Verifying images

Learn how to verify the signatures on the IBM® Netcool® Operations Insight® images.

Digital signatures provide a way for consumers of content to ensure that what they download is both authentic and has integrity. In other words, it originated from the expected source and is what it is expected to be. All images for IBM Netcool Operations Insight are signed.

Prerequisites

The following items are the prerequisites to run a signature verification:

  1. Install the following tools on your workstation (these tools are usually installed on Linux® by using the package manager):
    • GNU Privacy Guard v2
    • OpenSSL
    • Skopeo
  2. The IBM Netcool Operations Insight public key must exist on the same workstation where you installed the tools. Copy the following text exactly as shown into a text editor and save it in a file named eventmanager-public.pub.asc:
  3. Copy the following text exactly as shown into a text editor and save it in a file named eventmanager-public.pem.cer.
  4. Copy the following text exactly as shown into a text editor and save it in a file named eventmanager-public.pem.chain.

Procedure

  1. Install the certificate in the public key ring.
    gpg2 --import eventmanager-public.pub.asc

    Output resembles the following example:

    gpg: key 58564C9D2A5048C2: "International Business Machines Corporation <psirt@us.ibm.com>" imported
    gpg: Total number processed: 1
    gpg:              imported: 1
  2. Use the Online Certificate Status Protocol (OCSP) to check the validity of the certificate.
    openssl ocsp -no_nonce -issuer eventmanager-public.pem.chain -cert eventmanager-public.pem.cer -VAfile eventmanager-public.pem.chain -text -url http://ocsp.digicert.com -respout ocsptest

    Output resembles the following example:

    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 915DEAC5D1E15E49646B8A94E04E470958C9BB89
              Issuer Key Hash: 6837E0EBB63BF85F1186FBFE617B088865F44E42
              Serial Number: 020A747F6FE4A5DCB842E86B9F524A4F
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 6837E0EBB63BF85F1186FBFE617B088865F44E42
        Produced At: Mar  9 08:37:03 2023 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 915DEAC5D1E15E49646B8A94E04E470958C9BB89
          Issuer Key Hash: 6837E0EBB63BF85F1186FBFE617B088865F44E42
          Serial Number: 020A747F6FE4A5DCB842E86B9F524A4F
        Cert Status: good
        This Update: Mar  9 08:21:02 2023 GMT
        Next Update: Mar 16 07:36:02 2023 GMT
    
        Signature Algorithm: sha384WithRSAEncryption
    Response verify OK
    PRD0010480key.pem.cer: good
    	This Update: Mar  9 08:21:02 2023 GMT
    	Next Update: Mar 16 07:36:02 2023 GMT
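
The OCSP output from step 2 can be checked by a script instead of by eye. The following is an added example, not part of the IBM procedure: it rejects a response unless the responder signature verified, the status is good, and the current time falls inside the This Update / Next Update window. That window matters because the command uses -no_nonce, so it is the only protection against a replayed response. The sample text is constructed from the output format shown above, and the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Constructed sample, trimmed from the output format shown in step 2.
SAMPLE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Mar  9 08:21:02 2023 GMT
    Next Update: Mar 16 07:36:02 2023 GMT
Response verify OK
eventmanager-public.pem.cer: good
"""


def parse_time(text, field):
    """Return the first 'This Update' / 'Next Update' value as an aware datetime."""
    m = re.search(rf"^\s*{field}: (.+) GMT\s*$", text, re.M)
    if not m:
        return None
    stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)


def check_ocsp(text, now):
    """Return reasons to reject the response; an empty list means acceptable."""
    problems = []
    if "OCSP Response Status: successful" not in text:
        problems.append("responder did not return a successful response")
    if not re.search(r"^Response verify OK\s*$", text, re.M):
        problems.append("responder signature was not verified")
    statuses = re.findall(r"^\s*Cert Status: (\w+)", text, re.M)
    if statuses != ["good"]:
        problems.append(f"certificate status is {statuses or 'missing'}")
    this_update = parse_time(text, "This Update")
    next_update = parse_time(text, "Next Update")
    if this_update is None or this_update > now:
        problems.append("This Update is missing or in the future")
    if next_update is None or next_update < now:
        problems.append("response is stale (past Next Update)")
    return problems


if __name__ == "__main__":
    print(check_ocsp(SAMPLE, datetime.now(timezone.utc)))
```

When feeding real output to check_ocsp, capture both stdout and stderr of the openssl command so that the verification line is included.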
    

Verifying pull

  1. Log in to your environment.
  2. Create or update an /etc/containers/policy.json file or ~/policy.json file. If you have more than one public key, for example a key from another platform or an additional key after a certificate renewal, you can concatenate the GPG public keys into one file. Then, use the concatenated file in place of the <public key> variable that is shown in the following example.

    A policy can be specified so that tools such as Skopeo and Podman are prevented from downloading images that are not signed and verified. This policy is the approved method for verifying images on bastion hosts during air-gapped deployments.

    cat /etc/containers/policy.json
    {
        "default": [
            {
                "type": "reject"
            }
        ],
        "transports":
            {
                "docker":
                    {
                        "": [{ "type": "signedBy", "keyType": "GPGKeys", "keyPath": "<public key>"}]
                    }
            }
    }
    

    Where <public key> is the path to the Netcool Operations Insight public key file. An attempt to download an unsigned or unauthenticated image results in failure.

  3. Validate by using the skopeo copy command to copy the image to a local temporary directory.
    skopeo copy docker://icr.io/<repo/image:tag> dir:<imagedir> --src-creds cp:<IBM entitlement key>
  4. Validate by using the skopeo copy command to copy the image to a local temporary directory with the --policy option.
    skopeo copy --policy ~/policy.json docker://icr.io/<repo/image:tag> dir:<imagedir>
  5. Validate during pull with the podman pull command.
    podman pull --signature-policy ~/policy.json icr.io/<repo/image:tag>
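
A policy file like the one in step 2 only protects a pull if the rule that actually applies to the image is the signedBy rule. The following is an added example, not IBM's or the containers project's code: it resolves which scope applies to one image reference and reports weaknesses. The key path is a constructed placeholder for <public key>, the weak policy is constructed, and scope matching is simplified (the most specific docker scope wins, wildcard scopes are ignored).

```python
import json

# The policy from the page; the keyPath value is a constructed placeholder path.
PAGE_POLICY = json.loads("""
{"default": [{"type": "reject"}],
 "transports": {"docker": {"": [
   {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/eventmanager-public.pub.asc"}]}}}
""")

# Constructed weak variant: permissive default, plus an "icr.io" scope that
# overrides the signedBy rule under "" for every image on that registry.
WEAK_POLICY = json.loads("""
{"default": [{"type": "insecureAcceptAnything"}],
 "transports": {"docker": {
   "": [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/eventmanager-public.pub.asc"}],
   "icr.io": [{"type": "insecureAcceptAnything"}]}}}
""")

def scope_candidates(ref):
    """Yield docker scopes for ref, most specific first (wildcard scopes ignored)."""
    yield ref
    name = ref.split("@")[0]
    if ":" in name.rsplit("/", 1)[-1]:  # strip a tag, but not a registry port
        name = name.rsplit(":", 1)[0]
    while name:
        yield name
        name = name.rsplit("/", 1)[0] if "/" in name else ""
    yield ""

def effective_requirements(policy, ref, transport="docker"):
    """Return (matched scope, requirements); scope None means top-level default."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in scope_candidates(ref):
        if scope in scopes:
            return scope, scopes[scope]
    return None, policy.get("default", [])

def audit(policy, ref):
    """Return findings for one image reference; an empty list means enforced."""
    findings = []
    if [r.get("type") for r in policy.get("default", [])] != ["reject"]:
        findings.append("default is not reject")
    scope, reqs = effective_requirements(policy, ref)
    for r in reqs:
        kind = r.get("type")
        has_key = any(r.get(k) for k in ("keyPath", "keyPaths", "keyData"))
        if kind == "insecureAcceptAnything":
            findings.append(f"scope {scope!r} accepts unsigned images")
        elif kind == "signedBy" and not has_key:
            findings.append(f"scope {scope!r} has signedBy without a key")
    return findings
```

For the weak policy, audit reports that an icr.io image never reaches the signedBy rule, even though that rule is still present in the file.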

Verifying a local image

  1. Copy the public key to the file system, such as eventmanager-public.pub.asc.
  2. Import the public key into the GPG keystore:
    gpg --import ./eventmanager-public.pub.asc
  3. Find the fingerprint for the imported key:
    gpg -k
    or
    export FINGERPRINT=$(gpg --fingerprint --with-colons 58564C9D2A5048C2 | awk -F: '$1 == "fpr" { print $10; exit }')
  4. Copy the image locally:
    skopeo copy docker://icr.io/<repo/image:tag> dir:<imagedir> --src-creds cp:<IBM entitlement key>
  5. Use the skopeo standalone-verify command to verify the image signature.
    skopeo standalone-verify <imagedir>/manifest.json icr.io/<repo/image:tag> <gpgkeyfingerprint> <imagedir>/signature
    Verifying the image results in an output that is similar to the following example:
    Signature verified, digest sha256:62f787b94e5faddb79f96c84ac0877aaf28fb325bfc3601b9c0934d4c107ba94