Verifying the signature of the manifest file

You can use the public key to verify the signature of the manifest file.

This procedure is intended for users with the cloud administrator role.

Procedure

Complete the following steps to verify the signature of the manifest file by using the public key.

To get the manifest file, complete the following steps.

  1. You can get the <BUILD_NAME> by using the hpvs sb status command after the build completes.

    hpvs sb status --config $HOME/hpvs/config/securebuild/secure_build.yml.example
    

    Now you can use the hpvs sb manifest command to download the manifest file of the secure build.

    hpvs sb manifest --config $HOME/hpvs/config/securebuild/secure_build.yml.example --name "${BUILD_NAME}"
    
  2. When the command completes, the manifest file is downloaded as ${MANIFEST}.sig.tbz to the directory from which the hpvs sb manifest command was run. Extract the compressed tar file by using the following command.

    tar -xjf $HOME/hpvs/config/securebuild/secure_build.yml.example/manifest/manifest.${BUILD_NAME}.sig.tbz
    

To verify the signature, complete the following steps.

  1. Retrieve the public key (pubkey) by using the hpvs sb pubkey command.

    hpvs sb pubkey --config $HOME/hpvs/config/securebuild/secure_build.yml.example --name "${BUILD_NAME}"


    When the command completes, the public key is downloaded as ${PUBKEY}.pem to the directory from which the hpvs sb pubkey command was run.

  2. Convert the hex signature to binary by running the following command.

    cat "${MANIFEST}.sig" | xxd -r -p > "${MANIFEST}.sig.bin"
    

    For example, the hex signature is 512 characters long and decodes to a 256-byte binary signature:

    cat manifest.docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478.sig | wc --bytes
    512

    cat manifest.docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478.sig | xxd -r -p > manifest.docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478.sig.bin

    cat manifest.docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478.sig.bin | wc --bytes
    256

  3. Compute the SHA-256 hash of the .tbz file before you provide it as input for verification by running the following command.

    openssl dgst -sha256 -binary -out "${MANIFEST}.tbz.sha256" "${MANIFEST}.tbz"
    

    For example:

    openssl dgst -sha256 -binary -out manifest.docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478.tbz.sha256 manifest.docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478.tbz
    
  4. Verify the signature by using the openssl dgst -verify command.

    openssl dgst -sha256 -verify "${MAN_PUBKEY}" -signature "${MANIFEST}.sig.bin" "${MANIFEST}.tbz.sha256"
    

    For example:

    openssl dgst -sha256 -verify docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478-public.pem -signature manifest.docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478.sig.bin manifest.docker.io.dockeruser.securebuildcontainer32.latest-a5714c9.2020-07-01_09-21-04.706478.tbz.sha256
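The verification steps above (hex signature to binary, SHA-256 digest of the archive, openssl dgst -verify) as one function, added here as an example that is not part of the product documentation. The signing helper is a constructed fixture: it assumes the signer produces an RSA signature over the SHA-256 digest file and ships it as hex text, which is what the 512-character/256-byte sizes and the openssl dgst -verify command on this page imply; file names in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the product documentation: the verification steps
# above as one function, plus a constructed fixture that signs a manifest the
# same way so the check can be run offline. Needs openssl, tar and xxd
# (python3 is used as a fallback for the hex decoding).
set -eu

# Decode a hex-text signature on stdin to raw bytes on stdout (step 2).
hex_to_bin() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -r -p
    else
        python3 -c 'import sys,binascii; sys.stdout.buffer.write(binascii.unhexlify(sys.stdin.read().strip()))'
    fi
}

# verify_manifest BASE PUBKEY.pem
# Expects BASE.tbz (the manifest archive) and BASE.sig (hex signature).
# Returns 0 only when the signature verifies; openssl prints "Verified OK".
verify_manifest() {
    base="$1"; pubkey="$2"
    hex_to_bin < "${base}.sig" > "${base}.sig.bin"
    openssl dgst -sha256 -binary -out "${base}.tbz.sha256" "${base}.tbz"
    # As in step 4, the digest file is the input: openssl hashes it again
    # before checking the signature, so the key signed SHA-256(SHA-256(tbz)).
    openssl dgst -sha256 -verify "$pubkey" -signature "${base}.sig.bin" \
        "${base}.tbz.sha256"
}

# make_signed_manifest DIR
# Constructed fixture (assumption: the signer applies the same double hash
# and ships the RSA signature as hex text). Writes DIR/manifest.tbz,
# DIR/manifest.sig and DIR/public.pem. gzip is used instead of bzip2 to keep
# the dependencies minimal; the signature covers the file bytes either way.
make_signed_manifest() {
    dir="$1"
    mkdir -p "$dir/manifest"
    printf 'image: example/app:latest\n' > "$dir/manifest/manifest.txt"
    tar -czf "$dir/manifest.tbz" -C "$dir" manifest
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private.pem" 2>/dev/null
    openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem"
    openssl dgst -sha256 -binary -out "$dir/manifest.tbz.sha256" "$dir/manifest.tbz"
    openssl dgst -sha256 -sign "$dir/private.pem" -out "$dir/sig.bin" \
        "$dir/manifest.tbz.sha256"
    # 256 signature bytes become 512 hex characters, as in the page's example.
    od -An -v -tx1 "$dir/sig.bin" | tr -d ' \n' > "$dir/manifest.sig"
    rm "$dir/sig.bin" "$dir/manifest.tbz.sha256"
}
```

A valid signature prints Verified OK; any change to the .tbz, the .sig or the public key makes openssl exit with a nonzero status, so the function's return code can gate an automated pipeline.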