How to test verifying image signatures?

Solution In Progress - Updated -

Environment

  • OpenShift Container Platform
    • 3.6 or later

Issue

Resolution

Here are the steps for using it.

1. Generate gpg key

1-1. Run rngd so that random numbers are generated faster

  # yum install rng-tools
  # rngd -r /dev/urandom     # We run rngd so that gpg gets entropy and key generation finishes faster.

1-2. Generate gpg key

  # gpg --gen-key
  // if it is just for a test, you don't need to worry about the input values //

  # gpg --list-key foo@example.com
  pub   1024D/A6E57A17 2017-12-18 [expires: 2020-12-17]
  uid                  Kenjiro <foo@example.com>

2. Push the signed image

NOTE: There are several ways to sign your image. Here we use skopeo's copy command.

2-1. Add the system:image-signer cluster role to the user

  // Run as cluster-admin //
  # oc adm policy add-cluster-role-to-user system:image-signer <USER_NAME>

2-2. Sign image by skopeo

IMPORTANT: Replace foo@example.com with the e-mail address you entered in step 1.
IMPORTANT: Replace demo1 with the name of your project.

  # skopeo --debug --tls-verify=false copy --sign-by foo@example.com --dest-creds "`oc whoami`":"`oc whoami -t`" --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:docker-registry.default.svc:5000/demo1/signed:latest

  // Make sure you don't get any error //
  ..
  DEBU[0003] Got body: {"kind":"ImageSignature","apiVersion":"v1","metadata":{"name":"sha256:7681e742c15d20c28d3f6a165e548ba351d041ea9c7f564e5b056ebe19db7380@f93f76ca5ec1d19cf54b8eb2bc5da925","selfLink":"/oapi/v1/imagesignatures/sha256%3A7681e742c15d20c28d3f6a165e548ba351d041ea9c7f564e5b056ebe19db7380%40f93f76ca5ec1d19cf54b8eb2bc5da925","uid":"7711432d-e393-11e7-8f2a-001a4a40dca2","creationTimestamp":"2017-12-18T01:33:35Z"},"type":"atomic","content":"owFNkD9LA0EQxS/xbySCKURIY9hCC02ym8veXa4TRPwAWmi3tzsXF3N3YW8TjCG9ZQrBNoUERGzsRAtr0/gFLLXURhCszCESu2HmzZvfvP7ilJHOZb6Hg+Hr6Upq9NjzjEM7/9FFXEktOWsgt4ukgFBL3UlqEfFjUEUFPigIOSB30qrLWKtOSYDPWg1ditvcpRjjsoAgIuVY1kMQboNpiDXqbSIZsDr88wxYKP3xrChkPZG4KD5iFWq5tuUQsKsVTqioYF5xhOlbjFgUaNXxmEmJwFUCrMZtn1pVoB6mFnhAasKzTQcnx3SnmbAyHQWSF3gUaiZDUIWEiumWgkQUNbWMwt+nuYKxWE12cImUcFFAG43dZDAmZEETuYQSk1rYIbTXO9uZNnJpY3YmnYRoLGSW/qL9XDYGd9cHJ5n0+tVlqj+/cf7U2N26fTAGN/fZudXsW35v+53vfz1frOVHLz8="}
  DEBU[0003] Got content-type: application/json

  Once the image copy has succeeded, you can see the image with oc get istag:

  # oc get istag
  NAME            DOCKER REF                                                                                                              UPDATED          IMAGENAME
  signed:latest   docker-registry.default.svc:5000/demo1/signed@sha256:7681e742c15d20c28d3f6a165e548ba351d041ea9c7f564e5b056ebe19db7380   19 minutes ago   sha256:7681e742c15d20c28d3f6a165e548ba351d041ea9c7f564e5b056ebe19db7380

3. Execute oc adm verify-image-signature

3-1. Add the system:image-auditor cluster role to the user

  // Run as cluster-admin //
  # oc adm policy add-cluster-role-to-user system:image-auditor <USER>

3-2. Run oc adm verify-image-signature (finally!)

NOTE: Look up the sha256:xxxx digest of your image with oc get istag.
NOTE: Replace demo1 with the name of your project.

  # oc adm verify-image-signature sha256:7681e742c15d20c28d3f6a165e548ba351d041ea9c7f564e5b056ebe19db7380 --expected-identity=docker-registry.default.svc:5000/demo1/signed:latest --public-key ~/.gnupg/pubring.gpg
  image "sha256:7681e742c15d20c28d3f6a165e548ba351d041ea9c7f564e5b056ebe19db7380" identity is now confirmed (signed by GPG key "09FAA6A0A6E57A17")
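The verification in step 3-2 only prints a message; to use it as a gate (for example before a deployment), the output has to be parsed. The following shell helpers are an added example, not part of the original solution: the function names are my own, `oc` is assumed to be on PATH with the system:image-auditor role from step 3-1, and the registry host is the one used in the examples above.

```bash
#!/usr/bin/env bash
# Added example, not part of the original solution: wraps step 3-2 so a script
# can refuse to deploy a tag whose signature is not confirmed. Function names are
# my own; `oc` on PATH and the system:image-auditor role (step 3-1) are assumed.

# Identity the signature must carry: <registry>/<project>/<tag> (registry host
# taken from the solution's examples).
expected_identity() {
  local project="$1" tag="$2" registry="${3:-docker-registry.default.svc:5000}"
  printf '%s/%s/%s\n' "$registry" "$project" "$tag"
}

# Read an `oc get istag` table on stdin and print the sha256 digest
# (IMAGENAME column) of the requested tag; fail if the tag is not listed.
istag_digest() {
  local tag="$1"
  awk -v tag="$tag" '
    $1 == tag && $NF ~ /^sha256:[0-9a-f]+$/ { print $NF; found = 1 }
    END { exit found ? 0 : 1 }'
}

# Read `oc adm verify-image-signature` output on stdin. Succeed only when the
# line for exactly this digest says the identity is confirmed, printing the
# signing GPG key ID; anything else (error text, other digests) fails.
signature_confirmed() {
  local digest="$1" line
  line=$(grep -F "image \"$digest\" identity is now confirmed (signed by GPG key \"") || return 1
  printf '%s\n' "$line" | sed -n 's/.*signed by GPG key "\([0-9A-Fa-f]*\)").*/\1/p'
}

# Gate: look up the digest for project/tag, verify it against the public key
# ring used in the solution, and return non-zero unless it is confirmed.
verify_tag() {
  local project="$1" tag="$2" pubkey="${3:-$HOME/.gnupg/pubring.gpg}"
  local digest keyid
  digest=$(oc -n "$project" get istag | istag_digest "$tag") \
    || { echo "no digest found for $project/$tag" >&2; return 1; }
  keyid=$(oc adm verify-image-signature "$digest" \
            --expected-identity="$(expected_identity "$project" "$tag")" \
            --public-key "$pubkey" 2>&1 | signature_confirmed "$digest") \
    || { echo "signature NOT confirmed for $digest" >&2; return 1; }
  echo "$digest confirmed (GPG key $keyid)"
}

# Usage in a pipeline step: verify_tag demo1 signed:latest || exit 1
```

Note that a missing tag, an error message from oc, or a confirmation line for a different digest all make verify_tag return non-zero, so the pipeline stops rather than treating any output as success.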

Root Cause

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
