Verifying images

Learn how to verify the signatures on the IBM® Netcool® Operations Insight® images.

Digital signatures give consumers of content a way to ensure that what they download is authentic (it originated from the expected source) and has integrity (it is what it is expected to be). All images for IBM Netcool Operations Insight are signed.

Prerequisites

The following items are the prerequisites to run a signature verification:

  1. Install the following tools on your machine (these tools are usually installed on Linux by using the package manager):
    • GNU Privacy Guard v2
    • OpenSSL
    • Skopeo
  2. The IBM Netcool Operations Insight public key must exist on the same machine where you installed the tools. Copy the following text exactly as shown into a text editor, and save it in a file named noi-public.gpg:
    
  3. To check the certificate validity, the following two certificates must exist on the same machine where you installed the tools.

    Copy the following text exactly as shown into a text editor, and save it in a file named NetcoolOperationsInsight.pem.

    
  4. Copy the following text exactly as shown into a text editor, and save it in a file named NetcoolOperationsInsight-chain0.pem.
    
  5. Review the certificate details for NetcoolOperationsInsight.pem.
    openssl x509 -text -noout -in NetcoolOperationsInsight.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                08:4b:31:1d:b7:ea:db:e2:9d:a3:b2:33:6c:38:20:13
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
            Validity
                Not Before: Jan 11 00:00:00 2021 GMT
                Not After : Jan 18 23:59:59 2023 GMT
            Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:a6:b3:3f:f7:d5:aa:75:c1:5d:86:e7:6d:04:83:
                        60:f6:fb:e6:6f:ed:1e:f0:7f:3d:2b:33:be:c0:86:
                        c7:61:38:4b:27:77:35:39:23:67:43:2e:f5:3c:eb:
                        b4:e0:99:25:d7:43:05:21:66:27:8d:f0:e5:f1:81:
                        f8:f3:d5:53:95:e9:80:c8:01:85:65:46:c7:7b:fe:
                        98:9c:96:7d:de:83:ec:7d:64:32:84:ad:db:a0:2c:
                        6e:4c:f1:67:8d:88:de:13:e6:71:a5:a3:9d:4f:31:
                        d9:39:9d:ad:30:84:ef:4b:5d:f0:49:3c:16:f0:be:
                        8c:68:3c:6d:ee:0e:2c:27:b0:25:ad:9d:90:0f:66:
                        68:a7:a2:7f:3a:fc:f5:3b:22:ac:dc:b1:61:28:b1:
                        74:fe:dc:5e:5b:6e:ed:55:e0:85:2d:b5:a0:42:15:
                        5d:0c:88:35:5d:0e:67:a2:59:b5:84:0e:f3:69:05:
                        72:40:8f:db:c9:63:2e:0a:d9:36:d4:9e:dc:5b:24:
                        0a:7c:5a:ff:59:61:41:db:1b:73:22:a2:ee:f9:71:
                        4d:e4:8b:c8:ce:03:21:d4:7a:9a:c4:2d:b0:42:a9:
                        73:6e:b3:7c:21:83:fb:29:ff:39:6f:5c:9e:dc:a3:
                        c0:58:cc:f7:f3:77:90:9f:bb:3e:8a:fc:6b:27:24:
                        3a:39
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier: 
                    keyid:5A:C4:B9:7B:2A:0A:A3:A5:EA:71:03:C0:60:F9:2D:F6:65:75:0E:58
    
                X509v3 Subject Key Identifier: 
                    64:EC:B3:9A:D7:C2:CB:D6:9E:59:D5:25:7F:49:D1:99:BC:0B:EF:ED
                X509v3 Key Usage: critical
                    Digital Signature
                X509v3 Extended Key Usage: 
                    Code Signing
                X509v3 CRL Distribution Points: 
    
                    Full Name:
                      URI:http://crl3.digicert.com/sha2-assured-cs-g1.crl
    
                    Full Name:
                      URI:http://crl4.digicert.com/sha2-assured-cs-g1.crl
    
                X509v3 Certificate Policies: 
                    Policy: 2.16.840.1.114412.3.1
                      CPS: http://www.digicert.com/CPS
                    Policy: 2.23.140.1.4.1
    
                Authority Information Access: 
                    OCSP - URI:http://ocsp.digicert.com
                    CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
    
                X509v3 Basic Constraints: critical
                    CA:FALSE
        Signature Algorithm: sha256WithRSAEncryption
             ba:77:9b:a2:28:60:8a:dd:be:19:bf:e8:ff:dd:a5:c8:bf:7a:
             10:12:1b:35:8f:b5:b9:d7:b8:6f:36:51:38:81:ad:9b:42:da:
             c1:a4:06:58:5c:bb:46:9b:c6:83:14:14:50:c7:db:7b:da:b9:
             46:f9:1c:74:09:6d:7e:2a:09:4f:c0:fe:1b:91:b2:d0:d4:c6:
             23:ae:11:5f:e8:44:4d:63:e2:de:5e:06:6b:17:58:41:5d:d3:
             a9:af:99:93:64:c3:a4:91:3b:75:ca:43:af:63:4f:6e:09:bc:
             65:8c:f0:4c:a8:79:1a:15:f0:08:38:72:b4:c9:f3:40:32:a1:
             a1:c6:7d:26:c5:46:ff:40:bf:97:13:1a:05:60:b0:07:0e:20:
             2d:b6:f7:94:41:64:ac:d1:2f:48:8f:17:d1:8f:e5:e5:10:cf:
             bb:83:50:71:7a:c9:14:24:b3:d8:33:3b:d2:00:dc:50:2b:d1:
             de:e6:74:6c:e5:0d:2a:a0:de:45:77:1a:e5:d6:fa:3b:b7:35:
             6e:35:87:6d:27:d9:88:32:38:4e:44:f1:f6:b5:41:e4:9c:f1:
             12:73:4a:f9:b9:84:e2:c7:55:77:11:01:6d:7b:80:49:f9:48:
             ca:b5:f2:9b:4f:9d:66:e7:8a:8f:86:25:d1:7d:df:5e:19:cb:
             00:50:cb:fd
    
  6. Review the certificate details for the intermediate certificate, NetcoolOperationsInsight-chain0.pem.
    openssl x509 -text -noout -in NetcoolOperationsInsight-chain0.pem 
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
            Validity
                Not Before: Oct 22 12:00:00 2013 GMT
                Not After : Oct 22 12:00:00 2028 GMT
            Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        00:f8:d3:b3:1c:7f:0e:11:af:67:77:07:d3:0b:31:
                        49:19:cf:d0:fb:45:99:b1:3a:db:44:f5:7f:e5:a8:
                        9d:db:32:d7:71:ea:76:9d:05:2e:b7:8f:fa:92:43:
                        c0:a5:f9:89:d4:37:19:d7:b6:aa:f0:9c:86:a5:d8:
                        25:ac:0e:79:28:3a:7e:e9:d1:67:d3:c6:fb:29:27:
                        c7:d3:7b:23:94:e4:91:23:96:90:77:82:f9:a1:84:
                        23:66:12:54:33:50:74:b1:28:26:bb:24:69:c2:c2:
                        52:f2:14:67:8a:89:45:d4:2d:a1:a3:e9:88:2c:20:
                        95:ae:1c:4a:87:08:df:0c:f5:e2:4d:60:18:be:aa:
                        c4:b2:ae:70:31:66:33:71:3e:ac:70:a2:ab:ce:7f:
                        e9:7c:cb:92:a1:e5:3b:31:1c:cf:ea:f2:0a:e4:57:
                        bb:4a:b5:e9:74:e6:2b:fe:6c:cb:7e:74:39:36:0d:
                        90:ef:e4:b5:4e:a4:a9:ea:6a:0a:ab:84:f3:ac:67:
                        4e:b5:c4:f7:8c:d1:20:25:23:eb:08:64:3e:52:96:
                        c1:f2:0f:12:f4:c5:8e:0f:c1:a2:e8:2c:51:f7:73:
                        bc:bd:85:b1:62:83:73:41:82:07:e4:38:8b:6a:73:
                        20:d0:0f:64:73:3c:9e:9f:a6:33:a9:fd:19:df:25:
                        93:d1
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 Extended Key Usage: 
                    Code Signing
                Authority Information Access: 
                    OCSP - URI:http://ocsp.digicert.com
                    CA Issuers - URI:http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
    
                X509v3 CRL Distribution Points: 
    
                    Full Name:
                      URI:http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
    
                    Full Name:
                      URI:http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
    
                X509v3 Certificate Policies: 
                    Policy: 2.16.840.1.114412.0.2.4
                      CPS: https://www.digicert.com/CPS
                    Policy: 2.16.840.1.114412.3
    
                X509v3 Subject Key Identifier: 
                    5A:C4:B9:7B:2A:0A:A3:A5:EA:71:03:C0:60:F9:2D:F6:65:75:0E:58
                X509v3 Authority Key Identifier: 
                    keyid:45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F
    
        Signature Algorithm: sha256WithRSAEncryption
             3e:ec:0d:5a:24:b3:f3:22:d1:15:c8:2c:7c:25:29:76:a8:1d:
             5d:1c:2d:3a:1a:c4:ef:30:61:d7:7e:0b:60:fd:c3:3d:0f:c4:
             af:8b:fd:ef:2a:df:20:55:37:b0:e1:f6:d1:92:75:0f:51:b4:
             6e:a5:8e:5a:e2:5e:24:81:4e:10:a4:ee:3f:71:8e:63:0e:13:
             4b:ad:d7:5f:44:79:f3:36:14:06:8a:f7:9c:46:4e:5c:ff:90:
             b1:1b:07:0e:91:15:fb:ba:af:b5:51:c2:8d:24:ae:24:c6:c7:
             27:2a:a1:29:28:1a:3a:71:28:02:3c:2e:91:a3:c0:25:11:e2:
             9c:14:47:a1:7a:68:68:af:9b:a7:5c:20:5c:d9:71:b1:0c:8f:
             bb:a8:f8:c5:12:68:9f:cf:40:cb:40:44:a5:13:f0:e6:64:0c:
             25:08:42:32:b2:36:8a:24:02:fe:2f:72:7e:1c:d7:49:45:96:
             e8:59:1d:e9:fa:74:64:6b:b2:eb:66:43:da:b3:b0:8c:d5:e9:
             0d:dd:f6:01:20:ce:99:31:63:3d:08:1a:18:b3:81:9b:4f:c6:
             93:10:06:fc:07:81:fa:8b:da:f9:82:49:f7:62:6e:a1:53:fa:
             12:94:18:85:2e:92:91:ea:68:6c:44:32:b2:66:a1:e7:18:a4:
             9a:64:51:ef
    
  7. Check the SHA-256 checksum of the public key file.
    sha256sum noi-public.gpg 
    d25e291385267ee435c29d0377e38279499432de9e7a4b06fddf7c0c44b62dee public.gpg
    

Procedure

  1. Import the public key into the GPG public keyring.
    gpg2 --import noi-public.gpg 
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key 0E07E8A4FCB41DCF: public key "NetcoolOperationsInsight" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    
  2. Use the Online Certificate Status Protocol (OCSP) to check the certificate validity.
    openssl ocsp -no_nonce -issuer NetcoolOperationsInsight-chain0.pem -cert ./NetcoolOperationsInsight.pem -VAfile NetcoolOperationsInsight-chain0.pem -text -url http://ocsp.digicert.com -respout ocsptest 
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: A7478168C4B2E423BBE4BEC50816566DFA5187DE
              Issuer Key Hash: 5AC4B97B2A0AA3A5EA7103C060F92DF665750E58
              Serial Number: 084B311DB7EADBE29DA3B2336C382013
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 5AC4B97B2A0AA3A5EA7103C060F92DF665750E58
        Produced At: Oct 11 17:36:46 2021 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: A7478168C4B2E423BBE4BEC50816566DFA5187DE
          Issuer Key Hash: 5AC4B97B2A0AA3A5EA7103C060F92DF665750E58
          Serial Number: 084B311DB7EADBE29DA3B2336C382013
        Cert Status: good
        This Update: Oct 11 17:21:02 2021 GMT
        Next Update: Oct 18 16:36:02 2021 GMT
    
        Signature Algorithm: sha256WithRSAEncryption
             88:e1:31:5a:c7:28:9f:7d:25:8c:44:ed:dc:13:de:b1:5f:f5:
             83:f0:54:30:95:cc:95:e3:ef:34:9f:1c:f0:e3:b5:83:35:e0:
             15:ea:da:eb:9d:a2:9f:95:df:59:35:f1:16:28:4f:f7:0e:52:
             1f:b1:54:b6:75:33:68:78:a7:fb:6e:a6:39:fb:54:e2:b9:1f:
             2f:37:7b:cd:a6:92:d3:85:c9:bd:97:15:22:1b:b0:14:2a:35:
             77:3f:36:24:83:1c:e6:0b:61:44:ed:8b:fb:27:44:b0:5c:51:
             99:bd:ac:70:26:fa:4c:68:3a:65:28:0e:a9:34:a8:99:9a:db:
             d3:6b:ce:7c:9f:d3:4f:7f:51:7b:4a:d7:ce:94:59:76:67:47:
             d5:b0:f6:c2:5f:df:42:5d:b6:71:28:e8:ba:09:e7:db:77:cd:
             ff:6b:e1:60:f6:db:fd:4d:b0:25:98:83:d1:f1:e6:8a:ea:a7:
             8f:21:1f:1b:51:70:f8:e8:5d:42:b0:3b:f4:ec:7c:5c:bb:49:
             e1:4d:e3:68:6f:42:aa:b4:16:14:2f:ef:82:53:01:ff:f5:35:
             ad:49:ed:82:67:fa:e1:ab:5e:4f:e3:19:57:08:ec:2e:f1:06:
             fa:ce:1a:f3:a4:d6:4e:fa:6a:9e:41:7e:d1:44:3f:29:e7:27:
             71:ac:43:b6
    Response verify OK
    ./NetcoolOperationsInsight.pem: good
    	This Update: Oct 11 17:21:02 2021 GMT
    	Next Update: Oct 18 16:36:02 2021 GMT
    
  3. Use a policy to verify the images.
    You can specify a policy so that tools such as Skopeo and Podman refuse to download images that are not signed and verified. This is the approved method for verifying images on bastion hosts during airgap deployments.
    cat /etc/containers/policy.json
    {
        "default": [
            {
                "type": "reject"
            }
        ],
        "transports":
            {
                "docker":
                    {
                        "": [{ "type": "signedBy", "keyType": "GPGKeys", "keyPath": "noi-public.gpg"}]
                    }
            }
    }
    

    Where keyPath is the path to the Netcool Operations Insight public key file. An attempt to download an unsigned or unauthenticated image fails.

  4. Manually verify an image signature.

    You can use Skopeo to manually verify an image signature. To do so, the image must first be saved to a local directory.

    For example, to verify the image signature on the cp.icr.io/cp/noi-operator:1.6.6-2022-000000000000 example image, follow these steps:

    • Create a directory to save the image files.
      %> mkdir -p /tmp/images/noi-operator
    • Copy the image from the image repository to the local directory.
      %> skopeo copy --src-creds SRC_CREDS docker://cp.icr.io/cp/noi-operator:1.6.6-2022-000000000000 dir:/tmp/images/noi-operator
      Where SRC_CREDS is the username and password (source credentials) for downloading the image, for example: --src-creds=testuser:testpassword
    • Read the Netcool Operations Insight public key fingerprint.
      %> FINGERPRINT=$( sudo gpg2 --fingerprint --with-colons NetcoolOperationsInsight | awk -F: '/^fpr:/ { print $10; exit }' )
    • Use the skopeo standalone-verify command to verify the image signature.
      %> skopeo standalone-verify /tmp/images/noi-operator/manifest.json cp.icr.io/cp/noi-operator:1.6.6-2022-000000000000 ${FINGERPRINT} /tmp/images/noi-operator/signature-1
      Signature verified, digest sha256:0000000000000000000000000000000000000
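
The OCSP check in step 2 of the procedure is read by eye; the following added example (not part of the IBM documentation) turns it into a fail-closed gate that a script can run before importing images, instead of trusting the command's exit status alone. The function name check_ocsp_output and the sample outputs are constructed for illustration, and the handling of "WARNING" lines is an assumption about how openssl reports an out-of-date response.

```shell
#!/bin/sh
# Added example, not IBM code. Fail-closed check over `openssl ocsp` text output.
# Usage: openssl ocsp ... -cert ./NetcoolOperationsInsight.pem ... 2>&1 |
#            check_ocsp_output ./NetcoolOperationsInsight.pem

check_ocsp_output() {
    ocsp_cert=$1        # the same path that was passed to -cert
    ocsp_out=$(cat)     # complete command output, read from stdin

    # 1. The responder's signature over the response must have verified.
    printf '%s\n' "$ocsp_out" | grep -qx 'Response verify OK' || {
        echo "ocsp: response signature not verified" >&2; return 1; }

    # 2. The status line must be exactly "<cert>: good"; "revoked" and
    #    "unknown" both fail, as does a status for some other certificate.
    printf '%s\n' "$ocsp_out" | grep -qxF "${ocsp_cert}: good" || {
        echo "ocsp: status for ${ocsp_cert} is not good" >&2; return 2; }

    # 3. Assumption: openssl reports an out-of-date response on a line that
    #    starts with "WARNING"; treat any such line as a failure.
    if printf '%s\n' "$ocsp_out" | grep -q '^WARNING'; then
        echo "ocsp: openssl printed a warning" >&2; return 3
    fi
    return 0
}

# Constructed sample outputs, trimmed to the lines the check reads.
sample_good() {
    printf '%s\n' 'Response verify OK' \
        './NetcoolOperationsInsight.pem: good' \
        '    This Update: Oct 11 17:21:02 2021 GMT' \
        '    Next Update: Oct 18 16:36:02 2021 GMT'
}
sample_revoked() {
    printf '%s\n' 'Response verify OK' \
        './NetcoolOperationsInsight.pem: revoked' \
        '    This Update: Oct 11 17:21:02 2021 GMT'
}
sample_stale() {
    sample_good
    printf '%s\n' 'WARNING: Status times invalid.'
}
sample_unverified() {
    printf '%s\n' 'Response Verify Failure' \
        './NetcoolOperationsInsight.pem: good'
}

for s in sample_good sample_revoked sample_stale sample_unverified; do
    if "$s" | check_ocsp_output ./NetcoolOperationsInsight.pem 2>/dev/null; then
        echo "$s: accept"
    else
        echo "$s: reject (rc=$?)"
    fi
done
```

Redirect stderr into the pipe (2>&1) when feeding real output to the function so that verification messages written to stderr are also checked.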