Skip to content
This repository has been archived by the owner on Mar 24, 2023. It is now read-only.

TransformationAdvisor/public

Repository files navigation

IMPORTANT: This repo is deprecated. For up to date information on verifying Transormation Advisor signatures, please see the documentation: https://www.ibm.com/docs/en/cta?topic=planning-security-considerations

================

Verify Transformation Advisor Images

Pre-req

Install Skopeo tool. Please use version 0.1.40+ and non-dev version.

See here for more details: https://github.com/containers/skopeo/blob/main/install.md

Steps to verify

  1. Pull docker images from docker hub, e.g.

     # pull down the test image
     docker pull icr.io/appcafe/transformation-advisor-ui:sample-image-signing-eabde5e
    
  2. Copy from local docker repo to a location:

     # the location where you want to copy the image to
     mkdir -p /Users/ibm/Downloads/transformation-advisor/docker
    
     skopeo copy --dest-tls-verify=false \
     docker-daemon:icr.io/appcafe/icp-transformation-advisor-ui:sample-image-signing-eabde5e \
     dir:/Users/ibm/Downloads/transformation-advisor/docker
    
  3. Download the signature, keys and certs from this repo. If you plan to verify Transformation Advisor 3.0 or older, the signature, keys and certs are in the folder TA_3.0_and_older

     # signature of the image icr.io/appcafe/icp-transformation-advisor-ui:sample-image-signing-eabde5e is located below:
     https://github.com/TransformationAdvisor/public/tree/master/sample/signature-sample-eabde5e
    
     The signature is used to verify the image
    
     # keys and certs
     tasigningcert-public.gpg: public key is used to to verify signature
     tasigningcert.pem: certificate is used to to verify public key
     tasigningcert-chain0.pem: certificate chain 0 is used to verify certificate validity, hosted on www.digicert.com
    
  4. Import public key

     # import
     gpg2 --import tasigningcert-public.gpg
    
     # verify
     gpg2 -k --fingerprint
    
     -----------------------------
     pub   rsa4096 2022-03-14 [SCEA]
           A3F3 5961 C24A 1028 D13E  6EF8 E65C C90E B50C F6E5
     uid           [ unknown] tasigningcert
    
  5. Verify the cert

     openssl x509 -text -in tasigningcert.pem
    
     Signature Algorithm: sha256WithRSAEncryption
         Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA
         Validity
             Not Before: Apr 22 00:00:00 2020 GMT
             Not After : Apr 27 12:00:00 2022 GMT
         Subject: C=US, ST=New York, L=Armonk, O=International Business Machines Corporation, OU=IBM CCSS, CN=International Business Machines Corporation
    
  6. Verify the image with signature

     # location of the manifest.json: /Users/ibm/Downloads/transformation-advisor/docker/manifest.json
     # docker reference: transformation-advisor 
     # The same docker reference is used for all the images
     # the imported public key fingerprint: A3F35961C24A1028D13E6EF8E65CC90EB50CF6E5
     # the downloaded singature: /Users/ibm/Downloads/signature-sample-eabde5e
    
     skopeo standalone-verify \
     /Users/ibm/Downloads/transformation-advisor/docker/manifest.json \
     transformation-advisor \
     A3F35961C24A1028D13E6EF8E65CC90EB50CF6E5 \
     /Users/ibm/Downloads/signature-sample-eabde5e
    
     Signature verified, digest sha256:c84367ae8593c428d8174ed33097e31518169ac94e5cc03742ef1ff78d94bd5f
    
  7. Verify the signature with keys and certs

     openssl ocsp -no_nonce \
     -issuer /Users/ibm/Downloads/tasigningcert-chain0.pem \
     -cert /Users/ibm/Downloads/tasigningcert.pem \
     -VAfile /Users/ibm/Downloads/tasigningcert-chain0.pem \
     -text -url http://ocsp.digicert.com \
     -respout ocsptest
     
     ...
     Response verify OK
     /Users/ibm/Downloads/tasigningcert.pem: good
         This Update: Jun 16 07:57:34 2020 GMT
         Next Update: Jun 23 07:12:34 2020 GMT
    

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •