IBM z/OS Product OCI Artifacts

The IBM Z® and Cloud Modernization Stack offering uses OCI artifacts to package software that can be installed onto z/OS systems using the IBM z/OS Package Manager.

What OCI artifacts are provided?

The following OCI artifacts are provided and supported by IBM z/OS Package Manager:

  • IBM 64-bit SDK for z/OS, Java™ Technology Edition
  • IBM C/C++ for Open Enterprise languages on z/OS
  • IBM Open Enterprise SDK for Go
  • IBM Open Enterprise SDK for Node.js
  • IBM Open Enterprise SDK for Python
  • IBM Z Open Automation Utilities

OCI artifacts are signed, and the signature that is created can be verified. A digital signature provides a way for consumers of content to ensure that what they download is both authentic (it originated from the expected source) and has integrity (it is what we expect it to be).

Verifying OCI artifact signatures by using Skopeo

This section describes how to verify the signatures of the OCI artifacts by using Skopeo.

Prerequisites

To perform signature verification, the host machine must have the command line tools used in the procedure below, gpg2 and skopeo, installed (they can usually be installed on Linux using the package manager).

The IBM Z and Cloud Modernization Stack public key must exist on the same host machine as above. Copy the text block below exactly as shown into a text editor, and save it in a file named public.gpg.


Procedure

  1. Import the IBM Z and Cloud Modernization Stack public key on the machine you prepared according to the Prerequisites section above:
     sudo gpg2 --import public.gpg
  2. Calculate the fingerprint (the first fpr record is the primary key's fingerprint; later fpr records belong to subkeys and must not be included):
     fingerprint=$(sudo gpg2 --fingerprint --with-colons zpm | grep fpr | head -n 1 | tr -d 'fpr:')

Note: This command stores the key's fingerprint in a shell variable called fingerprint, which is needed for the command that verifies the signature. When you exit your shell session, the variable is deleted. The next time you log in to your machine, you can set it again by rerunning the command.

  3. Create a directory for the artifact and use skopeo to pull it into local storage:
     mkdir artifact
     skopeo --override-os linux copy docker://icr.io/zpm/<oci_artifact_name>:<version> dir:./artifact

This command downloads the image as a set of files and places them in the artifact directory (or another directory that you choose). Replace oci_artifact_name and version with the OCI artifact and version that you want to verify. For example, oci_artifact_name could be node and version could be 16.0.0.2, which gives node:16.0.0.2.

  4. Verify the signature:
     skopeo standalone-verify ./artifact/manifest.json icr.io/zpm/<oci_artifact_name>:<version> ${fingerprint} ./artifact/signature-1

Verification confirmation output will be similar to:

Signature verified, digest sha256:0000000000000000000000000000000000000000000000000000000000000000
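The Skopeo procedure above as one fail-closed script, added here as an example and not taken from IBM's documentation. It assumes gpg2 and skopeo are installed, that public.gpg is in the working directory, and that the key's user ID is zpm (as the fingerprint command above assumes); unlike the steps above it runs as the current user without sudo, and it selects the primary key's fingerprint explicitly so that a subkey fingerprint is never passed to skopeo.

```shell
#!/bin/sh
# Added example, not IBM's own tooling: the Skopeo verification steps
# above as one fail-closed script. Assumes gpg2 and skopeo are installed,
# public.gpg is in the working directory, and the key's user ID is "zpm".

# Print the primary key's fingerprint from `gpg2 --with-colons` output
# read on stdin. Field 10 of an "fpr" record is the fingerprint; the
# "fpr" record that follows "pub" belongs to the primary key, while the
# "fpr" records that follow "sub" records are subkey fingerprints, which
# skopeo standalone-verify would reject.
primary_fingerprint() {
    awk -F: '$1 == "pub" { p = 1; next }
             $1 == "sub" { p = 0 }
             p && $1 == "fpr" { print $10; exit }'
}

# Import the public key, then print the primary fingerprint of the key
# whose user ID matches $1.
import_key_fingerprint() {
    gpg2 --import public.gpg >/dev/null 2>&1 || return 1
    gpg2 --fingerprint --with-colons "$1" | primary_fingerprint
}

# Pull icr.io/zpm/<name>:<version> into <dir> and verify its signature
# against <fingerprint>. skopeo exits non-zero on any mismatch (wrong key,
# wrong reference, altered manifest), so the function fails closed; the
# digest it prints identifies the manifest that was actually signed.
verify_artifact() {
    name=$1; version=$2; fpr=$3; dir=${4:-./artifact}
    ref="icr.io/zpm/$name:$version"
    [ -n "$fpr" ] || { echo "no fingerprint found" >&2; return 1; }
    mkdir -p "$dir" || return 1
    skopeo --override-os linux copy "docker://$ref" "dir:$dir" || return 1
    skopeo standalone-verify "$dir/manifest.json" "$ref" "$fpr" "$dir/signature-1"
}

# Usage: ./verify.sh <oci_artifact_name> <version>, for example: node 16.0.0.2
if [ "$#" -eq 2 ]; then
    fpr=$(import_key_fingerprint zpm) || exit 1
    verify_artifact "$1" "$2" "$fpr"
fi
```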

Verifying OCI artifact signatures by using Cosign

This section describes how to verify the signatures of the OCI artifacts by using Cosign.

Prerequisites

To perform signature verification, the host machine must have the Cosign command line tool installed (it can usually be installed on Linux using the package manager).

The IBM Z and Cloud Modernization Stack public key must exist on the same host machine as above. Copy the text block below exactly as shown into a text editor, and save it in a file named public.key.


Verify the signature

cosign verify --key public.key icr.io/zpm/<OCI artifact name>:<version> --insecure-ignore-tlog=true

Note: When using Cosign 1.x or earlier, do not use the --insecure-ignore-tlog=true flag.

Verification confirmation output will be similar to:

WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for icr.io/zpm/<OCI artifact name>:<version> --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"icr.io/zpm/<OCI artifact name>"},"image":{"docker-manifest-digest":"00000000000000000000000000000000000000000001"},"type":"cosign container image signature"},"optional":{"Subject":""}}]