZzJBTQIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAK CRC0lqyjOeABc5p+D/4uVq6HmZQ7B2oTYYBoOa6xBMdnI91GQPaoGRhAwAPzQh8W jw5fNiBJCLPVzTCIh26MJUwBWLXSZtlBDIg7zFEgXqUMqtS4qMuLTnBHyovx30hQ zJyH6DkCCeBTqS06oq2N3comsCk+pbLlHSEMZlDR1WrZE2omi7P42ET9wQn4Px+c iHmy07qJDoV4HyZEYAJ6LSyEXy8l0XTaqhMEerrFMKcLQGXsy0y0Al4/kvmtSuyw hZaAadMsaPV+2rSz8yfyjNUDf7ZPh2whelV3VYfaVHnuy7S+RRCFqAeOtIAxOpai ++hxazlf03mgnPQH7WGSvjaz8sWtEUUMYFE0mnwusrK0DObOXd76qghkifN1IRiS bUPvfa15U1/CwC0C5xFRWQfgrX2EwqUYNMiHqKRYxz8+LEC+vdT03naLzyxpAKwM 6bZ2laNJYNofQd7dYU+Co4oWrCTGfFLD/LYnejzWYR7Drt5Ppz1qgW1q5J1Qi7+V s7+w4ga8n61Ta2zaDcccgdn/TG0IO8bWnxgwKwZS8w3wj+GFx70o4fIlH++PhL1/ zdI2jfH4XqvjT+mx3LNpfEXUOquIl9ikkRZMG787lqdjr1L58YF9BdZPtqs5RufU mGzh82sCEmw9GaSJiGQb/fcoSIolqbLmEj4Aqy/hA6QSthBu58CGLOs91SevQQ== =Jn52 -----END PGP PUBLIC KEY BLOCK-----
Creating a policy to require signed images
A security policy can deny or allow images to be pulled, or require a trust relationship for pulling images. This can be done for entire image registries or specific parts of image registries. For more information, see Controlling what image sources can be deployed.
The following policy is least intrusive, as it requires images that are pulled from
cp.icr.io/cp/cp4a
to be signed by using any of the GPG keys listed in the
keyPaths
array. Images from any other container registry and other parts inside of
cp.icr.io
are accepted without signatures.
If you can provide public keys for signature validation of all applications and their
dependencies in your Red Hat OpenShift cluster, you can set the default type to
reject
.
Create a file and name it policy.json, then include the following content:
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports": {
"docker": {
"cp.icr.io/cp/cp4a": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPaths": ["/etc/pki/icp4a-pubkey-upto-2021.gpg", "/etc/pki/icp4a-pubkey-2021-2023.gpg", "/etc/pki/icp4a-pubkey-from-2023.gpg", "/etc/pki/icp4a-pubkey-from-2024.gpg"]
}
]
}
}
}
You can use a MachineConfig
object to inject the GPG public key files and the
policy.json
file into the nodes. The following example includes all GPG public key
files inline in the URL encoded format (machine-config.yaml
).
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: worker
name: image-signature
spec:
config:
ignition:
version: 3.2.0
storage:
files:
- contents:
source: >-
data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQENBF0UBwABCADAk2QMLvahhx2owpDyasQo0E36I7VM%2FYdK1J9lAAgsHBJFvn%2FP%0A0PznCfnnFAw2cCj49ftYBN8orxJOSkuQE3p3hz%2Fg21C9jrsrqwoNfNbo5WRUsIxA%0A0hL9ywV8EvuOLAKdNY0ACOBHv2g82KSa%2FbZMg3bPA3Ir1jZZ3jjQrAzwAzvhp2Bo%0Av5FwU0xYqm9DwCb%2Fd4yYaEJ28jFWrwGdRnVHuoohu5PyUoQMpt4rwiU1yb3CabaN%0AEpGo4ZF2%2F07sVdhSv1ieqfQMa%2FrC6XcFALygt%2FvxzQDeSkPlxWb8wBqzq%2FsgI5Jb%0AwG6I55f3EMP67d%2FvWzA62FNbXk8DWMRLzWDHABEBAAG0BWljcDRhiQE5BBMBCAAj%0ABQJdFAcAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQcjTsJWhPPpnT%0Ahgf%2FZYjAuPqiiHtJkmm1Nrw5HSCKHMsiHwUc1y5lb+J+xxfz7B3Jm07r%2FR82h6zI%0AZNnUTpgWzbEM7NazSAPcfL%2FKQXd3jw713hIXr2D4wzyMnvVAPJz0U%2FFUXDkZeTil%0AU04PT4T9BF5b+kIh560TuouY4bot2QFhuBMnKasLMMrXx1PXbySH9OHWc5bnx3J6%0Aj+%2Fd7TMj7MsdVgraoqmPtM68fOQUXyn0FCsx2M4kQRllGp7Wv0rIXVVh5lbT7VFs%0AOP+8LBBj1DEfCuffQc%2F21jO4DkC3nalWhXW5jAcAnTLlzKWsAxm%2FYJLfRYzeAOHa%0Amgv9nt%2FuDfwf0GasJw0cEeNq0A%3D%3D%0A%3D9hbX%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
filesystem: root
mode: 420
path: /etc/pki/icp4a-pubkey-upto-2021.gpg
- contents:
source: >-
data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQENBGChsgABCADZ1OhWUebPgUYn8V2GDYpWeTKu8Yq2ghAIgooas8mAqdK8Bxid%0AoA6X4KcPY+RwXvVGjIfaVfR2pAqw6ZwwwVZ5CEo1eTtf9gGfdchYE7+beTOGTuzk%0A5uhz86fpYvmq7TVki2SnpsF40LnqcHGkOyQ1Lqcys4J+6qAYSv43sgOWvlTr%2FGJS%0AnDbqpES0N%2F4Lk2s4nb2iPJqB4zpwj1dtWJXvxLReclV5KFgrdpikHTfUgrxt1HbU%0ANgRpXd8XLT8ovoP0I32Qc%2FayyUGHon%2FvdNOMwHDLyXstwkqB70SEU%2F772bsUA7e0%0Al+w7T4HubOEEvwoRWtsoNBXWFB++0PxLDurPABEBAAG0BWljcDRhiQE5BBMBCAAj%0ABQJgobIAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQfFz5ejnxNlAc%0APwgAxA7Jh6a4IKzlkLtI5FXabjZMVu81HjtrgRd4ZxnjciOHwdtjPaNZLd8HoSko%0AMniMWlUdHsyzFiBAQG1ohSg2CzotzwJe5m0zH09bji7P6DLd39tWraolOaqbHdZS%0AgLhNf50xfqVcq8uw%2Fv%2FmFsc8eSczdrcxVH3wlWzczdmPGHFLnHsbhAlIJ%2FPLzN1l%0AH%2FNlm259peZ7V5uAIcq1wLLKvpRWYU0%2FweGXfcnQYKHkEPHWDNv+kRjD8Q89Vby+%0AiDbn11I2GoJQeWYzCA7CXGrdeXO57MHSDOULQh22Aioq3CxmV3CRUCmATMYHw9oT%0ARWIGtCYOx2BHh1HRAeB1vlOzIw%3D%3D%0A%3DSIpv%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
