Fix Readme
Abstract
Container images for IBM Cloud Pak for Business Automation are signed by using GPG keys. You can verify the integrity of these images by using signature validation when you pull images by using Linux command-line tools. In Red Hat OpenShift, you can create a policy to enforce signature validation when your worker nodes pull images.
Content
Signature validation policy in Red Hat OpenShift
Red Hat OpenShift can be configured to verify container image signatures upon pulling images from a specific location. See Container image signatures for details about Red Hat's signatures of Red Hat OpenShift images. Images for IBM Cloud Pak for Business Automation are signed by using GPG keys, which in turn are signed by a certificate chain with Digicert as its root. See Verification of key material for details about key validation. The signing key changed multiple times - most recently in March 2023. Therefore, multiple keys are configured in the signature policy. The following sections can be used to verify the Cloud Pak for Business Automation signature on the container images.- Creating files containing GPG public keys
- Creating a policy to require signed images for IBM Cloud Pak for Business Automation
- Cleaning up local images and caches
Creating files containing GPG public keys
Create files containing the public GPG keys in the GNU Privacy Guard (GPG) format, which were used to sign container images for IBM Cloud Pak for Business Automation:- For images signed before 21.0.1-IF004:
icp4a-pubkey1.gpg
-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBF0UBwABCADAk2QMLvahhx2owpDyasQo0E36I7VM/YdK1J9lAAgsHBJFvn/P 0PznCfnnFAw2cCj49ftYBN8orxJOSkuQE3p3hz/g21C9jrsrqwoNfNbo5WRUsIxA 0hL9ywV8EvuOLAKdNY0ACOBHv2g82KSa/bZMg3bPA3Ir1jZZ3jjQrAzwAzvhp2Bo v5FwU0xYqm9DwCb/d4yYaEJ28jFWrwGdRnVHuoohu5PyUoQMpt4rwiU1yb3CabaN EpGo4ZF2/07sVdhSv1ieqfQMa/rC6XcFALygt/vxzQDeSkPlxWb8wBqzq/sgI5Jb wG6I55f3EMP67d/vWzA62FNbXk8DWMRLzWDHABEBAAG0BWljcDRhiQE5BBMBCAAj BQJdFAcAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQcjTsJWhPPpnT hgf/ZYjAuPqiiHtJkmm1Nrw5HSCKHMsiHwUc1y5lb+J+xxfz7B3Jm07r/R82h6zI ZNnUTpgWzbEM7NazSAPcfL/KQXd3jw713hIXr2D4wzyMnvVAPJz0U/FUXDkZeTil U04PT4T9BF5b+kIh560TuouY4bot2QFhuBMnKasLMMrXx1PXbySH9OHWc5bnx3J6 j+/d7TMj7MsdVgraoqmPtM68fOQUXyn0FCsx2M4kQRllGp7Wv0rIXVVh5lbT7VFs OP+8LBBj1DEfCuffQc/21jO4DkC3nalWhXW5jAcAnTLlzKWsAxm/YJLfRYzeAOHa mgv9nt/uDfwf0GasJw0cEeNq0A== =9hbX -----END PGP PUBLIC KEY BLOCK-----
- For images signed before March 2023 (up to including 21.0.3-IF018 and 22.0.2-IF002):
icp4a-pubkey2.gpg
-----BEGIN PGP PUBLIC KEY BLOCK----- mQENBGChsgABCADZ1OhWUebPgUYn8V2GDYpWeTKu8Yq2ghAIgooas8mAqdK8Bxid oA6X4KcPY+RwXvVGjIfaVfR2pAqw6ZwwwVZ5CEo1eTtf9gGfdchYE7+beTOGTuzk 5uhz86fpYvmq7TVki2SnpsF40LnqcHGkOyQ1Lqcys4J+6qAYSv43sgOWvlTr/GJS nDbqpES0N/4Lk2s4nb2iPJqB4zpwj1dtWJXvxLReclV5KFgrdpikHTfUgrxt1HbU NgRpXd8XLT8ovoP0I32Qc/ayyUGHon/vdNOMwHDLyXstwkqB70SEU/772bsUA7e0 l+w7T4HubOEEvwoRWtsoNBXWFB++0PxLDurPABEBAAG0BWljcDRhiQE5BBMBCAAj BQJgobIAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQfFz5ejnxNlAc PwgAxA7Jh6a4IKzlkLtI5FXabjZMVu81HjtrgRd4ZxnjciOHwdtjPaNZLd8HoSko MniMWlUdHsyzFiBAQG1ohSg2CzotzwJe5m0zH09bji7P6DLd39tWraolOaqbHdZS gLhNf50xfqVcq8uw/v/mFsc8eSczdrcxVH3wlWzczdmPGHFLnHsbhAlIJ/PLzN1l H/Nlm259peZ7V5uAIcq1wLLKvpRWYU0/weGXfcnQYKHkEPHWDNv+kRjD8Q89Vby+ iDbn11I2GoJQeWYzCA7CXGrdeXO57MHSDOULQh22Aioq3CxmV3CRUCmATMYHw9oT RWIGtCYOx2BHh1HRAeB1vlOzIw== =SIpv -----END PGP PUBLIC KEY BLOCK-----
- For images signed starting March 2023 (starting with 21.0.3-IF019 and 22.0.2-IF003 and later releases):
icp4a-pubkey3.gpg
