IMPORTANT: This repo is deprecated. For up to date information on verifying Transormation Advisor signatures, please see the documentation: https://www.ibm.com/docs/en/cta?topic=planning-security-considerations
================
Install Skopeo
tool. Please use version 0.1.40+ and non-dev version.
See here for more details: https://github.com/containers/skopeo/blob/main/install.md
-
Pull docker images from docker hub, e.g.
# pull down the test image docker pull icr.io/appcafe/transformation-advisor-ui:sample-image-signing-eabde5e
-
Copy from local docker repo to a location:
# the location where you want to copy the image to mkdir -p /Users/ibm/Downloads/transformation-advisor/docker skopeo copy --dest-tls-verify=false \ docker-daemon:icr.io/appcafe/icp-transformation-advisor-ui:sample-image-signing-eabde5e \ dir:/Users/ibm/Downloads/transformation-advisor/docker
-
Download the signature, keys and certs from this repo. If you plan to verify Transformation Advisor 3.0 or older, the signature, keys and certs are in the folder
TA_3.0_and_older
# signature of the image icr.io/appcafe/icp-transformation-advisor-ui:sample-image-signing-eabde5e is located below: https://github.com/TransformationAdvisor/public/tree/master/sample/signature-sample-eabde5e The signature is used to verify the image # keys and certs tasigningcert-public.gpg: public key is used to to verify signature tasigningcert.pem: certificate is used to to verify public key tasigningcert-chain0.pem: certificate chain 0 is used to verify certificate validity, hosted on www.digicert.com
-
Import public key
# import gpg2 --import tasigningcert-public.gpg # verify gpg2 -k --fingerprint ----------------------------- pub rsa4096 2022-03-14 [SCEA] A3F3 5961 C24A 1028 D13E 6EF8 E65C C90E B50C F6E5 uid [ unknown] tasigningcert
-
Verify the cert
openssl x509 -text -in tasigningcert.pem Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA Validity Not Before: Apr 22 00:00:00 2020 GMT Not After : Apr 27 12:00:00 2022 GMT Subject: C=US, ST=New York, L=Armonk, O=International Business Machines Corporation, OU=IBM CCSS, CN=International Business Machines Corporation
-
Verify the image with signature
# location of the manifest.json: /Users/ibm/Downloads/transformation-advisor/docker/manifest.json # docker reference: transformation-advisor # The same docker reference is used for all the images # the imported public key fingerprint: A3F35961C24A1028D13E6EF8E65CC90EB50CF6E5 # the downloaded singature: /Users/ibm/Downloads/signature-sample-eabde5e skopeo standalone-verify \ /Users/ibm/Downloads/transformation-advisor/docker/manifest.json \ transformation-advisor \ A3F35961C24A1028D13E6EF8E65CC90EB50CF6E5 \ /Users/ibm/Downloads/signature-sample-eabde5e Signature verified, digest sha256:c84367ae8593c428d8174ed33097e31518169ac94e5cc03742ef1ff78d94bd5f
-
Verify the signature with keys and certs
openssl ocsp -no_nonce \ -issuer /Users/ibm/Downloads/tasigningcert-chain0.pem \ -cert /Users/ibm/Downloads/tasigningcert.pem \ -VAfile /Users/ibm/Downloads/tasigningcert-chain0.pem \ -text -url http://ocsp.digicert.com \ -respout ocsptest ... Response verify OK /Users/ibm/Downloads/tasigningcert.pem: good This Update: Jun 16 07:57:34 2020 GMT Next Update: Jun 23 07:12:34 2020 GMT