filesystem: root
mode: 420
path: /etc/pki/icp4a-pubkey-2021-2023.gpg
- contents:
source: >-
data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQINBGPJZX8BEADAO%2Fbfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo%0ANEZB3%2FFWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB%0A5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ%2FB%0A%2FJ%2F6jZL%2FecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A%2FcLA6sPh7sDTzSmyJp%2F27%0A6ch3MijuxHLAdEFdR%2FoWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f%0AfDKK7BBMt%2FcsgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn%0AMuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG%0Au1vQuGHJchwcGYRIDvgeYC+lw%2Fq%2FjECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw%0AB38%2FboAujKCpCkvZFhP5OIylEmyCfRCZ%2F0ul8hvzS3kCjG5QSjBVcHolK75++CXb%0A6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx%0A0B0mZ3RTUXR92Y%2FUy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl%2FD7g1WywARAQAB%0AtC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t%0APokCOgQTAQgAJAUCY8llfwIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJA8Jm%2FwAK%0ACRBxj1JAiOfS1LE1EAC+EnV5Mx3etxyOQT6rgaWlyfoiSmXaxUOZwY5EWt0Zu5P4%0AmJ30KOdlqBjlLs43uFwxrXY7tjUpcSOpvK18SE4Z5UO3MB0WqKynN4bX2CDuDPuY%0AltDFsr2+hPpaicKkVw3uSHjxlaX67o%2Fc3Hw9xBpgl1TfBXqjreYzmlCvzER6MZQx%0AR7I+ZmiFqTWAdwfZnvUMmEsfXPpkOFBaVLgDaOjKYBTk0ddz8vf%2F7rdvTaKizg1j%0AiBrai2JsILI%2F%2FPh+xHlh9GejAkbkP%2F59YVmu%2F1rVr86WkuWplYjMkiU8eJz2ob52%0AomzGqRWY6Z2HwT7vV8ffQ1Uo4dKAUqzqoIBVcX58UkC27uMON3%2FDcTzpk+xjlcvu%0AIxJ4j3vKcaZlgXI55Hd1BLhhj668gYoH8eGTFRBfM8V41sadB5ZL8NnNMPPntcHx%0AZlljbKkxay44OPGa6Fs%2FdMkfp4rIFkzriaVkW8s9tCNwZGIS8sI9mQYUzV5Dmurn%0ANVAa0JnoZYgJmk9HjEJVBOOdHcJA%2FGQkF2tvKSmkFMUsUOTeLaytiG9btOnvf6fz%0AAEFoJLzQldqvba10uT9XxVxEENn7qDO4Nihtk%2FaDuPQcUeHqvDGvNSqaXq9Dq4T4%0AESeuzJRr1X2AKu1WFZdhFSCKr5nF4iChCIj05iAiUar3LqlT3OJxvcAOdWKJzg%3D%3D%0A%3DCUKh%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
filesystem: root
mode: 420
path: /etc/pki/icp4a-pubkey-from-2023.gpg
- contents:
source: >-
data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----mQINBGcyQU0BEADAO%2Fbfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo%NEZB3%2FFWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB%5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ%2FB%%2FJ%2F6jZL%2FecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A%2FcLA6sPh7sDTzSmyJp%2F27%6ch3MijuxHLAdEFdR%2FoWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f%fDKK7BBMt%2FcsgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn%MuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG%u1vQuGHJchwcGYRIDvgeYC+lw%2Fq%2FjECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw%B38%2FboAujKCpCkvZFhP5OIylEmyCfRCZ%2F0ul8hvzS3kCjG5QSjBVcHolK75++CXb%6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx%0B0mZ3RTUXR92Y%2FUy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl%2FD7g1WywARAQAB%tC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t%PokCOgQTAQgAJAUCZzJBTQIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAK%CRC0lqyjOeABc5p+D%2F4uVq6HmZQ7B2oTYYBoOa6xBMdnI91GQPaoGRhAwAPzQh8W%jw5fNiBJCLPVzTCIh26MJUwBWLXSZtlBDIg7zFEgXqUMqtS4qMuLTnBHyovx30hQ%zJyH6DkCCeBTqS06oq2N3comsCk+pbLlHSEMZlDR1WrZE2omi7P42ET9wQn4Px+c%iHmy07qJDoV4HyZEYAJ6LSyEXy8l0XTaqhMEerrFMKcLQGXsy0y0Al4%2FkvmtSuyw%hZaAadMsaPV+2rSz8yfyjNUDf7ZPh2whelV3VYfaVHnuy7S+RRCFqAeOtIAxOpai%++hxazlf03mgnPQH7WGSvjaz8sWtEUUMYFE0mnwusrK0DObOXd76qghkifN1IRiS%bUPvfa15U1%2FCwC0C5xFRWQfgrX2EwqUYNMiHqKRYxz8+LEC+vdT03naLzyxpAKwM%6bZ2laNJYNofQd7dYU+Co4oWrCTGfFLD%2FLYnejzWYR7Drt5Ppz1qgW1q5J1Qi7+V%s7+w4ga8n61Ta2zaDcccgdn%2FTG0IO8bWnxgwKwZS8w3wj+GFx70o4fIlH++PhL1%2F%zdI2jfH4XqvjT+mx3LNpfEXUOquIl9ikkRZMG787lqdjr1L58YF9BdZPtqs5RufU%mGzh82sCEmw9GaSJiGQb%2FfcoSIolqbLmEj4Aqy%2FhA6QSthBu58CGLOs91SevQQ%0A%0A%%0AJn52-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
filesystem: root
mode: 420
path: /etc/pki/icp4a-pubkey-from-2024.gpg
- contents:
source: >-
data:,%7B%0D%0A%20%20%20%20%22default%22%3A%20%5B%0D%0A%20%20%20%20%20%20%7B%0D%0A%20%20%20%20%20%20%20%22type%22%3A%20%22insecureAcceptAnything%22%0D%0A%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%5D,%0D%0A%20%20%20%20%22transports%22%3A%20%7B%0D%0A%20%20%20%20%20%20%22docker%22%3A%20%7B%0D%0A%20%20%20%20%20%20%20%20%22cp.icr.io%2Fcp%2Fcp4a%22%3A%20%5B%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22signedBy%22,%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%22keyType%22%3A%20%22GPGKeys%22,%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%22keyPaths%22%3A%20%5B%22%2Fetc%2Fpki%2Ficp4a-pubkey-upto-2021.gpg%22,%20%22%2Fetc%2Fpki%2Ficp4a-pubkey-2021-2023.gpg%22,%20%22%2Fetc%2Fpki%2Ficp4a-pubkey-from-2023.gpg,%20%22%2Fetc%2Fpki%2Ficp4a-pubkey-from-2024.gpg%22%5D%0D%0A%20%20%20%20%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%20%20%20%20%5D%0D%0A%20%20%20%20%20%20%7D%0D%0A%20%20%20%20%7D%0D%0A%7D
filesystem: root
mode: 420
path: /etc/containers/policy.json
You can decode the files into clear text by using a URL decoder, and then apply the
MachineConfig
resource:
oc apply -f machine-config.yaml
You can watch the rebooted worker nodes as they apply the updated policy:
oc get mcp
If you are running a starter pattern, PodDisruptionBudgets
on some pods might
prevent a node from restarting gracefully. You can force deletion of pods on the nodes by first
identifying a node for which scheduling is disabled:
oc get node
Use the node name to delete the pods on this node:
node=...
oc delete pod --field-selector="spec.nodeName=$node" --all-namespaces
Signature validation in Linux command-line tools
When it comes to inspecting and transporting images, skopeo is a useful tool as it does not need a docker or a daemon. It can be used easily in continuous integration (CI) pipelines to copy images between two registries, provide credentials for secured registries, or to promote images from a development registry into production.
If you pull the images from the IBM Entitled Registry with skopeo, you can enable the container
image signature verification. The icp4a-pubkey-upto-2021.gpg
,
icp4a-pubkey-2021-2023.gpg
, icp4a-pubkey-from-2023.gpg
, and
icp4a-pubkey-from-2024.gpg
files that you created can be used to verify the images
under a certain repository and path.
In the following example, images are pulled from cp.icr.io/cp/cp4a
and verified
with the GPG public key that is in the icp4a-pubkey-from-2024.gpg
file. All images
are rejected, except the signed images in the cp4a
folder.
The keyPaths
array is not supported in podman
and
skopeo
. Instead, you need to point to a specific key file by using the
keyPath
parameter (icp4a-pubkey-from-2024.gpg
).
Create a file and name it policy-2.json, then include the following content:
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"cp.icr.io/cp/cp4a": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "icp4a-pubkey-from-2024.gpg"
}
]
}
}
}
cp.icr.io
is specified, all of the images that are not signed under this
folder are rejected. The skopeo command has the useful option --policy
policy-2.json
, which sets a specific policy file instead of using the default
/etc/containers/policy.json
file.The following sample pulls one image into the local file system and validates its signature.
skopeo --policy ./policy-2.json copy docker://cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64 dir:./ban
When you pull images by using podman
, you can provide a
--signature-policy policy2.json
option to point to a policy file.
