Verify signatures for container images in Open Liberty
All the Open Liberty container images are digitally signed. You can use the Open Liberty public key to check the signature, verify that the image was created by Open Liberty, and that it was not modified since its release.
Before you begin
Before you can verify image signatures, you must install the following tools:
The following Open Liberty public key must exist on the same machine as the command-line tools. Copy the following text box exactly as shown into a text editor and save it as a file named ol.gpg
.
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGPmbEgBEADngOaoWkCGOA6wEXSEiy0p/ccG0vmRdMQzm4o0sIPsZ+spdj1b VQAZx23yGctE30JTu2YAaZEyH2cqgO+iEGMSz9yY6PDwcIn5y7N+tNXoUKdinPJ2 6T4bTypJ1SileGncUVU3U1xAZIH2Cmcn5wmXS/9GKIbtkUQ708RQLKVEFESpjgjr VKjpxn8pd+0niQniq5h7iNf6cYAQnCsdH/z8oifWnacipEuBDJ9lF30YRiLhK7m6 FTOdBGeF7XohUOI/AGw0erEuTc80YvX/i+IUmf/hqHxY+A/hEjgFkvXxh8zAmCDU It1v/LV+c9vdjz/hNb+jGI1te3z3xMDQz1WCMIYflyw6ex9nmP7EcFFPG/kRVAMx cu+glm71QC7Q9ftx1ZvAfYXhNMCr6b91z1e3XYM/Whx9qNkyc8MnoZtq5lxJGRkL rgB8RrWGP55R7oWbEn80ppT6MtINy6Ft7TZhnjsI6VEsEcB2qi6TC/0/29z9c2z6 DuFFDQ/y/Naqb+mbDhdahhX1t5ABWTgcv+h+EZzs1QRV/ScBFqJMgV6O+BNbsXpZ /1z0crs6yAHQujK4mgoHEyEiP7/3OVF1Wazlyap9PwU7Y4LKEfdrO2+CIR5AuivR 3PRNhU5NWYvEn9bnIXMsacAfLBTv5lFZqT15PFggtoonDZJHCIncnoQyQwARAQAB tD5JbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0aW9uIDxw c2lydEB1cy5pYm0uY29tPokCOgQTAQgAJAUCY+ZsSAIbDwULCQgHAgYVCgkICwIE FgIDAQIeAQUJB4TN/wAKCRC9n9W+nmjKAGHmD/9QDewA9bYLE6SAePCyFg2/tWAe U2Ot+nO2QtUn0amF0hPNIv2q4sgVoJ/4tfMyK2JytuvfHCbWlM6rGaUhAdOlR83Q ATl8d1KhWEOnYDwiBrOlOkyn/Qw3Wv209bNDpd3Y6l1Kootv8F1xbCszkYc1FsJB Y3i4Cu2asQR3eMCNqAQTIsfKQRWc6dtn9/L0allKR+OOAJRlHZ3woRUbb0NeOYjM 44awORcHvuO7nivIWNntKrqCg/twVVtQrVcLbr9p60adTLQ2kC/E6t5J2G0gy4sX jy+GAHdZlXr8Yl0wUE36n5bmo016gfV1mlxj1StpHi4kVTB/8xEQBBxaPnaRB7TF SCTIhAdTt6+Ko+QVLGMEChDJ5HSzDKzSVK/p6BhesFz5xADH2aNdMw4xzwf56Ooa prAaTQtSE9/LlQQZ+GvAJaeUj8e1Dtu0yQrXanyrMkRl1iNywYNXTB/cbALp06SI BcRRdyVghNF2kcm6sEhWKS2IyTqLNM7t3UV9SLZanBT1/PlBHifoC/GWR8mAVcUl wWWLiisj04+mDuy/J9Gu6R8PNS+WQo6aHZPOjN3k1boHjrLzpc6/0DX5p+1AwsYo Omz0ERJdt888LZ4HY+iEC/G2VMqCMn8iS1Q0KbZ+H8gS3Q194UqFUa6M3JOmfZdQ rRtygUT5grK8h6/pFg== =rXKG -----END PGP PUBLIC KEY BLOCK-----
Procedure
Import the Open Liberty public key file to GPG.
gpg2 --import ol.gpg
Run the following command to export the fingerprint to make it available for the verification command.
export fingerprint=E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00
To create a directory for an each image and pull the image into local storage using Skopeo, follow these steps:
Create a directory for the image with a name of your choice, as shown in the following example:
mkdir OpenLiberty-image
Use Skopeo to copy the container image to the newly created directory, as shown in the following example:
skopeo copy docker://icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi-amd64 dir:./OpenLiberty-image
This command pulls the
icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi-amd64
image and stores it in theOpenLiberty-image
directory. Replace these values with the image that you want to verify. This command also copies the signature file that you use to verify the image.
Run the
standalone-verify
command to verify the image by using the downloaded signature and repository, as shown in the following example:skopeo standalone-verify ./OpenLiberty-image/manifest.json icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi-amd64 ${fingerprint} ./OpenLiberty-image/signature-1
The
OpenLiberty-image
refers to the location of the copied image. The./OpenLiberty-image/signature-1
specifies the path to the signature file that is associated with the container image.