Verifying code-signed images for WebSphere Liberty operator

All images for WebSphere® Liberty operator are signed. Use the image signatures to verify the authenticity and integrity of the images that you downloaded.

Before you begin

To verify image signatures, you must install the following command-line tools: The following WebSphere Liberty public key must exist on the same machine as the command-line tools. Copy the following text box exactly as shown into a text editor and save it as a file named wlo.gpg:
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGPmbEgBEADngOaoWkCGOA6wEXSEiy0p/ccG0vmRdMQzm4o0sIPsZ+spdj1b
VQAZx23yGctE30JTu2YAaZEyH2cqgO+iEGMSz9yY6PDwcIn5y7N+tNXoUKdinPJ2
6T4bTypJ1SileGncUVU3U1xAZIH2Cmcn5wmXS/9GKIbtkUQ708RQLKVEFESpjgjr
VKjpxn8pd+0niQniq5h7iNf6cYAQnCsdH/z8oifWnacipEuBDJ9lF30YRiLhK7m6
FTOdBGeF7XohUOI/AGw0erEuTc80YvX/i+IUmf/hqHxY+A/hEjgFkvXxh8zAmCDU
It1v/LV+c9vdjz/hNb+jGI1te3z3xMDQz1WCMIYflyw6ex9nmP7EcFFPG/kRVAMx
cu+glm71QC7Q9ftx1ZvAfYXhNMCr6b91z1e3XYM/Whx9qNkyc8MnoZtq5lxJGRkL
rgB8RrWGP55R7oWbEn80ppT6MtINy6Ft7TZhnjsI6VEsEcB2qi6TC/0/29z9c2z6
DuFFDQ/y/Naqb+mbDhdahhX1t5ABWTgcv+h+EZzs1QRV/ScBFqJMgV6O+BNbsXpZ
/1z0crs6yAHQujK4mgoHEyEiP7/3OVF1Wazlyap9PwU7Y4LKEfdrO2+CIR5AuivR
3PRNhU5NWYvEn9bnIXMsacAfLBTv5lFZqT15PFggtoonDZJHCIncnoQyQwARAQAB
tD5JbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0aW9uIDxw
c2lydEB1cy5pYm0uY29tPokCOgQTAQgAJAUCY+ZsSAIbDwULCQgHAgYVCgkICwIE
FgIDAQIeAQUJB4TN/wAKCRC9n9W+nmjKAGHmD/9QDewA9bYLE6SAePCyFg2/tWAe
U2Ot+nO2QtUn0amF0hPNIv2q4sgVoJ/4tfMyK2JytuvfHCbWlM6rGaUhAdOlR83Q
ATl8d1KhWEOnYDwiBrOlOkyn/Qw3Wv209bNDpd3Y6l1Kootv8F1xbCszkYc1FsJB
Y3i4Cu2asQR3eMCNqAQTIsfKQRWc6dtn9/L0allKR+OOAJRlHZ3woRUbb0NeOYjM
44awORcHvuO7nivIWNntKrqCg/twVVtQrVcLbr9p60adTLQ2kC/E6t5J2G0gy4sX
jy+GAHdZlXr8Yl0wUE36n5bmo016gfV1mlxj1StpHi4kVTB/8xEQBBxaPnaRB7TF
SCTIhAdTt6+Ko+QVLGMEChDJ5HSzDKzSVK/p6BhesFz5xADH2aNdMw4xzwf56Ooa
prAaTQtSE9/LlQQZ+GvAJaeUj8e1Dtu0yQrXanyrMkRl1iNywYNXTB/cbALp06SI
BcRRdyVghNF2kcm6sEhWKS2IyTqLNM7t3UV9SLZanBT1/PlBHifoC/GWR8mAVcUl
wWWLiisj04+mDuy/J9Gu6R8PNS+WQo6aHZPOjN3k1boHjrLzpc6/0DX5p+1AwsYo
Omz0ERJdt888LZ4HY+iEC/G2VMqCMn8iS1Q0KbZ+H8gS3Q194UqFUa6M3JOmfZdQ
rRtygUT5grK8h6/pFg==
=rXKG
-----END PGP PUBLIC KEY BLOCK-----

Procedure

  1. Import the WebSphere Liberty public key file on the machine that you prepared in the prerequisites section.
    sudo gpg2 --import wlo.gpg
  2. Export the fingerprint to make it available for the verification command.
    export fingerprint=E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00
  3. Create a directory for each image that you want to verify and use the skopeo copy command to pull the image into local storage.

    This command also copies the signature file that you use to verify the image.

    The following example creates a directory that is named operator-image and copies the websphere-liberty-operator:1.3.2-amd64 image to that directory.

    mkdir operator-image
    skopeo copy docker://icr.io/cpopen/websphere-liberty-operator:1.3.2-amd64 dir:./operator-image
    This example shows the operator image for the Linux® x86_64 (amd64) platform but the operator is also available for the Linux on Power® (ppc64le) or Linux on IBM Z (s390x) platform. Specify the corresponding image name for your platform.
    Repeat this step for any additional images that you want to verify, such as the bundle or catalog:
    • icr.io/cpopen/websphere-liberty-operator-bundle:1.3.2
    • icr.io/cpopen/websphere-liberty-operator-catalog:1.3.2-<amd64 | ppc64le | s390x>
  4. Run the skopeo standalone-verify command to verify each image by using the corresponding fingerprint and signature file.
    The following example verifies the image from the example in the previous step:
    skopeo standalone-verify ./operator-image/manifest.json icr.io/cpopen/websphere-liberty-operator:1.3.2-amd64  ${fingerprint} ./operator-image/signature-1

Results

If the verification is successful, the following message displays:
Signature verified