IBM Hybrid Cloud Mesh (Mesh) downloads and installs Red Hat® Service Interconnect images in your application clusters. If you want to manually verify that your Red Hat Service Interconnect images are authentic, use this procedure to check the container images.
Before you begin
Run the install_cosign.sh script to install Cosign. For more information, see Sigstore Installation.
Procedure
Use the IBM Cloud Container Registry (ICR) to verify the signatures of the Red Hat Service Interconnect images that are running as containers in your cloud-native infrastructure. Complete the following steps:
- Get the Secure Hash Algorithm (SHA) of the images in your Kubernetes infrastructure by running the following command:
kubectl describe pod <pod-name> | grep 'Image'
Output that is similar to the following example is shown:
Image: icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456
Image ID: icr.io/container-registry-production/amd64_skupper-agent@sha256:abc123
In the example output, the SHA is:
abc123
- Log in to the ICR.
For example, run a command like this:
echo <icr_password> | docker login -u <icr_username> --password-stdin icr.io/container-registry-production
- Pull the signed images from the ICR. Check that the SHA of the images matches the SHA that you obtained from your infrastructure. Run a command like this (the repository digest is the value that Kubernetes reports as the Image ID, whereas the local image ID is a hash of the image configuration and does not match it):
docker pull icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456
...
docker inspect --format "{{index .RepoDigests 0}}" icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456
icr.io/container-registry-production/amd64_skupper-agent@sha256:abc123
- Copy the following public key into the cosign.pub file. This is the public half of the key pair that was used to sign the images; Cosign uses it to verify the signatures:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtTKXKRfuX2aDUG6e6oB1mv9bMp
/h2amIbRSJFcQdzNIg0SlIMlQ49dpCWouZY1UfnJTdz0vcZvLUroThmzc/EA==
-----END PUBLIC KEY-----
- Run a command like this to verify the signatures of the images that you pulled from the ICR:
cosign verify --key ~/cosign.pub icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456 | jq -r
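A tag such as 0.0.0-def456 can be re-pointed at a different image between the time you read the Image ID and the time you run cosign verify, so the signature check should be tied to the exact manifest digest that is running. The following Python example is added here and is not part of this IBM documentation; it parses the Image ID line that kubectl prints into an immutable repo@sha256 reference for cosign, and checks that a cosign verify JSON result covers exactly that repository and digest. The kubectl output and the cosign output are constructed samples, and the digests in them are placeholders, not real values.

```python
import json
import re

# Constructed sample of `kubectl describe pod <pod-name> | grep 'Image'` output (placeholder digest).
SAMPLE_DESCRIBE = """\
    Image:          icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456
    Image ID:       icr.io/container-registry-production/amd64_skupper-agent@sha256:abc123
"""

# Constructed sample of the JSON that `cosign verify ... | jq -r` prints (simple-signing payload).
SAMPLE_COSIGN_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "icr.io/container-registry-production/amd64_skupper-agent"},
        "image": {"docker-manifest-digest": "sha256:abc123"},
        "type": "cosign container image signature",
    },
    "optional": None,
}])

# Matches the 'Image ID:' lines only; the 'Image:' tag line is deliberately ignored.
IMAGE_ID_RE = re.compile(r"^\s*Image ID:\s+(?P<repo>\S+)@(?P<digest>sha256:[0-9a-f]+)\s*$", re.M)


def running_digests(describe_output):
    """Map repository -> manifest digest for every Image ID line that Kubernetes reports."""
    return {m.group("repo"): m.group("digest") for m in IMAGE_ID_RE.finditer(describe_output)}


def digest_reference(repo, digest):
    """Immutable reference to pass to cosign verify instead of the mutable tag."""
    return f"{repo}@{digest}"


def signature_covers_running_image(cosign_output, repo, digest):
    """True only if a verified signature is over exactly this repository and manifest digest."""
    for entry in json.loads(cosign_output):
        critical = entry.get("critical", {})
        if (critical.get("type") == "cosign container image signature"
                and critical.get("identity", {}).get("docker-reference") == repo
                and critical.get("image", {}).get("docker-manifest-digest") == digest):
            return True
    return False


if __name__ == "__main__":
    for repo, digest in running_digests(SAMPLE_DESCRIBE).items():
        # Print the exact command to run against the pinned digest, then check the result.
        print("cosign verify --key ~/cosign.pub", digest_reference(repo, digest))
        print("signature covers running image:",
              signature_covers_running_image(SAMPLE_COSIGN_OUTPUT, repo, digest))
```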