Validating Red Hat Service Interconnect container signatures

IBM Hybrid Cloud Mesh (Mesh) downloads and installs Red Hat® Service Interconnect images in your application clusters. If you want to manually verify that your Red Hat Service Interconnect images are authentic, use this procedure to check the container images.

Before you begin

Run the install_cosign.sh script to install Cosign. For more information, see Sigstore Installation.

Procedure

Use the IBM Cloud Container Registry (ICR) to verify the signatures of the Red Hat Service Interconnect images that are running as containers in your cloud-native infrastructure. Complete the following steps:

  1. Get the SHA-256 digest of the images that are running in your Kubernetes infrastructure by running the following command (kubectl needs the resource type before the name):
    kubectl describe pod <pod-name> | grep 'Image'
    Output that is similar to the following example is shown:
    Image:          icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456
    Image ID:       icr.io/container-registry-production/amd64_skupper-agent@sha256:abc123
    In the example output, the SHA is: abc123
  2. Log in to the ICR.
    For example, run a command like this:
    echo <icr_password> | docker login -u <icr_username> --password-stdin icr.io/container-registry-production
  3. Pull the signed images from the ICR. Check that the registry digest of each pulled image matches the digest that you obtained from your infrastructure. Run commands like these:
    docker pull icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456
    ...
    docker inspect --format "{{index .RepoDigests 0}}" icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456
    icr.io/container-registry-production/amd64_skupper-agent@sha256:abc123
    The value after @ must equal the Image ID digest from step 1. Do not compare against "{{.Id}}": that field is the local image configuration hash, which is a different value from the manifest digest that Kubernetes reports.
  4. Copy the following public key into the cosign.pub file. Cosign uses this key to verify the image signatures (the matching private key was used to sign the images):
    -----BEGIN PUBLIC KEY-----
    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtTKXKRfuX2aDUG6e6oB1mv9bMp
    /h2amIbRSJFcQdzNIg0SlIMlQ49dpCWouZY1UfnJTdz0vcZvLUroThmzc/EA==
    -----END PUBLIC KEY-----
  5. Run a command like this to verify the signatures of the images that you pulled from the ICR:
    cosign verify --key ~/cosign.pub icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456 | jq .
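The following script ties steps 1, 3 and 5 together: it extracts the digest that Kubernetes reports, extracts the digest of the image pulled from ICR, refuses to continue if they differ, and only then runs cosign verify against the digest rather than the tag (so a retagged image cannot pass). It is an added example written for this page, not a script shipped by IBM or Red Hat; the function names, the constructed sample output (SAMPLE_DESCRIBE and SAMPLE_INSPECT, with placeholder digests copied from the procedure) and the default key path ~/cosign.pub are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM documentation): compare the digest that
# Kubernetes reports for a running container with the digest of the image
# pulled from ICR, then verify the Cosign signature by digest.
set -eu

# Extract the sha256 digest from the "Image ID:" line of `kubectl describe pod` output.
# Usage: k8s_digest "<describe output>"
k8s_digest() {
  printf '%s\n' "$1" | sed -n 's/.*Image ID:.*@\(sha256:[0-9a-f]*\).*/\1/p' | head -n 1
}

# Extract the sha256 digest from a docker RepoDigests entry (repo@sha256:...).
repo_digest() {
  printf '%s\n' "$1" | sed -n 's/.*@\(sha256:[0-9a-f]*\).*/\1/p' | head -n 1
}

# Return 0 when both digests are present and identical, 1 otherwise.
# An empty digest (parse failure) is treated as a mismatch, never as a pass.
digests_match() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Live check against a cluster and registry; needs kubectl, docker, cosign and jq.
# Usage: verify_pod_image <pod-name> <image:tag> [path-to-cosign.pub]
verify_pod_image() {
  local pod="$1" image_ref="$2" key="${3:-$HOME/cosign.pub}"
  local running pulled
  running=$(k8s_digest "$(kubectl describe pod "$pod")")
  docker pull "$image_ref" >/dev/null
  pulled=$(repo_digest "$(docker inspect --format '{{index .RepoDigests 0}}' "$image_ref")")
  if ! digests_match "$running" "$pulled"; then
    echo "digest mismatch: cluster=$running registry=$pulled" >&2
    return 1
  fi
  # Verify the exact digest that is running, not the mutable tag.
  cosign verify --key "$key" "${image_ref%:*}@$running" | jq .
}

# Constructed sample output mirroring the shapes shown in the procedure.
# The digests are the placeholders from the procedure, not real values.
SAMPLE_DESCRIBE='    Image:          icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456
    Image ID:       icr.io/container-registry-production/amd64_skupper-agent@sha256:abc123'
SAMPLE_INSPECT='icr.io/container-registry-production/amd64_skupper-agent@sha256:abc123'

# Offline demonstration of the parsing and comparison logic on the sample data.
if digests_match "$(k8s_digest "$SAMPLE_DESCRIBE")" "$(repo_digest "$SAMPLE_INSPECT")"; then
  echo "sample digests match: $(k8s_digest "$SAMPLE_DESCRIBE")"
else
  echo "sample digests differ" >&2
fi
```

Run the live check with a real pod and image reference, for example verify_pod_image skupper-agent-xyz icr.io/container-registry-production/amd64_skupper-agent:0.0.0-def456; the offline part at the bottom only exercises the parsing on the constructed sample.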