Verifying images
Learn how to verify the signatures on the IBM® Netcool® Operations Insight® images.
Digital signatures give consumers of content a way to confirm that what they download is both authentic and intact. In other words, it originated from the expected source and is what it is expected to be. All images for IBM Netcool Operations Insight are signed.
Prerequisites
The following items are the prerequisites to run a signature verification:
- Install the following tools on your workstation (these tools are usually installed on Linux® by using the package manager):
  - GNU Privacy Guard v2
  - OpenSSL
  - Skopeo
- The IBM Netcool Operations Insight public key must exist on the same workstation where you installed the tools. Copy the following text exactly as shown into a text editor and save it in a file named eventmanager-public.pub.asc:
- Copy the following text exactly as shown into a text editor and save it in a file named eventmanager-public.pem.cer.
- Copy the following text exactly as shown into a text editor and save it in a file named eventmanager-public.pem.chain.
Procedure
- Install the certificate in the public key ring.
gpg2 --import eventmanager-public.pub.asc
Output resembles the following example:
gpg: key 58564C9D2A5048C2: "International Business Machines Corporation <psirt@us.ibm.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
- Use the Online Certificate Status Protocol (OCSP) to check the certificate validity.
openssl ocsp -no_nonce -issuer eventmanager-public.pem.chain -cert eventmanager-public.pem.cer -VAfile eventmanager-public.pem.chain -text -url http://ocsp.digicert.com -respout ocsptest
Output resembles the following example:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 915DEAC5D1E15E49646B8A94E04E470958C9BB89
          Issuer Key Hash: 6837E0EBB63BF85F1186FBFE617B088865F44E42
          Serial Number: 020A747F6FE4A5DCB842E86B9F524A4F
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 6837E0EBB63BF85F1186FBFE617B088865F44E42
    Produced At: Mar 9 08:37:03 2023 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 915DEAC5D1E15E49646B8A94E04E470958C9BB89
      Issuer Key Hash: 6837E0EBB63BF85F1186FBFE617B088865F44E42
      Serial Number: 020A747F6FE4A5DCB842E86B9F524A4F
    Cert Status: good
    This Update: Mar 9 08:21:02 2023 GMT
    Next Update: Mar 16 07:36:02 2023 GMT
    Signature Algorithm: sha384WithRSAEncryption
Response verify OK
PRD0010480key.pem.cer: good
    This Update: Mar 9 08:21:02 2023 GMT
    Next Update: Mar 16 07:36:02 2023 GMT
Verifying pull
- Log in to your environment.
- Create or update an /etc/containers/policy.json file or a ~/policy.json file. If you have more than one public key from another platform, or if you have more than one after the certificate renewal, you can concatenate the GPG public keys into one file. Then, use the concatenated file in place of the <public key> variable that is shown in the following example. A policy might be specified so that tools such as Skopeo and Podman are prevented from downloading images that are not signed and verified. This policy is the approved method for verifying images on bastion hosts during air-gapped deployments.
cat /etc/containers/policy.json
{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "<public key>"
        }
      ]
    }
  }
}
Where <public key>, the value of keyPath, is the path to the Netcool Operations Insight public certificate. An attempt to download an unsigned or unauthenticated image results in failure.
- Validate by using the skopeo copy command to a local temp directory.
skopeo copy docker://icr.io/<repo/image:tag> dir:<imagedir> --src-creds cp:<IBM entitlement key>
- Validate by using the skopeo copy command to a local temp directory with the --policy option.
skopeo copy --policy ~/policy.json docker://icr.io/<repo/image:tag> dir:<imagedir>
- Validate during pull with the podman pull command.
podman pull --signature-policy ~/policy.json icr.io/<repo/image:tag>
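The policy file above only protects a host if every scope fails closed. The following check is an added example, not IBM's code: it audits a policy.json for scopes that would accept unverified images and for signedBy entries whose key file is missing. The function name, the sample key path and the weak sample policy are assumptions made for illustration.

```python
import json
import os
import sys

# Requirement types that either verify a signature or refuse the image.
ENFORCING = {"reject", "signedBy", "sigstoreSigned"}

# The page's policy; the keyPath value is a constructed sample path.
PAGE_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {"": [{
        "type": "signedBy", "keyType": "GPGKeys",
        "keyPath": "/etc/pki/eventmanager-public.pub.asc"}]}},
}
# Constructed weak policy: every image is accepted without verification.
WEAK_POLICY = {"default": [{"type": "insecureAcceptAnything"}]}


def audit_policy(policy, key_exists=os.path.isfile):
    """Return a list of findings; an empty list means the policy fails closed."""
    findings = []

    def check(where, reqs):
        # Every requirement in a list must pass, so one enforcing entry is enough.
        if not any(r.get("type") in ENFORCING for r in reqs):
            findings.append(f"{where}: accepts images without signature verification")
        for r in reqs:
            if r.get("type") != "signedBy":
                continue
            if r.get("keyType") != "GPGKeys":
                findings.append(f"{where}: keyType is {r.get('keyType')!r}, expected 'GPGKeys'")
            paths = [r["keyPath"]] if "keyPath" in r else r.get("keyPaths", [])
            if not paths and "keyData" not in r:
                findings.append(f"{where}: signedBy has no keyPath, keyPaths or keyData")
            findings.extend(f"{where}: key file {p} not found"
                            for p in paths if not key_exists(p))

    check("default", policy.get("default", []))
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            check(f"transports.{transport}[{scope!r}]", reqs)
    return findings


if __name__ == "__main__":
    policy = WEAK_POLICY
    if len(sys.argv) > 1:  # audit a real file, e.g. /etc/containers/policy.json
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    print("\n".join(audit_policy(policy)) or "policy fails closed")
```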
Verifying a local image
- Copy the public key to the file system, such as eventmanager-public.pub.asc.
- Import the public key into the GPG keystore:
gpg --import ./eventmanager-public.pub.asc
- Find the fingerprint for the imported key:
gpg -k
or
export FINGERPRINT=$(gpg --fingerprint --with-colons | grep fpr | tr -d 'fpr:')
- Copy the image locally:
skopeo copy docker://icr.io/<repo/image:tag> dir:<imagedir> --src-creds cp:<IBM entitlement key>
- Use the skopeo standalone-verify command to verify the image signature.
skopeo standalone-verify <imagedir>/manifest.json icr.io/<repo:tag> <gpgkeyfingerprint> <imagedir>/signature
Verifying the image results in an output that is similar to the following example:
Signature verified, digest sha256:62f787b94e5faddb79f96c84ac0877aaf28fb325bfc3601b9c0934d4c107ba94
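The grep-based FINGERPRINT command in the procedure above returns one line per fpr record, so a keyring that holds subkeys or other keys yields several values. The following added example, not part of the IBM procedure, parses the same gpg --with-colons output and returns only the primary-key fingerprint of a usable key for one user ID. The function names and the sample listing are constructed for illustration, and the sample records leave unused fields blank.

```python
import subprocess

UNUSABLE = ("e", "r", "i")  # expired, revoked, invalid (validity field)


def primary_fingerprints(listing, uid_contains):
    """Primary-key fingerprints of usable keys whose user ID matches."""
    found, fpr, usable, primary = [], None, False, False
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue  # trust-db or malformed line
        kind = f[0]
        if kind == "pub":  # start of a new key block
            fpr, primary, usable = None, True, f[1] not in UNUSABLE
        elif kind == "sub":  # fpr records after this belong to a subkey
            primary = False
        elif kind == "fpr" and primary and fpr is None:
            fpr = f[9]  # field 10 carries the fingerprint
        elif kind == "uid" and usable and fpr and uid_contains in f[9]:
            if fpr not in found:
                found.append(fpr)
    return found


def select_fingerprint(listing, uid_contains):
    """Return the single matching fingerprint or raise if it is ambiguous."""
    found = primary_fingerprints(listing, uid_contains)
    if len(found) != 1:
        raise ValueError(f"expected one usable key for {uid_contains!r}, found {len(found)}")
    return found[0]


def rec(kind, validity, field10):
    """Build a constructed colon record with only fields 1, 2 and 10 set."""
    return ":".join([kind, validity] + [""] * 7 + [field10, ""])


# Constructed keyring: a valid key with a subkey, plus an expired key, same UID.
FPR_A, FPR_SUB, FPR_OLD = "A" * 40, "B" * 40, "C" * 40
UID = "Example Signer <signer@example.com>"
SAMPLE = "\n".join([
    rec("pub", "-", ""), rec("fpr", "", FPR_A), rec("uid", "-", UID),
    rec("sub", "-", ""), rec("fpr", "", FPR_SUB),
    rec("pub", "e", ""), rec("fpr", "", FPR_OLD), rec("uid", "e", UID),
])

if __name__ == "__main__":
    out = subprocess.run(["gpg", "--fingerprint", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    print(select_fingerprint(out, "psirt@us.ibm.com"))
```

Pass the printed value as the fingerprint argument of skopeo standalone-verify.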