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGPJZX8BEADAO/bfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo NEZB3/FWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB 5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ/B /J/6jZL/ecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A/cLA6sPh7sDTzSmyJp/27 6ch3MijuxHLAdEFdR/oWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f fDKK7BBMt/csgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn MuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG u1vQuGHJchwcGYRIDvgeYC+lw/q/jECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw B38/boAujKCpCkvZFhP5OIylEmyCfRCZ/0ul8hvzS3kCjG5QSjBVcHolK75++CXb 6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx 0B0mZ3RTUXR92Y/Uy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl/D7g1WywARAQAB tC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t PokCOgQTAQgAJAUCY8llfwIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJA8Jm/wAK CRBxj1JAiOfS1LE1EAC+EnV5Mx3etxyOQT6rgaWlyfoiSmXaxUOZwY5EWt0Zu5P4 mJ30KOdlqBjlLs43uFwxrXY7tjUpcSOpvK18SE4Z5UO3MB0WqKynN4bX2CDuDPuY ltDFsr2+hPpaicKkVw3uSHjxlaX67o/c3Hw9xBpgl1TfBXqjreYzmlCvzER6MZQx R7I+ZmiFqTWAdwfZnvUMmEsfXPpkOFBaVLgDaOjKYBTk0ddz8vf/7rdvTaKizg1j iBrai2JsILI//Ph+xHlh9GejAkbkP/59YVmu/1rVr86WkuWplYjMkiU8eJz2ob52 omzGqRWY6Z2HwT7vV8ffQ1Uo4dKAUqzqoIBVcX58UkC27uMON3/DcTzpk+xjlcvu IxJ4j3vKcaZlgXI55Hd1BLhhj668gYoH8eGTFRBfM8V41sadB5ZL8NnNMPPntcHx ZlljbKkxay44OPGa6Fs/dMkfp4rIFkzriaVkW8s9tCNwZGIS8sI9mQYUzV5Dmurn NVAa0JnoZYgJmk9HjEJVBOOdHcJA/GQkF2tvKSmkFMUsUOTeLaytiG9btOnvf6fz AEFoJLzQldqvba10uT9XxVxEENn7qDO4Nihtk/aDuPQcUeHqvDGvNSqaXq9Dq4T4 ESeuzJRr1X2AKu1WFZdhFSCKr5nF4iChCIj05iAiUar3LqlT3OJxvcAOdWKJzg== =CUKh -----END PGP PUBLIC KEY BLOCK-----
Creating a policy to require signed images for IBM Cloud Pak for Business Automation
A security policy can- Deny images
- Allow images
- Require a trust relationship for pulling images
The following policy is least intrusive: It requires images pulled from cp.icr.io/cp/cp4a
to be signed by using any of the GPG keys listed in the keyPaths
array. Images from any other container registry and even all other parts inside of cp.icr.io
are accepted without signatures.
If you can provide public keys for signature validation of all applications and their dependencies in your Red Hat OpenShiftcluster, you can set the default type to reject
.
policy.json
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports": {
"docker": {
"cp.icr.io/cp/cp4a": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPaths": ["/etc/pki/icp4a-pubkey1.gpg", "/etc/pki/icp4a-pubkey2.gpg", "/etc/pki/icp4a-pubkey3.gpg"]
}
]
}
}
}
You can use a MachineConfig
object to inject the needed configuration files into the nodes: the GPG public key files and the policy.json
file. The following example includes all GPG public key files like /etc/pki/icp4a-pubkey1.gpg
and /etc/containers/policy.json
file inline in the URL encoded format: machine-config.yaml
machine-config.yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
labels:
machineconfiguration.openshift.io/role: worker
name: image-signature
spec:
config:
ignition:
version: 3.2.0
storage:
files:
- contents:
source: >-
data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQENBF0UBwABCADAk2QMLvahhx2owpDyasQo0E36I7VM%2FYdK1J9lAAgsHBJFvn%2FP%0A0PznCfnnFAw2cCj49ftYBN8orxJOSkuQE3p3hz%2Fg21C9jrsrqwoNfNbo5WRUsIxA%0A0hL9ywV8EvuOLAKdNY0ACOBHv2g82KSa%2FbZMg3bPA3Ir1jZZ3jjQrAzwAzvhp2Bo%0Av5FwU0xYqm9DwCb%2Fd4yYaEJ28jFWrwGdRnVHuoohu5PyUoQMpt4rwiU1yb3CabaN%0AEpGo4ZF2%2F07sVdhSv1ieqfQMa%2FrC6XcFALygt%2FvxzQDeSkPlxWb8wBqzq%2FsgI5Jb%0AwG6I55f3EMP67d%2FvWzA62FNbXk8DWMRLzWDHABEBAAG0BWljcDRhiQE5BBMBCAAj%0ABQJdFAcAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQcjTsJWhPPpnT%0Ahgf%2FZYjAuPqiiHtJkmm1Nrw5HSCKHMsiHwUc1y5lb+J+xxfz7B3Jm07r%2FR82h6zI%0AZNnUTpgWzbEM7NazSAPcfL%2FKQXd3jw713hIXr2D4wzyMnvVAPJz0U%2FFUXDkZeTil%0AU04PT4T9BF5b+kIh560TuouY4bot2QFhuBMnKasLMMrXx1PXbySH9OHWc5bnx3J6%0Aj+%2Fd7TMj7MsdVgraoqmPtM68fOQUXyn0FCsx2M4kQRllGp7Wv0rIXVVh5lbT7VFs%0AOP+8LBBj1DEfCuffQc%2F21jO4DkC3nalWhXW5jAcAnTLlzKWsAxm%2FYJLfRYzeAOHa%0Amgv9nt%2FuDfwf0GasJw0cEeNq0A%3D%3D%0A%3D9hbX%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
filesystem: root
mode: 420
path: /etc/pki/icp4a-pubkey1.gpg
- contents:
source: >-
