Verifying images
Learn how to verify the signatures on the IBM® Netcool® Operations Insight® images.
Digital signatures give consumers of content a way to confirm that what they download is both authentic (it originated from the expected source) and has integrity (it is what it is expected to be). All images for IBM Netcool Operations Insight are signed.
Prerequisites
The following items are the prerequisites to run a signature verification:
- Install the following tools on your machine (these tools are usually installed on Linux by using the package manager):
  - GNU Privacy Guard v2
  - OpenSSL
  - Skopeo
- The IBM Netcool Operations Insight public key must exist on the same machine where you installed the tools. Copy the following text exactly as shown into a text editor, and save it in a file named noi-public.gpg:
- To check the certificate validity, the following two certificates must exist on the same machine where you installed the tools. Copy the following text exactly as shown into a text editor, and save it in a file named NetcoolOperationsInsight.pem.
- Copy the following text exactly as shown into a text editor, and save it in a file named NetcoolOperationsInsight-chain0.pem.
- Review the certificate details for NetcoolOperationsInsight.pem.
```
openssl x509 -text -noout -in NetcoolOperationsInsight.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:4b:31:1d:b7:ea:db:e2:9d:a3:b2:33:6c:38:20:13
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
        Validity
            Not Before: Jan 11 00:00:00 2021 GMT
            Not After : Jan 18 23:59:59 2023 GMT
        Subject: C = US, ST = New York, L = Armonk, O = International Business Machines Corporation, OU = IBM CCSS, CN = International Business Machines Corporation
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a6:b3:3f:f7:d5:aa:75:c1:5d:86:e7:6d:04:83:
                    60:f6:fb:e6:6f:ed:1e:f0:7f:3d:2b:33:be:c0:86:
                    c7:61:38:4b:27:77:35:39:23:67:43:2e:f5:3c:eb:
                    b4:e0:99:25:d7:43:05:21:66:27:8d:f0:e5:f1:81:
                    f8:f3:d5:53:95:e9:80:c8:01:85:65:46:c7:7b:fe:
                    98:9c:96:7d:de:83:ec:7d:64:32:84:ad:db:a0:2c:
                    6e:4c:f1:67:8d:88:de:13:e6:71:a5:a3:9d:4f:31:
                    d9:39:9d:ad:30:84:ef:4b:5d:f0:49:3c:16:f0:be:
                    8c:68:3c:6d:ee:0e:2c:27:b0:25:ad:9d:90:0f:66:
                    68:a7:a2:7f:3a:fc:f5:3b:22:ac:dc:b1:61:28:b1:
                    74:fe:dc:5e:5b:6e:ed:55:e0:85:2d:b5:a0:42:15:
                    5d:0c:88:35:5d:0e:67:a2:59:b5:84:0e:f3:69:05:
                    72:40:8f:db:c9:63:2e:0a:d9:36:d4:9e:dc:5b:24:
                    0a:7c:5a:ff:59:61:41:db:1b:73:22:a2:ee:f9:71:
                    4d:e4:8b:c8:ce:03:21:d4:7a:9a:c4:2d:b0:42:a9:
                    73:6e:b3:7c:21:83:fb:29:ff:39:6f:5c:9e:dc:a3:
                    c0:58:cc:f7:f3:77:90:9f:bb:3e:8a:fc:6b:27:24:
                    3a:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:5A:C4:B9:7B:2A:0A:A3:A5:EA:71:03:C0:60:F9:2D:F6:65:75:0E:58
            X509v3 Subject Key Identifier:
                64:EC:B3:9A:D7:C2:CB:D6:9E:59:D5:25:7F:49:D1:99:BC:0B:EF:ED
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl3.digicert.com/sha2-assured-cs-g1.crl
                Full Name:
                  URI:http://crl4.digicert.com/sha2-assured-cs-g1.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.3.1
                  CPS: http://www.digicert.com/CPS
                Policy: 2.23.140.1.4.1
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt
            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         ba:77:9b:a2:28:60:8a:dd:be:19:bf:e8:ff:dd:a5:c8:bf:7a:
         10:12:1b:35:8f:b5:b9:d7:b8:6f:36:51:38:81:ad:9b:42:da:
         c1:a4:06:58:5c:bb:46:9b:c6:83:14:14:50:c7:db:7b:da:b9:
         46:f9:1c:74:09:6d:7e:2a:09:4f:c0:fe:1b:91:b2:d0:d4:c6:
         23:ae:11:5f:e8:44:4d:63:e2:de:5e:06:6b:17:58:41:5d:d3:
         a9:af:99:93:64:c3:a4:91:3b:75:ca:43:af:63:4f:6e:09:bc:
         65:8c:f0:4c:a8:79:1a:15:f0:08:38:72:b4:c9:f3:40:32:a1:
         a1:c6:7d:26:c5:46:ff:40:bf:97:13:1a:05:60:b0:07:0e:20:
         2d:b6:f7:94:41:64:ac:d1:2f:48:8f:17:d1:8f:e5:e5:10:cf:
         bb:83:50:71:7a:c9:14:24:b3:d8:33:3b:d2:00:dc:50:2b:d1:
         de:e6:74:6c:e5:0d:2a:a0:de:45:77:1a:e5:d6:fa:3b:b7:35:
         6e:35:87:6d:27:d9:88:32:38:4e:44:f1:f6:b5:41:e4:9c:f1:
         12:73:4a:f9:b9:84:e2:c7:55:77:11:01:6d:7b:80:49:f9:48:
         ca:b5:f2:9b:4f:9d:66:e7:8a:8f:86:25:d1:7d:df:5e:19:cb:
         00:50:cb:fd
```
- Review the certificate details for the intermediate certificate NetcoolOperationsInsight-chain0.pem.
```
openssl x509 -text -noout -in NetcoolOperationsInsight-chain0.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:09:18:1b:5f:d5:bb:66:75:53:43:b5:6f:95:50:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA
        Validity
            Not Before: Oct 22 12:00:00 2013 GMT
            Not After : Oct 22 12:00:00 2028 GMT
        Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Assured ID Code Signing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f8:d3:b3:1c:7f:0e:11:af:67:77:07:d3:0b:31:
                    49:19:cf:d0:fb:45:99:b1:3a:db:44:f5:7f:e5:a8:
                    9d:db:32:d7:71:ea:76:9d:05:2e:b7:8f:fa:92:43:
                    c0:a5:f9:89:d4:37:19:d7:b6:aa:f0:9c:86:a5:d8:
                    25:ac:0e:79:28:3a:7e:e9:d1:67:d3:c6:fb:29:27:
                    c7:d3:7b:23:94:e4:91:23:96:90:77:82:f9:a1:84:
                    23:66:12:54:33:50:74:b1:28:26:bb:24:69:c2:c2:
                    52:f2:14:67:8a:89:45:d4:2d:a1:a3:e9:88:2c:20:
                    95:ae:1c:4a:87:08:df:0c:f5:e2:4d:60:18:be:aa:
                    c4:b2:ae:70:31:66:33:71:3e:ac:70:a2:ab:ce:7f:
                    e9:7c:cb:92:a1:e5:3b:31:1c:cf:ea:f2:0a:e4:57:
                    bb:4a:b5:e9:74:e6:2b:fe:6c:cb:7e:74:39:36:0d:
                    90:ef:e4:b5:4e:a4:a9:ea:6a:0a:ab:84:f3:ac:67:
                    4e:b5:c4:f7:8c:d1:20:25:23:eb:08:64:3e:52:96:
                    c1:f2:0f:12:f4:c5:8e:0f:c1:a2:e8:2c:51:f7:73:
                    bc:bd:85:b1:62:83:73:41:82:07:e4:38:8b:6a:73:
                    20:d0:0f:64:73:3c:9e:9f:a6:33:a9:fd:19:df:25:
                    93:d1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                Code Signing
            Authority Information Access:
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
                Full Name:
                  URI:http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114412.0.2.4
                  CPS: https://www.digicert.com/CPS
                Policy: 2.16.840.1.114412.3
            X509v3 Subject Key Identifier:
                5A:C4:B9:7B:2A:0A:A3:A5:EA:71:03:C0:60:F9:2D:F6:65:75:0E:58
            X509v3 Authority Key Identifier:
                keyid:45:EB:A2:AF:F4:92:CB:82:31:2D:51:8B:A7:A7:21:9D:F3:6D:C8:0F
    Signature Algorithm: sha256WithRSAEncryption
         3e:ec:0d:5a:24:b3:f3:22:d1:15:c8:2c:7c:25:29:76:a8:1d:
         5d:1c:2d:3a:1a:c4:ef:30:61:d7:7e:0b:60:fd:c3:3d:0f:c4:
         af:8b:fd:ef:2a:df:20:55:37:b0:e1:f6:d1:92:75:0f:51:b4:
         6e:a5:8e:5a:e2:5e:24:81:4e:10:a4:ee:3f:71:8e:63:0e:13:
         4b:ad:d7:5f:44:79:f3:36:14:06:8a:f7:9c:46:4e:5c:ff:90:
         b1:1b:07:0e:91:15:fb:ba:af:b5:51:c2:8d:24:ae:24:c6:c7:
         27:2a:a1:29:28:1a:3a:71:28:02:3c:2e:91:a3:c0:25:11:e2:
         9c:14:47:a1:7a:68:68:af:9b:a7:5c:20:5c:d9:71:b1:0c:8f:
         bb:a8:f8:c5:12:68:9f:cf:40:cb:40:44:a5:13:f0:e6:64:0c:
         25:08:42:32:b2:36:8a:24:02:fe:2f:72:7e:1c:d7:49:45:96:
         e8:59:1d:e9:fa:74:64:6b:b2:eb:66:43:da:b3:b0:8c:d5:e9:
         0d:dd:f6:01:20:ce:99:31:63:3d:08:1a:18:b3:81:9b:4f:c6:
         93:10:06:fc:07:81:fa:8b:da:f9:82:49:f7:62:6e:a1:53:fa:
         12:94:18:85:2e:92:91:ea:68:6c:44:32:b2:66:a1:e7:18:a4:
         9a:64:51:ef
```
- Check the SHA-256 checksum of the public key file against the value shown.
```
sha256sum noi-public.gpg
d25e291385267ee435c29d0377e38279499432de9e7a4b06fddf7c0c44b62dee  noi-public.gpg
```
Procedure
- Import the public key into the GPG public keyring.
```
gpg2 --import noi-public.gpg
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 0E07E8A4FCB41DCF: public key "NetcoolOperationsInsight" imported
gpg: Total number processed: 1
gpg:               imported: 1
```
- Use the Online Certificate Status Protocol (OCSP) to check the certificate validity.
```
openssl ocsp -no_nonce -issuer NetcoolOperationsInsight-chain0.pem -cert ./NetcoolOperationsInsight.pem -VAfile NetcoolOperationsInsight-chain0.pem -text -url http://ocsp.digicert.com -respout ocsptest
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: A7478168C4B2E423BBE4BEC50816566DFA5187DE
          Issuer Key Hash: 5AC4B97B2A0AA3A5EA7103C060F92DF665750E58
          Serial Number: 084B311DB7EADBE29DA3B2336C382013
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 5AC4B97B2A0AA3A5EA7103C060F92DF665750E58
    Produced At: Oct 11 17:36:46 2021 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A7478168C4B2E423BBE4BEC50816566DFA5187DE
      Issuer Key Hash: 5AC4B97B2A0AA3A5EA7103C060F92DF665750E58
      Serial Number: 084B311DB7EADBE29DA3B2336C382013
    Cert Status: good
    This Update: Oct 11 17:21:02 2021 GMT
    Next Update: Oct 18 16:36:02 2021 GMT

    Signature Algorithm: sha256WithRSAEncryption
         88:e1:31:5a:c7:28:9f:7d:25:8c:44:ed:dc:13:de:b1:5f:f5:
         83:f0:54:30:95:cc:95:e3:ef:34:9f:1c:f0:e3:b5:83:35:e0:
         15:ea:da:eb:9d:a2:9f:95:df:59:35:f1:16:28:4f:f7:0e:52:
         1f:b1:54:b6:75:33:68:78:a7:fb:6e:a6:39:fb:54:e2:b9:1f:
         2f:37:7b:cd:a6:92:d3:85:c9:bd:97:15:22:1b:b0:14:2a:35:
         77:3f:36:24:83:1c:e6:0b:61:44:ed:8b:fb:27:44:b0:5c:51:
         99:bd:ac:70:26:fa:4c:68:3a:65:28:0e:a9:34:a8:99:9a:db:
         d3:6b:ce:7c:9f:d3:4f:7f:51:7b:4a:d7:ce:94:59:76:67:47:
         d5:b0:f6:c2:5f:df:42:5d:b6:71:28:e8:ba:09:e7:db:77:cd:
         ff:6b:e1:60:f6:db:fd:4d:b0:25:98:83:d1:f1:e6:8a:ea:a7:
         8f:21:1f:1b:51:70:f8:e8:5d:42:b0:3b:f4:ec:7c:5c:bb:49:
         e1:4d:e3:68:6f:42:aa:b4:16:14:2f:ef:82:53:01:ff:f5:35:
         ad:49:ed:82:67:fa:e1:ab:5e:4f:e3:19:57:08:ec:2e:f1:06:
         fa:ce:1a:f3:a4:d6:4e:fa:6a:9e:41:7e:d1:44:3f:29:e7:27:
         71:ac:43:b6
Response verify OK
./NetcoolOperationsInsight.pem: good
        This Update: Oct 11 17:21:02 2021 GMT
        Next Update: Oct 18 16:36:02 2021 GMT
```
- Use a policy to verify the images.
A policy can be specified so that tools such as Skopeo and Podman are prevented from downloading images that are not signed and verified. This is the approved method for verifying images on bastion hosts during air-gapped deployments.
```
cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "docker": {
            "": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "noi-public.gpg"
                }
            ]
        }
    }
}
```
Where keyPath is the path to the Netcool Operations Insight public key. An attempt to download an unsigned or unauthenticated image results in failure.
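As an added example (not code from the page or from IBM), the following audit reads a policy of the shape shown above and reports settings that would let unsigned images through: a default other than reject, an insecureAcceptAnything requirement, a non-GPG key type, or a relative keyPath (a stricter check than the page's own example, which uses a relative path; the absolute location /etc/containers/noi-public.gpg is an assumption). Both sample policies are constructed here for illustration.

```python
import json
from pathlib import Path
from typing import Dict, List

# Constructed examples (not from the page): a weak policy that accepts any
# image, beside the hardened shape used in the procedure above, here with an
# absolute keyPath (assumed location) so it does not depend on the cwd.
WEAK_POLICY = {"default": [{"type": "insecureAcceptAnything"}]}
HARDENED_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {"": [{
        "type": "signedBy", "keyType": "GPGKeys",
        "keyPath": "/etc/containers/noi-public.gpg"}]}},
}


def audit_policy(policy: Dict) -> List[str]:
    """Return findings for a containers policy.json dict; empty means OK.

    Checks: the default must reject, every transport scope must require a
    GPG signature (signedBy/GPGKeys) and keyPath must be absolute.
    """
    findings = []
    default = policy.get("default", [])
    if not default or any(r.get("type") != "reject" for r in default):
        findings.append("default policy is not 'reject'")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            label = f"{transport}:{scope or '<default scope>'}"
            if not reqs:
                findings.append(f"{label}: empty requirement list")
            for req in reqs:
                kind = req.get("type")
                if kind == "insecureAcceptAnything":
                    findings.append(f"{label}: accepts unsigned images")
                elif kind == "signedBy":
                    if req.get("keyType") != "GPGKeys":
                        findings.append(f"{label}: keyType is not GPGKeys")
                    key_path = req.get("keyPath", "")
                    if not Path(key_path).is_absolute():
                        findings.append(f"{label}: keyPath {key_path!r} is not absolute")
                elif kind != "reject":
                    findings.append(f"{label}: unexpected requirement type {kind!r}")
    return findings


def audit_policy_file(path: str) -> List[str]:
    """Audit a policy file such as /etc/containers/policy.json."""
    with open(path) as fh:
        return audit_policy(json.load(fh))
```

Run `audit_policy_file("/etc/containers/policy.json")` on a bastion host to list findings; an empty list means the policy rejects everything except GPG-signed docker images.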
- Manually verify an image signature.
Skopeo can be used to verify an image signature manually. To do so, the image must first be saved to a local directory.
For example, to verify the image signature on the cp.icr.io/cp/noi-operator:1.6.6-2022-000000000000 example image, follow these steps:
  - Create a directory to save the image files.
```
%> mkdir -p /tmp/images/noi-operator
```
  - Copy the image from the image repository to the local directory.
```
%> skopeo copy --src-creds SRC_CREDS docker://cp.icr.io/cp/noi-operator:1.6.6-2022-000000000000 dir:/tmp/images/noi-operator
```
Where SRC_CREDS is the username and password (source credentials) for downloading the image, for example:
```
--src-creds=testuser:testpassword
```
  - Read the Netcool Operations Insight public key fingerprint.
```
%> FINGERPRINT=$( sudo gpg2 --fingerprint --with-colons NetcoolOperationsInsight | grep fpr | tr -d 'fpr:')
```
  - Use the skopeo standalone-verify command to verify the image signature.
```
%> skopeo standalone-verify /tmp/images/noi-operator/manifest.json cp.icr.io/cp/noi-operator:1.6.6-2022-000000000000 ${FINGERPRINT} /tmp/images/noi-operator/signature-1
Signature verified, digest sha256:0000000000000000000000000000000000000
```
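The fingerprint step above shells out to gpg2 and strips the fpr record with grep and tr. As an added example (not the page's or IBM's code), the following parses gpg's colon-separated output by field instead, on a constructed sample with made-up fingerprints and a subkey, and also emulates the page's grep/tr pipeline to show that on a key with a subkey that pipeline returns two fingerprints where standalone-verify expects one.

```python
import re

# Constructed sample of `gpg2 --fingerprint --with-colons` output (not captured
# from the real Netcool Operations Insight key): one primary key plus one
# subkey, with made-up fingerprints. In gpg's colon format the record type is
# field 1 and the fingerprint of an "fpr" record is field 10.
SAMPLE_COLONS = """\
tru::1:1633970000:0:3:1:5
pub:-:2048:1:DDDD4444EEEE5555:1610322176:::-:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:-::::1610322176::0123456789ABCDEF0123456789ABCDEF01234567::NetcoolOperationsInsight::::::::::0:
sub:-:2048:1:1111000099998888:1610322176::::::e::::::23:
fpr:::::::::7777666655554444333322221111000099998888:
"""
FPR_RE = re.compile(r"[0-9A-F]{40}")


def primary_fingerprint(colons_output: str) -> str:
    """Return the primary key's fingerprint: the first fpr record after pub.

    Raises ValueError when no usable fingerprint is present, so a caller
    never passes an empty or malformed value to skopeo standalone-verify.
    """
    in_primary = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            in_primary = True
        elif fields[0] == "sub":
            in_primary = False
        elif fields[0] == "fpr" and in_primary:
            fpr = fields[9] if len(fields) > 9 else ""
            if not FPR_RE.fullmatch(fpr):
                raise ValueError(f"malformed fingerprint record: {line!r}")
            return fpr
    raise ValueError("no primary key fingerprint found")


def page_pipeline(colons_output: str) -> str:
    """Emulate `grep fpr | tr -d 'fpr:'` from the procedure: every fpr line,
    subkeys included, with the characters f, p, r and ':' deleted."""
    kept = [l for l in colons_output.splitlines() if "fpr" in l]
    return "\n".join("".join(c for c in l if c not in "fpr:") for l in kept)
```

On a real host, feed `primary_fingerprint` the output of `gpg2 --fingerprint --with-colons NetcoolOperationsInsight` and pass its single return value to skopeo standalone-verify.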