Verifying image signatures

Digital signatures provide a way for consumers of content to ensure that what they download is both authentic (it originated from the expected source) and has integrity (it is what we expect it to be). Some images for IBM Cloud Pak® for Integration are signed. This page describes how to verify the signatures on those images.

Prerequisites

To perform signature verification:

  • Your machine must have these command line tools installed (they can usually be installed on Linux using the package manager):

  • The IBM Cloud Pak for Integration public keys must be present on the same machine as those tools. There are three public keys: one for images published before 2022-07-22, one for images published between 2022-07-23 and 2023-03-22, and one for images published after 2023-03-22. Copy the following text block exactly as shown into a text editor, and save it in a file named cp4i-public.gpg:

  • You must have a list of images to verify. To get a current list of container images used in Cloud Pak for Integration (image names and tags), refer to the procedure in Downloading container images.
    Note: The following procedure uses the example image icr.io/cpopen/ibm-integration-platform-navigator-catalog:0.0.0-0000-00-00-0000-a1234567, which is a placeholder for demonstration only and does not correspond to an image you can use in your own environment.

Procedure

  1. Import the Cloud Pak for Integration public key on the machine you prepared according to the Prerequisites section:

    sudo gpg2 --import cp4i-public.gpg

    This step needs to be done only once on each machine you use for signature verification.

  2. Calculate the fingerprints:

    fingerprint=$(sudo gpg2 --fingerprint --with-colons | grep 'cp4i\|ibm' -B1 | grep fpr | tr -d 'fpr:')

    This command stores the fingerprints of all matching keys in a shell variable called fingerprint, which is needed to verify the signature. The variable is lost when you exit your shell session; the next time you log in, set it again by rerunning the command.

  3. Create a directory for the image and use skopeo to pull it into local storage:

    mkdir images
    skopeo copy docker://icr.io/cpopen/ibm-integration-platform-navigator-catalog:0.0.0-0000-00-00-0000-a1234567 dir:./images

    This command downloads the image as a set of files and places them in the images directory (or another directory that you choose).
    Tip: Two of these files are the manifest, images/manifest.json, and the signature, images/signature-1. You reference both files in the next step (the command that verifies the signature).
  4. Verify the signature:

    for fp in ${fingerprint}; do sudo skopeo standalone-verify ./images/manifest.json icr.io/cpopen/ibm-integration-platform-navigator-catalog:0.0.0-0000-00-00-0000-a1234567 ${fp} ./images/signature-1; done

    You get output similar to this:

    FATA[0000] Error verifying signature: Signature by 0000000000000000000000000000000000000000 does not match expected fingerprint 1111111111111111111111111111111111111111
    FATA[0000] Error verifying signature: Signature by 0000000000000000000000000000000000000000 does not match expected fingerprint 2222222222222222222222222222222222222222
    Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000

    In this case, the image was not signed by the first key or the second key, which causes the first two errors; it was verified as signed by the third key. If the image is signed by one of the other keys, the messages appear in a different order.
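The loop in step 4 prints a message per key but never yields a single pass/fail result, and the fingerprint pipeline in step 2 relies on `tr` stripping letters out of the fpr line. The following wrapper is an added example, not code from the IBM documentation: it assumes the same gpg2 and skopeo commands and the ./images layout described above, and the VERIFY_CMD variable is a hypothetical hook so the key-selection logic can be exercised without skopeo installed.

```shell
#!/bin/sh
# Added example (not from the IBM page). Assumes gpg2 and skopeo as used in
# the steps above and the ./images layout produced by `skopeo copy`.

# extract_fingerprints: read `gpg2 --fingerprint --with-colons` output on stdin
# and print the primary-key fingerprint of every key whose user ID matches the
# extended regex in $1. It walks the pub/fpr/uid records (fingerprint and user
# ID are both field 10 of their record), so no character stripping is needed.
extract_fingerprints() {
  awk -F: -v pat="$1" '
    $1 == "pub"                           { fpr = "" }
    $1 == "fpr" && fpr == ""              { fpr = $10 }
    $1 == "uid" && fpr != "" && $10 ~ pat { print fpr; fpr = "" }
  '
}

# verify_image MANIFEST REFERENCE "FP1 FP2 ..." SIGFILE...
# Tries every trusted fingerprint against every signature file and returns 0
# on the first success, 1 if no trusted key signed the image. skopeo still
# prints "does not match expected fingerprint" for keys that do not match;
# with several trusted keys that is expected noise, not a failure.
# VERIFY_CMD is a hypothetical hook (default: skopeo) so this logic can be
# tested with a stub command.
verify_image() {
  manifest=$1; ref=$2; fps=$3; shift 3
  for sig in "$@"; do
    [ -e "$sig" ] || { echo "missing signature file: $sig" >&2; return 1; }
    for fp in $fps; do
      if ${VERIFY_CMD:-sudo skopeo standalone-verify} "$manifest" "$ref" "$fp" "$sig"; then
        echo "verified $ref with key $fp ($sig)"
        return 0
      fi
    done
  done
  echo "NOT VERIFIED: no trusted key signed $ref" >&2
  return 1
}

# Usage with the page's example image (run by hand; not executed here):
#   fps=$(sudo gpg2 --fingerprint --with-colons | extract_fingerprints 'cp4i|ibm')
#   verify_image ./images/manifest.json \
#     icr.io/cpopen/ibm-integration-platform-navigator-catalog:0.0.0-0000-00-00-0000-a1234567 \
#     "$fps" ./images/signature-* || exit 1
```

Because verify_image returns a non-zero status when no trusted key matches, it can gate a CI pipeline or a mirroring script, which the bare for loop cannot.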