data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQENBGChsgABCADZ1OhWUebPgUYn8V2GDYpWeTKu8Yq2ghAIgooas8mAqdK8Bxid%0AoA6X4KcPY+RwXvVGjIfaVfR2pAqw6ZwwwVZ5CEo1eTtf9gGfdchYE7+beTOGTuzk%0A5uhz86fpYvmq7TVki2SnpsF40LnqcHGkOyQ1Lqcys4J+6qAYSv43sgOWvlTr%2FGJS%0AnDbqpES0N%2F4Lk2s4nb2iPJqB4zpwj1dtWJXvxLReclV5KFgrdpikHTfUgrxt1HbU%0ANgRpXd8XLT8ovoP0I32Qc%2FayyUGHon%2FvdNOMwHDLyXstwkqB70SEU%2F772bsUA7e0%0Al+w7T4HubOEEvwoRWtsoNBXWFB++0PxLDurPABEBAAG0BWljcDRhiQE5BBMBCAAj%0ABQJgobIAAhsvBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQfFz5ejnxNlAc%0APwgAxA7Jh6a4IKzlkLtI5FXabjZMVu81HjtrgRd4ZxnjciOHwdtjPaNZLd8HoSko%0AMniMWlUdHsyzFiBAQG1ohSg2CzotzwJe5m0zH09bji7P6DLd39tWraolOaqbHdZS%0AgLhNf50xfqVcq8uw%2Fv%2FmFsc8eSczdrcxVH3wlWzczdmPGHFLnHsbhAlIJ%2FPLzN1l%0AH%2FNlm259peZ7V5uAIcq1wLLKvpRWYU0%2FweGXfcnQYKHkEPHWDNv+kRjD8Q89Vby+%0AiDbn11I2GoJQeWYzCA7CXGrdeXO57MHSDOULQh22Aioq3CxmV3CRUCmATMYHw9oT%0ARWIGtCYOx2BHh1HRAeB1vlOzIw%3D%3D%0A%3DSIpv%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
filesystem: root
mode: 420
path: /etc/pki/icp4a-pubkey2.gpg
- contents:
source: >-
data:,-----BEGIN%20PGP%20PUBLIC%20KEY%20BLOCK-----%0AmQINBGPJZX8BEADAO%2Fbfaez4vdjXIuZfNFqpOpAOHzs89EhBguxGVHUdx2mtGUZo%0ANEZB3%2FFWVO+IlmW5clZrNSvoBDCF1oV63UDBiZUcoE1lS0HsKQJuhEKxZqBURZOB%0A5E12EjfVbS6xn+R3EubdepBwlNwv1rCq2un4KDhxY7phl0iwA1uWuxn4yU0LKQ%2FB%0A%2FJ%2F6jZL%2FecSjlzITYNsbfOwmCFeRhjmeSxuMobzWd9A%2FcLA6sPh7sDTzSmyJp%2F27%0A6ch3MijuxHLAdEFdR%2FoWvyh4XK04dRRQh2ecsJ2m5+EsS1DeYbFhwdgvMGtBVz6f%0AfDKK7BBMt%2FcsgT9wZX4BD97KDPFdAsANNC55ipYIxMKiDDrsuHJ1eD1UqaUGdTOn%0AMuT+AC1Rfsjcbxwl0FItfdQ0rBUFmHEw1qTScDNa+WSKflj386lPV5hWneOG58UG%0Au1vQuGHJchwcGYRIDvgeYC+lw%2Fq%2FjECqgeLrnJx9JVcMUmkTbDxfTDGe82mIqbiw%0AB38%2FboAujKCpCkvZFhP5OIylEmyCfRCZ%2F0ul8hvzS3kCjG5QSjBVcHolK75++CXb%0A6yYNawmQYVjPk1KuNe6Y+TVl0nsYqtSEjnknO4LRsKX2ZHxkASimFqJCjbAEQiEx%0A0B0mZ3RTUXR92Y%2FUy7XXtusymGleCkW+bHs2F0+9i32l9Nuxgl%2FD7g1WywARAQAB%0AtC9JQk0gQ2xvdWQgUGFrIGZvciBBdXRvbWF0aW9uIDxwc2lydEB1cy5pYm0uY29t%0APokCOgQTAQgAJAUCY8llfwIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJA8Jm%2FwAK%0ACRBxj1JAiOfS1LE1EAC+EnV5Mx3etxyOQT6rgaWlyfoiSmXaxUOZwY5EWt0Zu5P4%0AmJ30KOdlqBjlLs43uFwxrXY7tjUpcSOpvK18SE4Z5UO3MB0WqKynN4bX2CDuDPuY%0AltDFsr2+hPpaicKkVw3uSHjxlaX67o%2Fc3Hw9xBpgl1TfBXqjreYzmlCvzER6MZQx%0AR7I+ZmiFqTWAdwfZnvUMmEsfXPpkOFBaVLgDaOjKYBTk0ddz8vf%2F7rdvTaKizg1j%0AiBrai2JsILI%2F%2FPh+xHlh9GejAkbkP%2F59YVmu%2F1rVr86WkuWplYjMkiU8eJz2ob52%0AomzGqRWY6Z2HwT7vV8ffQ1Uo4dKAUqzqoIBVcX58UkC27uMON3%2FDcTzpk+xjlcvu%0AIxJ4j3vKcaZlgXI55Hd1BLhhj668gYoH8eGTFRBfM8V41sadB5ZL8NnNMPPntcHx%0AZlljbKkxay44OPGa6Fs%2FdMkfp4rIFkzriaVkW8s9tCNwZGIS8sI9mQYUzV5Dmurn%0ANVAa0JnoZYgJmk9HjEJVBOOdHcJA%2FGQkF2tvKSmkFMUsUOTeLaytiG9btOnvf6fz%0AAEFoJLzQldqvba10uT9XxVxEENn7qDO4Nihtk%2FaDuPQcUeHqvDGvNSqaXq9Dq4T4%0AESeuzJRr1X2AKu1WFZdhFSCKr5nF4iChCIj05iAiUar3LqlT3OJxvcAOdWKJzg%3D%3D%0A%3DCUKh%0A-----END%20PGP%20PUBLIC%20KEY%20BLOCK-----
filesystem: root
mode: 420
path: /etc/pki/icp4a-pubkey3.gpg
- contents:
source: >-
data:,%7B%0A%20%20%22default%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%22type%22%3A%20%22insecureAcceptAnything%22%0A%20%20%20%20%7D%0A%20%20%5D%2C%0A%20%20%22transports%22%3A%20%7B%0A%20%20%20%20%22docker%22%3A%20%7B%0A%20%20%20%20%20%20%22cp.icr.io%2Fcp%2Fcp4a%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%22type%22%3A%20%22signedBy%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22keyType%22%3A%20%22GPGKeys%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22keyPaths%22%3A%20%5B%22%2Fetc%2Fpki%2Ficp4a-pubkey1.gpg%22%2C%20%22%2Fetc%2Fpki%2Ficp4a-pubkey2.gpg%22%2C%20%22%2Fetc%2Fpki%2Ficp4a-pubkey3.gpg%22%5D%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%5D%0A%20%20%20%20%7D%0A%20%20%7D%0A%7D
filesystem: root
mode: 420
path: /etc/containers/policy.json
With a URL decoder, you can decode the files into clear text. Apply the MachineConfig
resource:
oc apply -f machine-config.yaml
You can watch worker nodes being rebooted to apply the updated policy:
oc get mcp
If you are running starter pattern, PodDisruptionBudgets on some pods might prevent a node from restarting gracefully. You can force deletion of pods on this node by first identifying a node for which scheduling is disabled:
oc get node
Use the node name to delete pods on this node:
node=...
