openshift-docs/modules/containers-signature-verify-unsigned.adoc

// Module included in the following assemblies:
//
// * security/container_security/security-container-signature.adoc

:_mod-docs-content-type: CONCEPT
[id="containers-signature-verify-artifacts_{context}"]
= Understanding the verification of container images lacking verifiable signatures

Each {product-title} release image is immutable and signed with a Red Hat production key. During an {product-title} update or installation, a release image might deploy container images that do not have verifiable signatures. Each signed release image digest is immutable. Each reference in the release image is to the immutable digest of another image, so the contents can be trusted transitively. In other words, the signature on the release image validates all release contents.

For example, the image references lacking a verifiable signature are contained in the signed {product-title} release image:

.Example release info output
[source,terminal]
----
$ oc adm release info quay.io/openshift-release-dev/ocp-release@sha256:2309578b68c5666dad62aed696f1f9d778ae1a089ee461060ba7b9514b7ca417 -o pullspec <1>
quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9aafb914d5d7d0dec4edd800d02f811d7383a7d49e500af548eab5d00c1bffdb <2>
----

<1> Signed release image SHA.
<2> Container image lacking a verifiable signature included in the release.

[id="containers-signature-verification-automatic_{context}"]
== Automated verification during updates
Verification of signatures is automatic. The OpenShift Cluster Version Operator (CVO) verifies signatures on the release images during an {product-title} update. This is an internal process. An {product-title} installation or update fails if the automated verification fails.

Verification of signatures can also be done manually using the `skopeo` command-line utility.