Referencing the correct public key for signature validation, images can be pulled.
podman pull --signature-policy policy-2.json cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64
Trying to pull cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64...
Getting image source signatures
Checking if image destination supports signatures
...
Pulling images fail when the policy file references another public key.
podman pull --signature-policy policy-1.json cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64
Trying to pull cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64...
None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637354, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637429, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
Error: error pulling image "cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64": unable to pull cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64: unable to pull image: Source image rejected: None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637354, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637429, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
Verifying key material
You can verify the public keys once, and you do not need to repeat the process when you apply policies to multiple clusters.
If you want to verify the icp4a-pubkey-from-2024.gpg
file, which is used to sign
images from December 2024:
-
Create a file
icp4a-cert-from-2024.pem
and add the following public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIHljCCBX6gAwIBAgIQBqryQeC8iRAuWmp8GI81ZDANBgkqhkiG9w0BAQsFADBp MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0 IDIwMjEgQ0ExMB4XDTI0MTAxMDAwMDAwMFoXDTI2MTAwOTIzNTk1OVowgZ0xCzAJ BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGQXJtb25rMTQw MgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0 aW9uMTQwMgYDVQQDEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENv cnBvcmF0aW9uMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwDv232ns +L3Y1yLmXzRaqTqQDh87PPRIQYLsRlR1HcdprRlGaDRGQd/xVlTviJZluXJWazUr 6AQwhdaFet1AwYmVHKBNZUtB7CkCboRCsWagVEWTgeRNdhI31W0usZ/kdxLm3XqQ cJTcL9awqtrp+Cg4cWO6YZdIsANblrsZ+MlNCykPwfyf+o2S/3nEo5cyE2DbG3zs JghXkYY5nksbjKG81nfQP3CwOrD4e7A080psiaf9u+nIdzIo7sRywHRBXUf6Fr8o eFytOHUUUIdnnLCdpufhLEtQ3mGxYcHYLzBrQVc+n3wyiuwQTLf3LIE/cGV+AQ/e ygzxXQLADTQueYqWCMTCogw67LhydXg9VKmlBnUzpzLk/gAtUX7I3G8cJdBSLX3U NKwVBZhxMNak0nAzWvlkin5Y9/OpT1eYVp3jhufFBrtb0LhhyXIcHBmESA74HmAv pcP6v4xAqoHi65ycfSVXDFJpE2w8X0wxnvNpiKm4sAd/P26ALoygqQpL2RYT+TiM pRJsgn0Qmf9LpfIb80t5AoxuUEowVXB6JSu+fvgl2+smDWsJkGFYz5NSrjXumPk1 ZdJ7GKrUhI55JzuC0bCl9mR8ZAEophaiQo2wBEIhMdAdJmd0U1F0fdmP1Mu117br MphpXgpFvmx7NhdPvYt9pfTbsYJfw+4NVssCAwEAAaOCAgMwggH/MB8GA1UdIwQY MBaAFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB0GA1UdDgQWBBTEsx2YOiP6YqWh6lsj gTXn4F3PqjA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRw Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM MAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwzLmRp Z2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNI QTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5jb20v RGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0Ex LmNybDCBlAYIKwYBBQUHAQEEgYcwgYQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw LmRpZ2ljZXJ0LmNvbTBcBggrBgEFBQcwAoZQaHR0cDovL2NhY2VydHMuZGlnaWNl cnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0 MjAyMUNBMS5jcnQwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAgEAZv157KwX lQBf4jjavOplJqEkGMjSe5o5PvJE1+vQkFHpuJ19Kw5fW5EgKHQunzXu0ae+UwRT +sUl3XXiszZ3WUTL8PD/OAE1t3k9FHccIlhSuySKGecu0YE4b4cXhDcIzVh7Gic2 pBGgiD48+wg4JrnpFhol6fGFN5OJx30VJmSedgJ/fwADRyqAZCF1/xtU9HugmELg 7Hvbc+CFjeW5PLmdxLxf4zDX6LHEblXT9Pphria4aats0qe2DziMHIkZuBWDqBDa wDbfRThezGeLtyQq+JHtl7t6/lMlEck/uKpnMlwNah7FE7vzxgCyGMBPhDJBsbVt Q74U5SJqTGn9LpormoK5pXKKmwuEQqydurNrnL0Mqy4jnlRA/c77QedvGa+moo0R EkxGOtXvydkzQnE/hXTFsGTFlhy1DVFvaKnBCJtY6YZLJ2VVRnCeQcwlTq1rzn4v B0x7yb7XaN+Ww1R1wG3kfZ2VTi+cPCtDH9AEVsJZyJOMQ+u2corlOgpmz7nB2w1I C8alYEIbrAfDq3Mg74Yu2jXyIPKxzZRlRAvx3n6cr8omtWNU7pIoN9Vm6q4+nH0+ 7XzeF74EjXosS9AKseTyrHMuXOFQDT2nea2T3BpQyfluo5DzWEGit8Pz5IU7sFvT 6G2qgpCwQDwWS6ygsCyxzVcmb/3GIkcJ+xY= -----END CERTIFICATE-----
- Create a file
icp4a-issuer-from-2024.pem
and add the following issuer public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIGsDCCBJigAwIBAgIQCK1AsmDSnEyfXs2pvZOu2TANBgkqhkiG9w0BAQwFADBi MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg RzQwHhcNMjEwNDI5MDAwMDAwWhcNMzYwNDI4MjM1OTU5WjBpMQswCQYDVQQGEwJV UzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRy dXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMIIC IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1bQvQtAorXi3XdU5WRuxiEL1 M4zrPYGXcMW7xIUmMJ+kjmjYXPXrNCQH4UtP03hD9BfXHtr50tVnGlJPDqFX/IiZ wZHMgQM+TXAkZLON4gh9NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXzENOLsvsI 8IrgnQnAZaf6mIBJNYc9URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bqHPNlaJGi TUyCEUhSaN4QvRRXXegYE2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTCfMjqGzLm ysL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3S vUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tv k2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+ 960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3s MJN2FKZbS110YU0/EpF23r9Yy3IQKUHw1cVtJnZoEUETWJrcJisB9IlNWdt4z4FK PkBHX8mBUHOFECMhWWCKZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0IU0F8WD1H s/q27IwyCQLMbDwMVhECAwEAAaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAw HQYDVR0OBBYEFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaAFOzX44LS cV1kTN8uZz/nupiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEF BQcDAzB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp Z2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu Y29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYy aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5j cmwwHAYDVR0gBBUwEzAHBgVngQwBAzAIBgZngQwBBAEwDQYJKoZIhvcNAQEMBQAD ggIBADojRD2NCHbuj7w6mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcTEp6QRJ9L /Z6jfCbVN7w6XUhtldU/SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WTauPrINHV UHmImoqKwba9oUgYftzYgBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9ntSZz0rd KOtfJqGVWEjVGv7XJz/9kNF2ht0csGBc8w2o7uCJob054ThO2m67Np375SFTWsPK 6Wrxoj7bQ7gzyE84FJKZ9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0HKKlS43N b3Y3LIU/Gs4m6Ri+kAewQ3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL6TEa/y4Z XDlx4b6cpwoG1iZnt5LmTl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+16oh7cGvm oLr9Oj9FpsToFpFSi0HASIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8M4+uKIw8 y4+ICw2/O/TOHnuO77Xry7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrFhsP2JjMM B0ug0wcCampAMEhLNKhRILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy1lKQ/a+F SCH5Vzu0nAPthkX0tGFuv2jiJmCG6sivqf6UHedjGzqGVnhO -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/ CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t 9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2 SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd +SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N 0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie 4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1 /YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+ -----END CERTIFICATE-----
- Run the following commands to verify the GPG key and its issuer with the
icp4a-cert-from-2024.pem
andicp4a-issuer-from-2024.pem
files.Table 2. Commands to verify certificate issuance and validity for icp4a-pubkey-from-2024.gpg Command Description openssl x509 -text -in icp4a-cert-from-2024.pem
Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM, and the "Issuer" is www.digicert.com. The icp4a-cert-from-2024.pem certificate is signed by Digicert. gpg2 -v --list-packets icp4a-pubkey-from-2024.gpg
Displays the GPG public key. Verify that pkey[0] is the same as the "Modulus" of icp4a-cert-from-2024.pem. The command validates that icp4a-pubkey-from-2024.gpg is the public key (in GPG format) for IBM Cloud Pak for Business Automation. openssl ocsp -no_nonce \ -issuer icp4a-issuer-from-2024.pem \ -cert icp4a-cert-from-2024.pem \ -VAfile icp4a-issuer-from-2024.pem \ -text -url http://ocsp.digicert.com
Verifies that the certificate icp4a.pem comes from Digicert by using the Online Certificate Status Protocol (OCSP).
If you want to verify the icp4a-pubkey-from-2023.gpg
file, which is used to sign
images from March 2023:
-
Create a file
icp4a-cert-from-2023.pem
and add the following public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIHrDCCBZSgAwIBAgIQDw7smApOleo+HxSb9Nw/nTANBgkqhkiG9w0BAQsFADBp MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0 IDIwMjEgQ0ExMB4XDTIzMDExNjAwMDAwMFoXDTI0MTEwNzIzNTk1OVowgbAxCzAJ BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGQXJtb25rMTQw MgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0 aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJuYXRpb25hbCBC dXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCAiIwDQYJKoZIhvcNAQEBBQAD ggIPADCCAgoCggIBAMA79t9p7Pi92Nci5l80Wqk6kA4fOzz0SEGC7EZUdR3Haa0Z Rmg0RkHf8VZU74iWZblyVms1K+gEMIXWhXrdQMGJlRygTWVLQewpAm6EQrFmoFRF k4HkTXYSN9VtLrGf5HcS5t16kHCU3C/WsKra6fgoOHFjumGXSLADW5a7GfjJTQsp D8H8n/qNkv95xKOXMhNg2xt87CYIV5GGOZ5LG4yhvNZ30D9wsDqw+HuwNPNKbImn /bvpyHcyKO7EcsB0QV1H+ha/KHhcrTh1FFCHZ5ywnabn4SxLUN5hsWHB2C8wa0FX Pp98MorsEEy39yyBP3BlfgEP3soM8V0CwA00LnmKlgjEwqIMOuy4cnV4PVSppQZ1 M6cy5P4ALVF+yNxvHCXQUi191DSsFQWYcTDWpNJwM1r5ZIp+WPfzqU9XmFad44bn xQa7W9C4YclyHBwZhEgO+B5gL6XD+r+MQKqB4uucnH0lVwxSaRNsPF9MMZ7zaYip uLAHfz9ugC6MoKkKS9kWE/k4jKUSbIJ9EJn/S6XyG/NLeQKMblBKMFVweiUrvn74 JdvrJg1rCZBhWM+TUq417pj5NWXSexiq1ISOeSc7gtGwpfZkfGQBKKYWokKNsARC ITHQHSZndFNRdH3Zj9TLtde26zKYaV4KRb5sezYXT72LfaX027GCX8PuDVbLAgMB AAGjggIGMIICAjAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNV HQ4EFgQUxLMdmDoj+mKloepbI4E15+Bdz6owDgYDVR0PAQH/BAQDAgeAMBMGA1Ud JQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwz LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5 NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5j b20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIx Q0ExLmNybDA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRw Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsG AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0 dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVT aWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAwGA1UdEwEB/wQCMAAwDQYJ KoZIhvcNAQELBQADggIBAF/Liexfoe54yBVD5kArBWUM+pLn6QL77paywkbg6knP iBvQMRiyTcCcyVwrBSw+Y0WS2TfJ8PH+0YozF20DD9XCmnQ6ESTdGK5PWN1jnz1p pS6yiksvgYCmqr3bTxnTQRnX7UTNX0JcAKa147T0dXj7cOd1pgZ0u6jDCXkLkQ4H AvM/jFcPohe3zdyHJIbGmCUbV895KqQqBwj8znhL24mSQOTiYZPLh33A/UfqLaPN ws1iGCwViDk5pD4+ygVQ7Fcxx77GrTmqU1DmJrcG2/tkPmJsdHdxI01k1RaExVnL 0kLL7QsagtdxxRpkwbA87s6l2wu+yakdk642OIJqNcH1b+E7mO1tgCR4zzkOrr70 TWbxI8Rgfm6AuVJMwdnbHRCX1vqxf+B1s0MxMeC8Q0ihC17T+j5BE0T6ghgbceE7 oYa49bOv2Gl/mvWtEJdMEg2fhLEdemgUubOf7zGDy5Y2rkIgvHgX2PC7xyxE8gjH gRE2vbo59f/5cbkrttdh0ydmM0qJassAFJBTAtIyQGHEIRhynO3/OkFOeqbnd8Rx cSbCS8NI0lXuoFjvfYGCjRA3p7EdUbc2WZGsfM729cYoJCkT8ReTyxK+/uLD7Vw8 5R+S47yuqQWWHh+nBThRrVNUbwz3DI2Hi5+GlBWH7giDKYxdWzb83pJEYvbvdTHz -----END CERTIFICATE-----
- Create a file
icp4a-issuer-from-2023.pem
and add the following issuer public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIGsDCCBJigAwIBAgIQCK1AsmDSnEyfXs2pvZOu2TANBgkqhkiG9w0BAQwFADBi MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg RzQwHhcNMjEwNDI5MDAwMDAwWhcNMzYwNDI4MjM1OTU5WjBpMQswCQYDVQQGEwJV UzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRy dXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMIIC IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1bQvQtAorXi3XdU5WRuxiEL1 M4zrPYGXcMW7xIUmMJ+kjmjYXPXrNCQH4UtP03hD9BfXHtr50tVnGlJPDqFX/IiZ wZHMgQM+TXAkZLON4gh9NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXzENOLsvsI 8IrgnQnAZaf6mIBJNYc9URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bqHPNlaJGi TUyCEUhSaN4QvRRXXegYE2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTCfMjqGzLm ysL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3S vUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tv k2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+ 960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3s MJN2FKZbS110YU0/EpF23r9Yy3IQKUHw1cVtJnZoEUETWJrcJisB9IlNWdt4z4FK PkBHX8mBUHOFECMhWWCKZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0IU0F8WD1H s/q27IwyCQLMbDwMVhECAwEAAaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAw HQYDVR0OBBYEFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaAFOzX44LS cV1kTN8uZz/nupiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEF BQcDAzB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp Z2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu Y29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYy aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5j cmwwHAYDVR0gBBUwEzAHBgVngQwBAzAIBgZngQwBBAEwDQYJKoZIhvcNAQEMBQAD ggIBADojRD2NCHbuj7w6mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcTEp6QRJ9L /Z6jfCbVN7w6XUhtldU/SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WTauPrINHV UHmImoqKwba9oUgYftzYgBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9ntSZz0rd KOtfJqGVWEjVGv7XJz/9kNF2ht0csGBc8w2o7uCJob054ThO2m67Np375SFTWsPK 6Wrxoj7bQ7gzyE84FJKZ9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0HKKlS43N b3Y3LIU/Gs4m6Ri+kAewQ3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL6TEa/y4Z XDlx4b6cpwoG1iZnt5LmTl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+16oh7cGvm oLr9Oj9FpsToFpFSi0HASIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8M4+uKIw8 y4+ICw2/O/TOHnuO77Xry7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrFhsP2JjMM B0ug0wcCampAMEhLNKhRILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy1lKQ/a+F SCH5Vzu0nAPthkX0tGFuv2jiJmCG6sivqf6UHedjGzqGVnhO -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/ CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t 9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2 SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd +SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N 0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie 4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1 /YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+ -----END CERTIFICATE-----
- Run the following commands to verify the GPG key and its issuer with the
icp4a-cert-from-2023.pem
andicp4a-issuer-from-2023.pem
files.Table 3. Commands to verify certificate issuance and validity for icp4a-pubkey-from-2023.gpg Command Description openssl x509 -text -in icp4a-cert-from-2023.pem
Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM, and the "Issuer" is www.digicert.com. The icp4a-cert-from-2023.pem certificate is signed by Digicert. gpg2 -v --list-packets icp4a-pubkey-from-2023.gpg
Displays the GPG public key. Verify that pkey[0] is the same as the "Modulus" of icp4a-cert-from-2023.pem. The command validates that icp4a-pubkey-from-2023.gpg is the public key (in GPG format) for IBM Cloud Pak for Business Automation. openssl ocsp -no_nonce \ -issuer icp4a-issuer-from-2023.pem \ -cert icp4a-cert-from-2023.pem \ -VAfile icp4a-issuer-from-2023.pem \ -text -url http://ocsp.digicert.com
Verifies that the certificate icp4a.pem comes from Digicert by using the Online Certificate Status Protocol (OCSP).