oc delete pod --field-selector="spec.nodeName=$node" --all-namespaces
topCleaning up local images and caches
Before any test or use of the image signature, you must clean up the container images and the local cache, even if your image pull policy is "always". If an image is cached locally, it is not pulled again, and the image signature verification does not take place.
for node in $(oc get no -l node-role.kubernetes.io/worker --no-headers -o name); do
oc debug $node -- chroot /host sh -c "podman images | grep -e 'cp.icr.io/cp/cp4a' | awk '{print \$3}' | xargs podman rmi -f "
done
Signature validation in Linux command-line tools
skopeo
When it comes to inspecting and transporting images, skopeo is a useful tool as it does not need a docker or a daemon. It can be used easily in continuous integration (CI) pipelines to copy images between two registries, provide credentials for secured registries, or to promote images from a development registry into production.
Verifying a container image signature
If you pull the images from the IBM Entitled Registry with skopeo, you can enable the container image signature verification. The icp4a-pubkey1.gpg
, icp4a-pubkey2.gpg
, and icp4a-pubkey3.gpg
files that you created can be used to verify the images under a certain repository and path.
In the following example, images are pulled from cp.icr.io/cp/cp4a
and verified with the GPG public key that is in the icp4a-pubkey2.gpg
file. All images are rejected, except the signed images in the cp4a
folder.
The keyPaths
array is not supported in podman
and skopeo
. Instead, you have to point to a specific key file by using keyPath
: icp4a-pubkey2.gpg
policy-2.json
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"cp.icr.io/cp/cp4a": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "icp4a-pubkey2.gpg"
}
]
}
}
}
Note: If
cp.icr.io
is specified, all of the images that are not signed under this folder are rejected. The skopeo command has the useful option--policy policy-2.json
, which sets a specific policy file instead of using the default/etc/containers/policy.json
file.
The following sample pulls one image into the local file system and validates its signature.
skopeo --policy ./policy-2.json copy docker://cp.icr.io/cp/cp4a/ban/navigator:21.0.3-IF018-amd64 dir:./ban
When you pull images by using podman
, you can provide a --signature-policy policy1.json
option to point to a policy file.
Referencing the correct public key for signature validation, images can be pulled.
podman pull --signature-policy policy-2.json cp.icr.io/cp/cp4a/ums/ums:21.0.3-IF018-amd64
Trying to pull cp.icr.io/cp/cp4a/ums/ums:21.0.3-IF018-amd64...
Getting image source signatures
Checking if image destination supports signatures
...
Pulling images fails when the policy file references another public key.
podman pull --signature-policy policy-1.json cp.icr.io/cp/cp4a/ums/ums:21.0.3-IF018-amd64
Trying to pull cp.icr.io/cp/cp4a/ums/ums:21.0.3-IF018-amd64...
None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637354, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637429, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
Error: error pulling image "cp.icr.io/cp/cp4a/ums/ums:21.0.3-IF018-amd64": unable to pull cp.icr.io/cp/cp4a/ums/ums:21.0.3-IF018-amd64: unable to pull image: Source image rejected: None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637354, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"7C5CF97A39F13650", Status:gpgme.Error{err:0x7000009}, Timestamp:time.Time{wall:0x0, ext:63812637429, loc:(*time.Location)(0x55fc881421a0)}, ExpTimestamp:time.Time{wall:0x0, ext:62135596800, loc:(*time.Location)(0x55fc881421a0)}, WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
topVerifying key material
This step is optional. You can verify the public keys referenced in this documentation once, but you do not need to repeat this process when you apply policies to multiple clusters.
