Verify signatures for container images in Open Liberty

All the Open Liberty container images are digitally signed. You can use the Open Liberty public key to check the signature, verify that the image was created by Open Liberty, and that it was not modified since its release.

Before you begin

Before you can verify image signatures, you must install the following tools:

The following Open Liberty public key must exist on the same machine as the command-line tools. Copy the following text box exactly as shown into a text editor and save it as a file named ol.gpg.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGPmbEgBEADngOaoWkCGOA6wEXSEiy0p/ccG0vmRdMQzm4o0sIPsZ+spdj1b
VQAZx23yGctE30JTu2YAaZEyH2cqgO+iEGMSz9yY6PDwcIn5y7N+tNXoUKdinPJ2
6T4bTypJ1SileGncUVU3U1xAZIH2Cmcn5wmXS/9GKIbtkUQ708RQLKVEFESpjgjr
VKjpxn8pd+0niQniq5h7iNf6cYAQnCsdH/z8oifWnacipEuBDJ9lF30YRiLhK7m6
FTOdBGeF7XohUOI/AGw0erEuTc80YvX/i+IUmf/hqHxY+A/hEjgFkvXxh8zAmCDU
It1v/LV+c9vdjz/hNb+jGI1te3z3xMDQz1WCMIYflyw6ex9nmP7EcFFPG/kRVAMx
cu+glm71QC7Q9ftx1ZvAfYXhNMCr6b91z1e3XYM/Whx9qNkyc8MnoZtq5lxJGRkL
rgB8RrWGP55R7oWbEn80ppT6MtINy6Ft7TZhnjsI6VEsEcB2qi6TC/0/29z9c2z6
DuFFDQ/y/Naqb+mbDhdahhX1t5ABWTgcv+h+EZzs1QRV/ScBFqJMgV6O+BNbsXpZ
/1z0crs6yAHQujK4mgoHEyEiP7/3OVF1Wazlyap9PwU7Y4LKEfdrO2+CIR5AuivR
3PRNhU5NWYvEn9bnIXMsacAfLBTv5lFZqT15PFggtoonDZJHCIncnoQyQwARAQAB
tD5JbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0aW9uIDxw
c2lydEB1cy5pYm0uY29tPokCOgQTAQgAJAUCY+ZsSAIbDwULCQgHAgYVCgkICwIE
FgIDAQIeAQUJB4TN/wAKCRC9n9W+nmjKAGHmD/9QDewA9bYLE6SAePCyFg2/tWAe
U2Ot+nO2QtUn0amF0hPNIv2q4sgVoJ/4tfMyK2JytuvfHCbWlM6rGaUhAdOlR83Q
ATl8d1KhWEOnYDwiBrOlOkyn/Qw3Wv209bNDpd3Y6l1Kootv8F1xbCszkYc1FsJB
Y3i4Cu2asQR3eMCNqAQTIsfKQRWc6dtn9/L0allKR+OOAJRlHZ3woRUbb0NeOYjM
44awORcHvuO7nivIWNntKrqCg/twVVtQrVcLbr9p60adTLQ2kC/E6t5J2G0gy4sX
jy+GAHdZlXr8Yl0wUE36n5bmo016gfV1mlxj1StpHi4kVTB/8xEQBBxaPnaRB7TF
SCTIhAdTt6+Ko+QVLGMEChDJ5HSzDKzSVK/p6BhesFz5xADH2aNdMw4xzwf56Ooa
prAaTQtSE9/LlQQZ+GvAJaeUj8e1Dtu0yQrXanyrMkRl1iNywYNXTB/cbALp06SI
BcRRdyVghNF2kcm6sEhWKS2IyTqLNM7t3UV9SLZanBT1/PlBHifoC/GWR8mAVcUl
wWWLiisj04+mDuy/J9Gu6R8PNS+WQo6aHZPOjN3k1boHjrLzpc6/0DX5p+1AwsYo
Omz0ERJdt888LZ4HY+iEC/G2VMqCMn8iS1Q0KbZ+H8gS3Q194UqFUa6M3JOmfZdQ
rRtygUT5grK8h6/pFg==
=rXKG
-----END PGP PUBLIC KEY BLOCK-----

Procedure

  1. Import the Open Liberty public key file to GPG.

    gpg2 --import ol.gpg
  2. Run the following command to export the fingerprint to make it available for the verification command.

    export fingerprint=E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00
  3. To create a directory for an each image and pull the image into local storage using Skopeo, follow these steps:

    • Create a directory for the image with a name of your choice, as shown in the following example:

      mkdir OpenLiberty-image
    • Use Skopeo to copy the container image to the newly created directory, as shown in the following example:

      skopeo copy docker://icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi-amd64 dir:./OpenLiberty-image

      This command pulls the icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi-amd64 image and stores it in the OpenLiberty-image directory. Replace these values with the image that you want to verify. This command also copies the signature file that you use to verify the image.

  4. Run the standalone-verify command to verify the image by using the downloaded signature and repository, as shown in the following example:

    skopeo standalone-verify ./OpenLiberty-image/manifest.json icr.io/appcafe/open-liberty:kernel-slim-java17-openj9-ubi-amd64  ${fingerprint} ./OpenLiberty-image/signature-1

    The OpenLiberty-image refers to the location of the copied image. The ./OpenLiberty-image/signature-1 specifies the path to the signature file that is associated with the container image.

Result

If the verification is successful, the following message is displayed:

Signature verified