Verifying code signed images

You can verify that the images were created and uploaded by IBM. You also can verify the Mono2Micro-CLI.zip file, which provides the Mono2Micro command line tool.

Prerequisites

Ensure that the following command-line tools are installed on your computer: gpg (GNU Privacy Guard), skopeo, docker or podman, and jarsigner (shipped with Java). On Linux, you typically can install these tools with the package manager.

On the computer where the command-line tools are installed, copy the following text block exactly as shown into a text editor, and save it in a file named mono2micro-public.gpg. This text block represents the IBM Mono2Micro certified container public key in the GNU Privacy Guard format.


Verifying the image with signature

You can verify the image with a signature for trial or for entitled registry (ER) installations.

  1. Import the IBM Mono2Micro certified container public key.
    gpg --import mono2micro-public.gpg
  2. Prepare the fingerprint.

    fingerprint=$(gpg --fingerprint --with-colons "International Business Machines Corporation" | awk -F: '$1 == "fpr" { print $10; exit }')

    This command stores the primary key's fingerprint in the fingerprint shell variable, which the verification command in step 5 needs. Run it as the same user that imported the key in step 1, so that gpg reads the same keyring. When you exit your shell session, the variable is deleted; the next time that you log in to your computer, rerun the command to set it again.

  3. Check signatures of the pulled images.

    Based on the images that were installed with the Mono2Micro command line tool, run the docker images or podman images command to get the tags of the images that were used.

  4. Copy each image to a local directory. For example:

    skopeo copy docker://<repository_tag> dir:/<image_directory>

    For an ER installation, replace <repository_tag> with one of the following values.

    • icr.io/cp/mono2micro/mono2micro-cardinal:<version>
    • icr.io/cp/mono2micro/mono2micro-ui:<version>
    • icr.io/cp/mono2micro/mono2micro-aipl:<version>
    • icr.io/cp/mono2micro/mono2micro-bluejay:<version>

    For a trial installation, replace <repository_tag> with one of the following values.

    • icr.io/appcafe/mono2micro-cardinal:<version>
    • icr.io/appcafe/mono2micro-ui:<version>
    • icr.io/appcafe/mono2micro-aipl:<version>
    • icr.io/appcafe/mono2micro-bluejay:<version>

    For both ER and trial installations, replace <image_directory> with the location of the copied image.

  5. Verify the image using the downloaded signature and repository.

    For an ER or trial installation, run the following standalone-verify command to verify an image.

    skopeo standalone-verify <image_directory>/manifest.json \
    <repository_tag> ${fingerprint} <image_directory>/signature-2
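As an added example (not IBM's own script), the following wraps steps 1 to 5 above: it takes only the primary key's fingerprint from the colon-format gpg output, refuses to continue unless that is a single 40-digit fingerprint, and verifies every repository tag passed on the command line, stopping at the first image that fails. The SIG_FILE override, the working-directory layout and the sample colon output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM's script): wraps steps 1 to 5 so that the fingerprint
# comes from the primary key only and the script exits non-zero on any failure.
set -eu

# Print the primary key's fingerprint from `gpg --with-colons` output on stdin.
# The first fpr record after a pub record belongs to the primary key; later fpr
# records belong to subkeys, and a plain `grep fpr` would return all of them.
primary_fingerprint() {
  awk -F: '$1 == "pub" { in_pub = 1; next }
           $1 == "sub" { in_pub = 0 }
           $1 == "fpr" && in_pub { print $10; exit }'
}

# Succeed only for a single 40-digit uppercase hex (OpenPGP v4) fingerprint.
valid_fingerprint() {
  case "$1" in
    ""|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Copy each repository tag into its own directory and verify its manifest.
# Arguments: fingerprint, working directory, then one or more repository tags.
# The page's instructions verify signature-2; set SIG_FILE if yours differs.
verify_images() {
  fpr="$1"; workdir="$2"; shift 2
  for tag in "$@"; do
    dir="$workdir/$(printf '%s' "$tag" | tr '/:' '__')"
    skopeo copy "docker://$tag" "dir:$dir"
    skopeo standalone-verify "$dir/manifest.json" "$tag" "$fpr" \
      "$dir/${SIG_FILE:-signature-2}"
  done
}

# Constructed sample of `gpg --fingerprint --with-colons` output (not a real
# IBM key): a primary key followed by a subkey, each with its own fpr record.
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1600000000::::::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1600000000::0::International Business Machines Corporation::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:'

if [ "${1:-}" = "--run" ]; then
  shift
  gpg --import mono2micro-public.gpg
  fpr=$(gpg --fingerprint --with-colons "International Business Machines Corporation" | primary_fingerprint)
  valid_fingerprint "$fpr" || { echo "no usable primary key fingerprint" >&2; exit 1; }
  verify_images "$fpr" "$(mktemp -d)" "$@"
fi
```

Run it as `./verify-m2m.sh --run icr.io/cp/mono2micro/mono2micro-cardinal:<version> ...` with the tags from step 4; without `--run` it only defines the functions.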

Verifying the Mono2Micro-CLI.zip file with jarsigner

When you install Mono2Micro, you download the Mono2Micro-CLI.zip file from http://ibm.biz/Mono2Micro-downloads and install the Mono2Micro command line tool. The downloaded Mono2Micro-CLI.zip file is signed and can be verified with the jarsigner tool that is shipped with Java®.

  1. Verify the Mono2Micro-CLI.zip file with jarsigner.

    Open a command line at the location of the ZIP file and run the following command.

    jarsigner -verify Mono2Micro-CLI.zip -certs -verbose
  2. Confirm that the signer output resembles the following output, which verifies the validity of the file.

    Signer
    X.509, CN=International Business Machines Corporation, OU=IBM CCSS, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US