- If you want to verify the
icp4a-pubkey3.gpg
file, which is used to sign images since March 2023.-
Create a file
icp4a-cert3.pem
and add the following public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIHrDCCBZSgAwIBAgIQDw7smApOleo+HxSb9Nw/nTANBgkqhkiG9w0BAQsFADBp MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0 IDIwMjEgQ0ExMB4XDTIzMDExNjAwMDAwMFoXDTI0MTEwNzIzNTk1OVowgbAxCzAJ BgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMGQXJtb25rMTQw MgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0 aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJuYXRpb25hbCBC dXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCAiIwDQYJKoZIhvcNAQEBBQAD ggIPADCCAgoCggIBAMA79t9p7Pi92Nci5l80Wqk6kA4fOzz0SEGC7EZUdR3Haa0Z Rmg0RkHf8VZU74iWZblyVms1K+gEMIXWhXrdQMGJlRygTWVLQewpAm6EQrFmoFRF k4HkTXYSN9VtLrGf5HcS5t16kHCU3C/WsKra6fgoOHFjumGXSLADW5a7GfjJTQsp D8H8n/qNkv95xKOXMhNg2xt87CYIV5GGOZ5LG4yhvNZ30D9wsDqw+HuwNPNKbImn /bvpyHcyKO7EcsB0QV1H+ha/KHhcrTh1FFCHZ5ywnabn4SxLUN5hsWHB2C8wa0FX Pp98MorsEEy39yyBP3BlfgEP3soM8V0CwA00LnmKlgjEwqIMOuy4cnV4PVSppQZ1 M6cy5P4ALVF+yNxvHCXQUi191DSsFQWYcTDWpNJwM1r5ZIp+WPfzqU9XmFad44bn xQa7W9C4YclyHBwZhEgO+B5gL6XD+r+MQKqB4uucnH0lVwxSaRNsPF9MMZ7zaYip uLAHfz9ugC6MoKkKS9kWE/k4jKUSbIJ9EJn/S6XyG/NLeQKMblBKMFVweiUrvn74 JdvrJg1rCZBhWM+TUq417pj5NWXSexiq1ISOeSc7gtGwpfZkfGQBKKYWokKNsARC ITHQHSZndFNRdH3Zj9TLtde26zKYaV4KRb5sezYXT72LfaX027GCX8PuDVbLAgMB AAGjggIGMIICAjAfBgNVHSMEGDAWgBRoN+Drtjv4XxGG+/5hewiIZfROQjAdBgNV HQ4EFgQUxLMdmDoj+mKloepbI4E15+Bdz6owDgYDVR0PAQH/BAQDAgeAMBMGA1Ud JQQMMAoGCCsGAQUFBwMDMIG1BgNVHR8Ega0wgaowU6BRoE+GTWh0dHA6Ly9jcmwz LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVTaWduaW5nUlNBNDA5 NlNIQTM4NDIwMjFDQTEuY3JsMFOgUaBPhk1odHRwOi8vY3JsNC5kaWdpY2VydC5j b20vRGlnaUNlcnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIx Q0ExLmNybDA+BgNVHSAENzA1MDMGBmeBDAEEATApMCcGCCsGAQUFBwIBFhtodHRw Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwgZQGCCsGAQUFBwEBBIGHMIGEMCQGCCsG AQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wXAYIKwYBBQUHMAKGUGh0 dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0ZWRHNENvZGVT aWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3J0MAwGA1UdEwEB/wQCMAAwDQYJ KoZIhvcNAQELBQADggIBAF/Liexfoe54yBVD5kArBWUM+pLn6QL77paywkbg6knP iBvQMRiyTcCcyVwrBSw+Y0WS2TfJ8PH+0YozF20DD9XCmnQ6ESTdGK5PWN1jnz1p pS6yiksvgYCmqr3bTxnTQRnX7UTNX0JcAKa147T0dXj7cOd1pgZ0u6jDCXkLkQ4H AvM/jFcPohe3zdyHJIbGmCUbV895KqQqBwj8znhL24mSQOTiYZPLh33A/UfqLaPN ws1iGCwViDk5pD4+ygVQ7Fcxx77GrTmqU1DmJrcG2/tkPmJsdHdxI01k1RaExVnL 0kLL7QsagtdxxRpkwbA87s6l2wu+yakdk642OIJqNcH1b+E7mO1tgCR4zzkOrr70 TWbxI8Rgfm6AuVJMwdnbHRCX1vqxf+B1s0MxMeC8Q0ihC17T+j5BE0T6ghgbceE7 oYa49bOv2Gl/mvWtEJdMEg2fhLEdemgUubOf7zGDy5Y2rkIgvHgX2PC7xyxE8gjH gRE2vbo59f/5cbkrttdh0ydmM0qJassAFJBTAtIyQGHEIRhynO3/OkFOeqbnd8Rx cSbCS8NI0lXuoFjvfYGCjRA3p7EdUbc2WZGsfM729cYoJCkT8ReTyxK+/uLD7Vw8 5R+S47yuqQWWHh+nBThRrVNUbwz3DI2Hi5+GlBWH7giDKYxdWzb83pJEYvbvdTHz -----END CERTIFICATE-----
-
Create a file
icp4a-issuer-cert3.pem
