Verifying the image

Edit online

Verify the integrity of the IBM Digital Asset Haven Hybrid plugin by downloading the archive provided by IBM Support and validating its signature using the IBM GPG key and skopeo verification commands.

Before you begin

Download the plugin by following the instructions provided in
Download the public key issued by IBM, visit https://public.dhe.ibm.com/systems/digitalassets/digital-asset-haven-gpg-public-key.pem

About this task

Before deploying or upgrading the HSM Signer or IBM Digital Asset Haven plugin, it is critical to verify the integrity of the container image. This ensures the image is authentic and has not been tampered with.

Procedure

Verify the image signature by running the command:

 mkdir /opt/<installation_directory> 
cd /opt/<installation_directory> 
tar -zxvf IBM_DIGITAL_ASSET_HAVEN_HYBRID_v1.1.0.tgz

The compressed IBM_DIGITAL_ASSET_HAVEN_HYBRID.tgz file consists of the following files:

IBM_DIGITAL_ASSET_HAVEN_HYBRID_v1.1.0.tgz
IBM_DIGITAL_ASSET_HAVEN_HYBRID.asc

To verify the integrity of IBM Digital Asset Haven Hybrid image tar gz file, run the following command by using the signature file with the .asc suffix, and the public key that you downloaded with the suffix .pem, along with the image tar gz file.
```
gpg --import digital-asset-haven-hybrid-gpg-public-key.pem
gpg --verify IBM_DIGITAL_ASSET_HAVEN_HYBRID_v1.1.0.tgz.asc IBM_DIGITAL_ASSET_HAVEN_HYBRID_v1.1.0.tgz
```