If you want to verify the icp4a-pubkey-2021-2023.gpg
file, which is used to sign
images from August 2021 (21.0.1-IF004) to March 2023:
-
Create a file
icp4a-cert-2021-2023.pem
and add the following public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIFdDCCBFygAwIBAgIQDofrKzCsbdRrg6R+pu8vWTANBgkqhkiG9w0BAQsFADBy MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg SUQgQ29kZSBTaWduaW5nIENBMB4XDTE5MDYyNzAwMDAwMFoXDTIxMDcwMTEyMDAw MFowgbAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG QXJtb25rMTQwMgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVz IENvcnBvcmF0aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJu YXRpb25hbCBCdXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMCTZAwu9qGHHajCkPJqxCjQTfojtUz9h0rU n2UACCwcEkW+f8/Q/OcJ+ecUDDZwKPj1+1gE3yivEk5KS5ATeneHP+DbUL2Ouyur Cg181ujlZFSwjEDSEv3LBXwS+44sAp01jQAI4Ee/aDzYpJr9tkyDds8DcivWNlne ONCsDPADO+GnYGi/kXBTTFiqb0PAJv93jJhoQnbyMVavAZ1GdUe6iiG7k/JShAym 3ivCJTXJvcJpto0SkajhkXb/TuxV2FK/WJ6p9Axr+sLpdwUAvKC3+/HNAN5KQ+XF ZvzAGrOr+yAjklvAbojnl/cQw/rt3+9bMDrYU1teTwNYxEvNYMcCAwEAAaOCAcUw ggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5YMB0GA1UdDgQWBBRh HPobjHmPzyDJZsLVBlf/zImp5jAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI KwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NybDMuZGlnaWNlcnQu Y29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0dHA6Ly9jcmw0LmRp Z2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwGA1UdIARFMEMwNwYJ YIZIAYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv bS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYIKwYBBQUHMAGGGGh0 dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZCaHR0cDovL2NhY2Vy dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRENvZGVTaWduaW5n Q0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBACCmH7YUx2O/ 3s599Fk1I8kOJvtkGTccrsrwOEumDiS3BWQJbUKqilr2IhGUA2c1O/zfi0uA3Oem Fm3a4wwgtrvme7AkWJNgIdH9FeHGOVan6mB5E318UJ7WJGErPiqk0Xoq0bFGfsoh oDSX8INKi2hiEa0Aurt+3FZr0IoJkPyscUSoK/mWZx3dUI1+hXozLhfWZjKnC9wj 9pa6OKHqvS0Xfl/VQyzX59d3w4bzcalb+kK5N7/dbBlcopvWF5jCOD+WZxkn2Xhe aGrTT9LluqInVZ7UR5lQ4iDC7v09i37MoeBZiV20xMHUSVTj4F1ecSdthphymute GOc/2vekRHo= -----END CERTIFICATE-----
- Create a file
icp4a-issuer-2021-2023.pem
and add the following issuer public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBl MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv b3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQG EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl cnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBT aWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8O Ea9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq 8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRp wsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/p fMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3 jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczye n6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBr MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ RFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmww TwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsq CqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgP MA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHX fgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddf RHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8Al EeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+ L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8 B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHv -----END CERTIFICATE-----
- Run the following commands to verify the GPG key and its issuer with the
icp4a-cert-2021-2023.pem
andicp4a-issuer-2021-2023.pem
files.Table 4. Commands to verify certificate issuance and validity for icp4a-pubkey-2021-2023.gpg Command Description openssl x509 -text -in icp4a-cert-2021-2023.pem
Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM, and the "Issuer" is www.digicert.com. The icp4a-cert-2021-2023.pem certificate is signed by Digicert. gpg2 -v --list-packets icp4a-pubkey-2021-2023.gpg
Displays the GPG public key. Verify that pkey[0] is the same as the "Modulus" of icp4a-cert-2021-2023.pem. The command validates that icp4a-pubkey-2021-2023.gpg is the public key (in GPG format) for IBM Cloud Pak for Business Automation. openssl ocsp -no_nonce \ -issuer icp4a-issuer-2021-2023.pem \ -cert icp4a-cert-2021-2023.pem \ -VAfile icp4a-issuer-2021-2023.pem \ -text -url http://ocsp.digicert.com
Verifies that the certificate icp4a.pem comes from Digicert by using the Online Certificate Status Protocol (OCSP).