and add the following issuer public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIGsDCCBJigAwIBAgIQCK1AsmDSnEyfXs2pvZOu2TANBgkqhkiG9w0BAQwFADBi MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg RzQwHhcNMjEwNDI5MDAwMDAwWhcNMzYwNDI4MjM1OTU5WjBpMQswCQYDVQQGEwJV UzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMTOERpZ2lDZXJ0IFRy dXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0IDIwMjEgQ0ExMIIC IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1bQvQtAorXi3XdU5WRuxiEL1 M4zrPYGXcMW7xIUmMJ+kjmjYXPXrNCQH4UtP03hD9BfXHtr50tVnGlJPDqFX/IiZ wZHMgQM+TXAkZLON4gh9NH1MgFcSa0OamfLFOx/y78tHWhOmTLMBICXzENOLsvsI 8IrgnQnAZaf6mIBJNYc9URnokCF4RS6hnyzhGMIazMXuk0lwQjKP+8bqHPNlaJGi TUyCEUhSaN4QvRRXXegYE2XFf7JPhSxIpFaENdb5LpyqABXRN/4aBpTCfMjqGzLm ysL0p6MDDnSlrzm2q2AS4+jWufcx4dyt5Big2MEjR0ezoQ9uo6ttmAaDG7dqZy3S vUQakhCBj7A7CdfHmzJawv9qYFSLScGT7eG0XOBv6yb5jNWy+TgQ5urOkfW+0/tv k2E0XLyTRSiDNipmKF+wc86LJiUGsoPUXPYVGUztYuBeM/Lo6OwKp7ADK5GyNnm+ 960IHnWmZcy740hQ83eRGv7bUKJGyGFYmPV8AhY8gyitOYbs1LcNU9D4R+Z1MI3s MJN2FKZbS110YU0/EpF23r9Yy3IQKUHw1cVtJnZoEUETWJrcJisB9IlNWdt4z4FK PkBHX8mBUHOFECMhWWCKZFTBzCEa6DgZfGYczXg4RTCZT/9jT0y7qg0IU0F8WD1H s/q27IwyCQLMbDwMVhECAwEAAaOCAVkwggFVMBIGA1UdEwEB/wQIMAYBAf8CAQAw HQYDVR0OBBYEFGg34Ou2O/hfEYb7/mF7CIhl9E5CMB8GA1UdIwQYMBaAFOzX44LS cV1kTN8uZz/nupiuHA9PMA4GA1UdDwEB/wQEAwIBhjATBgNVHSUEDDAKBggrBgEF BQcDAzB3BggrBgEFBQcBAQRrMGkwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp Z2ljZXJ0LmNvbTBBBggrBgEFBQcwAoY1aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu Y29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5jcnQwQwYDVR0fBDwwOjA4oDagNIYy aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VHJ1c3RlZFJvb3RHNC5j cmwwHAYDVR0gBBUwEzAHBgVngQwBAzAIBgZngQwBBAEwDQYJKoZIhvcNAQEMBQAD ggIBADojRD2NCHbuj7w6mdNW4AIapfhINPMstuZ0ZveUcrEAyq9sMCcTEp6QRJ9L /Z6jfCbVN7w6XUhtldU/SfQnuxaBRVD9nL22heB2fjdxyyL3WqqQz/WTauPrINHV UHmImoqKwba9oUgYftzYgBoRGRjNYZmBVvbJ43bnxOQbX0P4PpT/djk9ntSZz0rd KOtfJqGVWEjVGv7XJz/9kNF2ht0csGBc8w2o7uCJob054ThO2m67Np375SFTWsPK 6Wrxoj7bQ7gzyE84FJKZ9d3OVG3ZXQIUH0AzfAPilbLCIXVzUstG2MQ0HKKlS43N b3Y3LIU/Gs4m6Ri+kAewQ3+ViCCCcPDMyu/9KTVcH4k4Vfc3iosJocsL6TEa/y4Z XDlx4b6cpwoG1iZnt5LmTl/eeqxJzy6kdJKt2zyknIYf48FWGysj/4+16oh7cGvm oLr9Oj9FpsToFpFSi0HASIRLlk2rREDjjfAVKM7t8RhWByovEMQMCGQ8M4+uKIw8 y4+ICw2/O/TOHnuO77Xry7fwdxPm5yg/rBKupS8ibEH5glwVZsxsDsrFhsP2JjMM B0ug0wcCampAMEhLNKhRILutG4UI4lkNbcoFUCvqShyepf2gpx8GdOfy1lKQ/a+F SCH5Vzu0nAPthkX0tGFuv2jiJmCG6sivqf6UHedjGzqGVnhO -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/ CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t 9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2 SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd +SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N 0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie 4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1 /YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+ -----END CERTIFICATE-----
-
Run the following commands to verify the GPG key and its issuer with the
Table 1. Commands to verify certificate issuance and validity for icp4a-pubkey3.gpgicp4a-cert3.pem
andicp4a-issuer3.pem
files.Key verification Command Description openssl x509 -text -in icp4a-cert3.pem
Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM, and the "Issuer" is www.digicert.com. The icp4a-cert3.pem certificate is signed by Digicert.
gpg2 -v --list-packets icp4a-pubkey3.gpg
Displays the GPG public key. Verify that pkey[0] is the same as the "Modulus" of icp4a-cert3.pem. The command validates that icp4a-pubkey3.gpg is the public key (in GPG format) for IBM Cloud Pak for Business Automation.
openssl ocsp -no_nonce \ -issuer icp4a-issuer3.pem \ -cert icp4a-cert3.pem \ -VAfile icp4a-issuer3.pem \ -text -url http://ocsp.digicert.com
Verifies that the certificate icp4a.pem comes from Digicert by using the Online Certificate Status Protocol (OCSP).
