mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
75 lines
3.1 KiB
Plaintext
75 lines
3.1 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/container_security/security-container-signature.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="containers-signature-verify-skopeo_{context}"]
|
|
= Using skopeo to verify signatures of Red Hat container images
|
|
|
|
You can verify the signatures for container images included in an {product-title} release image by pulling those signatures from link:https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/[OCP release mirror site]. Because the signatures on the mirror site are not in a format readily understood by Podman or CRI-O, you can use the `skopeo standalone-verify` command to verify that the your release images are signed by Red Hat.
|
|
|
|
.Prerequisites
|
|
|
|
* You have installed the `skopeo` command-line utility.
|
|
|
|
.Procedure
|
|
|
|
. Get the full SHA for your release by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc adm release info <release_version> \ <1>
|
|
----
|
|
<1> Substitute <release_version> with your release number, for example, `4.14.3`.
|
|
+
|
|
.Example output snippet
|
|
+
|
|
[source,terminal]
|
|
----
|
|
---
|
|
Pull From: quay.io/openshift-release-dev/ocp-release@sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55
|
|
---
|
|
----
|
|
|
|
. Pull down the Red Hat release key by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt
|
|
----
|
|
|
|
. Get the signature file for the specific release that you want to verify by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ curl -o signature-1 https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/sha256=<sha_from_version>/signature-1 \ <1>
|
|
----
|
|
<1> Replace `<sha_from_version>` with SHA value from the full link to the mirror site that matches the SHA of your release. For example, the link to the signature for the 4.12.23 release is `https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/sha256=e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55/signature-1`, and the SHA value is `e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55`.
|
|
|
|
. Get the manifest for the release image by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ skopeo inspect --raw docker://<quay_link_to_release> > manifest.json \ <1>
|
|
----
|
|
<1> Replace `<quay_link_to_release>` with the output of the `oc adm release info` command. For example, `quay.io/openshift-release-dev/ocp-release@sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55`.
|
|
|
|
. Use skopeo to verify the signature:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ skopeo standalone-verify manifest.json quay.io/openshift-release-dev/ocp-release:<release_number>-<arch> any signature-1 --public-key-file pub.key
|
|
----
|
|
+
|
|
where:
|
|
+
|
|
`<release_number>`:: Specifies the release number, for example `4.14.3`.
|
|
`<arch>`:: Specifies the architecture, for example `x86_64`.
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
Signature verified using fingerprint 567E347AD0044ADE55BA8A5F199E2F91FD431D51, digest sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55
|
|
----
|
|
|