If you want to verify the icp4a-pubkey-upto-2021.gpg
file, which is used to sign
images up to August 2021 (21.0.1-IF004):
-
Create a file
icp4a-cert-upto-2021.pem
and add the following public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIFdDCCBFygAwIBAgIQDofrKzCsbdRrg6R+pu8vWTANBgkqhkiG9w0BAQsFADBy MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg SUQgQ29kZSBTaWduaW5nIENBMB4XDTE5MDYyNzAwMDAwMFoXDTIxMDcwMTEyMDAw MFowgbAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG QXJtb25rMTQwMgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVz IENvcnBvcmF0aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJu YXRpb25hbCBCdXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMCTZAwu9qGHHajCkPJqxCjQTfojtUz9h0rU n2UACCwcEkW+f8/Q/OcJ+ecUDDZwKPj1+1gE3yivEk5KS5ATeneHP+DbUL2Ouyur Cg181ujlZFSwjEDSEv3LBXwS+44sAp01jQAI4Ee/aDzYpJr9tkyDds8DcivWNlne ONCsDPADO+GnYGi/kXBTTFiqb0PAJv93jJhoQnbyMVavAZ1GdUe6iiG7k/JShAym 3ivCJTXJvcJpto0SkajhkXb/TuxV2FK/WJ6p9Axr+sLpdwUAvKC3+/HNAN5KQ+XF ZvzAGrOr+yAjklvAbojnl/cQw/rt3+9bMDrYU1teTwNYxEvNYMcCAwEAAaOCAcUw ggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5YMB0GA1UdDgQWBBRh HPobjHmPzyDJZsLVBlf/zImp5jAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI KwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NybDMuZGlnaWNlcnQu Y29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0dHA6Ly9jcmw0LmRp Z2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwGA1UdIARFMEMwNwYJ YIZIAYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv bS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYIKwYBBQUHMAGGGGh0 dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZCaHR0cDovL2NhY2Vy dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRENvZGVTaWduaW5n Q0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBACCmH7YUx2O/ 3s599Fk1I8kOJvtkGTccrsrwOEumDiS3BWQJbUKqilr2IhGUA2c1O/zfi0uA3Oem Fm3a4wwgtrvme7AkWJNgIdH9FeHGOVan6mB5E318UJ7WJGErPiqk0Xoq0bFGfsoh oDSX8INKi2hiEa0Aurt+3FZr0IoJkPyscUSoK/mWZx3dUI1+hXozLhfWZjKnC9wj 9pa6OKHqvS0Xfl/VQyzX59d3w4bzcalb+kK5N7/dbBlcopvWF5jCOD+WZxkn2Xhe aGrTT9LluqInVZ7UR5lQ4iDC7v09i37MoeBZiV20xMHUSVTj4F1ecSdthphymute GOc/2vekRHo= -----END CERTIFICATE-----
- Create a file
icp4a-issuer-upto-2021.pem
and add the following issuer public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBl MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv b3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQG EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl cnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBT aWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8O Ea9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq 8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRp wsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/p fMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3 jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczye n6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBr MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ RFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmww TwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsq CqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgP MA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHX fgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddf RHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8Al EeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+ L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8 B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHv -----END CERTIFICATE-----
- Run the following commands to verify the GPG key and its issuer with the
icp4a-cert-upto-2021.pem
andicp4a-issuer-upto-2021.pem
files.Table 5. Commands to verify certificate issuance and validity for icp4a-pubkey-upto-2021.gpg Command Description openssl x509 -text -in icp4a-cert-upto-2021.pem
Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM, and the "Issuer" is www.digicert.com. The icp4a-cert-upto-2021.pem certificate is signed by Digicert. gpg2 -v --list-packets icp4a-pubkey-upto-2021.gpg
Displays the GPG public key. Verify that pkey[0] is the same as the "Modulus" of icp4a-cert-upto-2021.pem. The command validates that icp4a-pubkey-upto-2021.gpg is the public key (in GPG format) for IBM Cloud Pak for Business Automation. openssl ocsp -no_nonce \ -issuer icp4a-issuer-upto-2021.pem \ -cert icp4a-cert-upto-2021.pem \ -VAfile icp4a-issuer-upto-2021.pem \ -text -url http://ocsp.digicert.com
Verifies that the certificate icp4a.pem comes from Digicert by using the Online Certificate Status Protocol (OCSP).
Cleaning up local images and caches
Before any test or use of the image signature, you must clean up the container images and the
local cache, even if your image pull policy is "always
". If an image is cached
locally, it is not pulled again, and the image signature verification does not take place.
for node in $(oc get no -l node-role.kubernetes.io/worker --no-headers -o name); do
oc debug $node -- chroot /host sh -c "podman images | grep -e 'cp.icr.io/cp/cp4a' | awk '{print \$3}' | xargs podman rmi -f "
done
Scanning for vulnerabilities
All the container images pass rigorous image vulnerability scans during the development lifecycle, but new vulnerabilities are discovered almost every day. It is likely that most of the vulnerabilities that you find are related to the Linux® kernel or to a few embedded packages. IBM tracks these vulnerabilities and provides fixes for them in fix packs or subsequent releases. To find out more, you can contact IBM support.