-
-
Optional: If you want to verify the
icp4a-pubkey2.gpg
file, which was used to sign images starting with 21.0.1-IF004 and before March 2023.-
Create a file
icp4a-cert2.pem
and add the following public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIFdDCCBFygAwIBAgIQDofrKzCsbdRrg6R+pu8vWTANBgkqhkiG9w0BAQsFADBy MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg SUQgQ29kZSBTaWduaW5nIENBMB4XDTE5MDYyNzAwMDAwMFoXDTIxMDcwMTEyMDAw MFowgbAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG QXJtb25rMTQwMgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVz IENvcnBvcmF0aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJu YXRpb25hbCBCdXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMCTZAwu9qGHHajCkPJqxCjQTfojtUz9h0rU n2UACCwcEkW+f8/Q/OcJ+ecUDDZwKPj1+1gE3yivEk5KS5ATeneHP+DbUL2Ouyur Cg181ujlZFSwjEDSEv3LBXwS+44sAp01jQAI4Ee/aDzYpJr9tkyDds8DcivWNlne ONCsDPADO+GnYGi/kXBTTFiqb0PAJv93jJhoQnbyMVavAZ1GdUe6iiG7k/JShAym 3ivCJTXJvcJpto0SkajhkXb/TuxV2FK/WJ6p9Axr+sLpdwUAvKC3+/HNAN5KQ+XF ZvzAGrOr+yAjklvAbojnl/cQw/rt3+9bMDrYU1teTwNYxEvNYMcCAwEAAaOCAcUw ggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5YMB0GA1UdDgQWBBRh HPobjHmPzyDJZsLVBlf/zImp5jAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI KwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NybDMuZGlnaWNlcnQu Y29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0dHA6Ly9jcmw0LmRp Z2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwGA1UdIARFMEMwNwYJ YIZIAYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv bS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYIKwYBBQUHMAGGGGh0 dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZCaHR0cDovL2NhY2Vy dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRENvZGVTaWduaW5n Q0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBACCmH7YUx2O/ 3s599Fk1I8kOJvtkGTccrsrwOEumDiS3BWQJbUKqilr2IhGUA2c1O/zfi0uA3Oem Fm3a4wwgtrvme7AkWJNgIdH9FeHGOVan6mB5E318UJ7WJGErPiqk0Xoq0bFGfsoh oDSX8INKi2hiEa0Aurt+3FZr0IoJkPyscUSoK/mWZx3dUI1+hXozLhfWZjKnC9wj 9pa6OKHqvS0Xfl/VQyzX59d3w4bzcalb+kK5N7/dbBlcopvWF5jCOD+WZxkn2Xhe aGrTT9LluqInVZ7UR5lQ4iDC7v09i37MoeBZiV20xMHUSVTj4F1ecSdthphymute GOc/2vekRHo= -----END CERTIFICATE-----
-
Create a file
icp4a-issuer2.pem
and add the following issuer public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBl MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv b3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQG EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl cnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBT aWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8O Ea9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq 8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRp wsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/p fMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3 jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczye n6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBr MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ RFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmww TwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsq CqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgP MA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHX fgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddf RHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8Al EeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+ L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8 B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHv -----END CERTIFICATE-----
-
Run the following commands to verify the GPG key and its issuer with the
Table 2. Commands to verify certificate issuance and validity for icp4a-pubkey2.gpgicp4a-cert2.pem
andicp4a-issuer2.pem
files.Key verification Command Description openssl x509 -text -in icp4a-cert2.pem
Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM, and the "Issuer" is www.digicert.com. The icp4a-cert2.pem certificate is signed by Digicert.
gpg2 -v --list-packets icp4a-pubkey2.gpg
Displays the GPG public key. Verify that pkey[0] is the same as the "Modulus" of icp4a-cert2.pem. The command validates that icp4a-pubkey2.gpg is the public key (in GPG format) for IBM Cloud Pak for Business Automation.
openssl ocsp -no_nonce \ -issuer icp4a-issuer2.pem \ -cert icp4a-cert2.pem \ -VAfile icp4a-issuer2.pem \ -text -url http://ocsp.digicert.com
Verifies that the certificate icp4a.pem comes from Digicert by using the Online Certificate Status Protocol (OCSP).
-
-
Optional: If you want to verify the
icp4a-pubkey1.gpg
file, which was used to sign images before 21.0.1-IF004.-
Create a file
icp4a-cert1.pem
