|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * security/container_security/security-container-signature.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="containers-signature-verify-skopeo_{context}"] |
| 7 | += Using skopeo to verify signatures of Red Hat container images |
| 8 | + |
| 9 | +You can verify the signatures for container images included in an {product-title} release image by pulling those signatures from link:https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/[OCP release mirror site]. Because the signatures on the mirror site are not in a format readily understood by Podman or CRI-O, you can use the `skopeo standalone-verify` command to verify that the your release images are signed by Red Hat. |
| 10 | + |
| 11 | +.Prerequisites |
| 12 | + |
| 13 | +* You have installed the `skopeo` command-line utility. |
| 14 | +
|
| 15 | +.Procedure |
| 16 | + |
| 17 | +. Get the full SHA for your release by running the following command: |
| 18 | ++ |
| 19 | +[source,terminal] |
| 20 | +---- |
| 21 | +$ oc adm release info <release_version> \ <1> |
| 22 | +---- |
| 23 | +<1> Substitute <release_version> with your release number, for example, `4.14.3`. |
| 24 | ++ |
| 25 | +.Example output snippet |
| 26 | ++ |
| 27 | +[source,terminal] |
| 28 | +---- |
| 29 | +--- |
| 30 | +Pull From: quay.io/openshift-release-dev/ocp-release@sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55 |
| 31 | +--- |
| 32 | +---- |
| 33 | +
|
| 34 | +. Pull down the Red Hat release key by running the following command: |
| 35 | ++ |
| 36 | +[source,terminal] |
| 37 | +---- |
| 38 | +$ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt |
| 39 | +---- |
| 40 | +
|
| 41 | +. Get the signature file for the specific release that you want to verify by running the following command: |
| 42 | ++ |
| 43 | +[source,terminal] |
| 44 | +---- |
| 45 | +$ curl -o signature-1 https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/sha256%<sha_from_version>/signature-1 \ <1> |
| 46 | +---- |
| 47 | +<1> Replace `<sha_from_version>` with SHA value from the full link to the mirror site that matches the SHA of your release. For example, the link to the signature for the 4.12.23 release is `https://mirror.openshift.com/pub/openshift-v4/signatures/openshift-release-dev/ocp-release/sha256%e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55/signature-1`, and the SHA value is `e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55`. |
| 48 | +
|
| 49 | +. Get the manifest for the release image by running the following command: |
| 50 | ++ |
| 51 | +[source,terminal] |
| 52 | +---- |
| 53 | +$ skopeo inspect --raw docker://<quay_link_to_release> > manifest.json \ <1> |
| 54 | +---- |
| 55 | +<1> Replace `<quay_link_to_release>` with the output of the `oc adm release info` command. For example, `quay.io/openshift-release-dev/ocp-release@sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55`. |
| 56 | +
|
| 57 | +. Use skopeo to verify the signature: |
| 58 | ++ |
| 59 | +[source,terminal] |
| 60 | +---- |
| 61 | +$ skopeo standalone-verify manifest.json quay.io/openshift-release-dev/ocp-release:<release_number>-<arch> any signature-1 --public-key-file pub.key |
| 62 | +---- |
| 63 | ++ |
| 64 | +where: |
| 65 | ++ |
| 66 | +`<release_number>`:: Specifies the release number, for example `4.14.3`. |
| 67 | +`<arch>`:: Specifies the architecture, for example `x86_64`. |
| 68 | ++ |
| 69 | +.Example output |
| 70 | +[source,terminal] |
| 71 | +---- |
| 72 | +Signature verified using fingerprint 567E347AD0044ADE55BA8A5F199E2F91FD431D51, digest sha256:e73ab4b33a9c3ff00c9f800a38d69853ca0c4dfa5a88e3df331f66df8f18ec55 |
| 73 | +---- |
| 74 | +
|
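Review bot: the signature URL in the `curl -o signature-1` step looks wrong: `sha256%<sha_from_version>` (and `sha256%e73ab4b3...` in the callout example) has a bare `%` directly before hex, so a client will try to percent-decode `%e7`; please check the directory naming against the mirror listing linked in the intro (the directory separator there is an encoded `=`, i.e. `sha256%3D<digest>`, as far as I can tell) and fix both the command and the example link. The same callout also calls the digest "the 4.12.23 release", while the `oc adm release info` example above uses `4.14.3` and shows that digest; pick one version so the example is internally consistent. Three commands end in `\ <1>` (`oc adm release info ... \`, `curl -o signature-1 ... \`, `skopeo inspect --raw ... \`) with nothing after the backslash, so a reader who copies the line gets a dangling continuation; drop the backslash and leave only the callout marker. Prerequisites list only `skopeo`, but the procedure also runs `oc` and `curl`; add them. Small wording fixes: "verify that the your release images" in the intro, "with SHA value" in the signature callout, and "the output of the `oc adm release info` command" in the manifest callout should name the `Pull From:` value specifically, since that is the only part of the output being reused. Finally, the verify step passes `any` as the key fingerprint; since the example output already shows the expected fingerprint `567E347AD0044ADE55BA8A5F199E2F91FD431D51`, consider documenting that the reader should confirm the fingerprint of the key they downloaded matches it, or pass that fingerprint instead of `any`, so verification is pinned to the Red Hat release key rather than to whatever `pub.key` happens to contain.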