and add the following public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIFdDCCBFygAwIBAgIQDofrKzCsbdRrg6R+pu8vWTANBgkqhkiG9w0BAQsFADBy MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQg SUQgQ29kZSBTaWduaW5nIENBMB4XDTE5MDYyNzAwMDAwMFoXDTIxMDcwMTEyMDAw MFowgbAxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhOZXcgWW9yazEPMA0GA1UEBxMG QXJtb25rMTQwMgYDVQQKEytJbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVz IENvcnBvcmF0aW9uMREwDwYDVQQLEwhJQk0gQ0NTUzE0MDIGA1UEAxMrSW50ZXJu YXRpb25hbCBCdXNpbmVzcyBNYWNoaW5lcyBDb3Jwb3JhdGlvbjCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAMCTZAwu9qGHHajCkPJqxCjQTfojtUz9h0rU n2UACCwcEkW+f8/Q/OcJ+ecUDDZwKPj1+1gE3yivEk5KS5ATeneHP+DbUL2Ouyur Cg181ujlZFSwjEDSEv3LBXwS+44sAp01jQAI4Ee/aDzYpJr9tkyDds8DcivWNlne ONCsDPADO+GnYGi/kXBTTFiqb0PAJv93jJhoQnbyMVavAZ1GdUe6iiG7k/JShAym 3ivCJTXJvcJpto0SkajhkXb/TuxV2FK/WJ6p9Axr+sLpdwUAvKC3+/HNAN5KQ+XF ZvzAGrOr+yAjklvAbojnl/cQw/rt3+9bMDrYU1teTwNYxEvNYMcCAwEAAaOCAcUw ggHBMB8GA1UdIwQYMBaAFFrEuXsqCqOl6nEDwGD5LfZldQ5YMB0GA1UdDgQWBBRh HPobjHmPzyDJZsLVBlf/zImp5jAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYI KwYBBQUHAwMwdwYDVR0fBHAwbjA1oDOgMYYvaHR0cDovL2NybDMuZGlnaWNlcnQu Y29tL3NoYTItYXNzdXJlZC1jcy1nMS5jcmwwNaAzoDGGL2h0dHA6Ly9jcmw0LmRp Z2ljZXJ0LmNvbS9zaGEyLWFzc3VyZWQtY3MtZzEuY3JsMEwGA1UdIARFMEMwNwYJ YIZIAYb9bAMBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNv bS9DUFMwCAYGZ4EMAQQBMIGEBggrBgEFBQcBAQR4MHYwJAYIKwYBBQUHMAGGGGh0 dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBOBggrBgEFBQcwAoZCaHR0cDovL2NhY2Vy dHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkFzc3VyZWRJRENvZGVTaWduaW5n Q0EuY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggEBACCmH7YUx2O/ 3s599Fk1I8kOJvtkGTccrsrwOEumDiS3BWQJbUKqilr2IhGUA2c1O/zfi0uA3Oem Fm3a4wwgtrvme7AkWJNgIdH9FeHGOVan6mB5E318UJ7WJGErPiqk0Xoq0bFGfsoh oDSX8INKi2hiEa0Aurt+3FZr0IoJkPyscUSoK/mWZx3dUI1+hXozLhfWZjKnC9wj 9pa6OKHqvS0Xfl/VQyzX59d3w4bzcalb+kK5N7/dbBlcopvWF5jCOD+WZxkn2Xhe aGrTT9LluqInVZ7UR5lQ4iDC7v09i37MoeBZiV20xMHUSVTj4F1ecSdthphymute GOc/2vekRHo= -----END CERTIFICATE-----
-
Create a file
icp4a-issuer1.pem
and add the following issuer public certificate in the PEM format.-----BEGIN CERTIFICATE----- MIIFMDCCBBigAwIBAgIQBAkYG1/Vu2Z1U0O1b5VQCDANBgkqhkiG9w0BAQsFADBl MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv b3QgQ0EwHhcNMTMxMDIyMTIwMDAwWhcNMjgxMDIyMTIwMDAwWjByMQswCQYDVQQG EwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNl cnQuY29tMTEwLwYDVQQDEyhEaWdpQ2VydCBTSEEyIEFzc3VyZWQgSUQgQ29kZSBT aWduaW5nIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+NOzHH8O Ea9ndwfTCzFJGc/Q+0WZsTrbRPV/5aid2zLXcep2nQUut4/6kkPApfmJ1DcZ17aq 8JyGpdglrA55KDp+6dFn08b7KSfH03sjlOSRI5aQd4L5oYQjZhJUM1B0sSgmuyRp wsJS8hRniolF1C2ho+mILCCVrhxKhwjfDPXiTWAYvqrEsq5wMWYzcT6scKKrzn/p fMuSoeU7MRzP6vIK5Fe7SrXpdOYr/mzLfnQ5Ng2Q7+S1TqSp6moKq4TzrGdOtcT3 jNEgJSPrCGQ+UpbB8g8S9MWOD8Gi6CxR93O8vYWxYoNzQYIH5DiLanMg0A9kczye n6Yzqf0Z3yWT0QIDAQABo4IBzTCCAckwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNV HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMweQYIKwYBBQUHAQEEbTBr MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wQwYIKwYBBQUH MAKGN2h0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJ RFJvb3RDQS5jcnQwgYEGA1UdHwR6MHgwOqA4oDaGNGh0dHA6Ly9jcmw0LmRpZ2lj ZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmwwOqA4oDaGNGh0dHA6 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRFJvb3RDQS5jcmww TwYDVR0gBEgwRjA4BgpghkgBhv1sAAIEMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCgYIYIZIAYb9bAMwHQYDVR0OBBYEFFrEuXsq CqOl6nEDwGD5LfZldQ5YMB8GA1UdIwQYMBaAFEXroq/0ksuCMS1Ri6enIZ3zbcgP MA0GCSqGSIb3DQEBCwUAA4IBAQA+7A1aJLPzItEVyCx8JSl2qB1dHC06GsTvMGHX fgtg/cM9D8Svi/3vKt8gVTew4fbRknUPUbRupY5a4l4kgU4QpO4/cY5jDhNLrddf RHnzNhQGivecRk5c/5CxGwcOkRX7uq+1UcKNJK4kxscnKqEpKBo6cSgCPC6Ro8Al EeKcFEehemhor5unXCBc2XGxDI+7qPjFEmifz0DLQESlE/DmZAwlCEIysjaKJAL+ L3J+HNdJRZboWR3p+nRka7LrZkPas7CM1ekN3fYBIM6ZMWM9CBoYs4GbT8aTEAb8 B4H6i9r5gkn3Ym6hU/oSlBiFLpKR6mhsRDKyZqHnGKSaZFHv -----END CERTIFICATE-----
-
Run the following commands to verify the GPG key and its issuer with the
Table 3. Commands to verify certificate issuance and validity for icp4a-pubkey1.gpgicp4a-cert1.pem
andicp4a-issuer1.pem
files.Key verification Command Description openssl x509 -text -in icp4a-cert1.pem
Displays the IBM Cloud Pak for Business Automation public certificate. Verify that the "Subject" line is IBM, and the "Issuer" is www.digicert.com. The icp4a-cert1.pem certificate is signed by Digicert.
gpg2 -v --list-packets icp4a-pubkey1.gpg
Displays the GPG public key. Verify that pkey[0] is the same as the "Modulus" of icp4a-cert1.pem. The command validates that icp4a-pubkey1.gpg is the public key (in GPG format) for IBM Cloud Pak for Business Automation.
openssl ocsp -no_nonce \ -issuer icp4a-issuer1.pem \ -cert icp4a-cert1.pem \ -VAfile icp4a-issuer1.pem \ -text -url http://ocsp.digicert.com
Verifies that the certificate icp4a.pem comes from Digicert by using the Online Certificate Status Protocol (OCSP).
-
Scanning for vulnerabilities
All of the Cloud Pak container images pass rigorous image vulnerability scans during the development lifecycle, but new vulnerabilities are discovered almost every day. It is likely that most of the vulnerabilities you find are related to the Linux® kernel or to a few embedded packages. IBM tracks these vulnerabilities and provides fixes for them in fix packs or subsequent releases. To find out more, you can contact IBM support.
topRelated Information
Was this topic helpful?
Document Information
Modified date:
16 March 2023
UID
ibm16959627