z/OS Container Platform


Run z/OS UNIX applications natively on z/OS. Learn, engage and build support around containerized z/OS UNIX applications using industry standard tools and processes.


z/OS Base Container Image Signature Verification

By Neil Johnson posted Wed June 26, 2024 04:20 PM


Digital signatures provide a way to ensure that an image is both authentic (it originated from the expected source) and has integrity (it is what it is expected to be). The zos base container image has an associated sigstore image signature. A verification policy can optionally be established so that copy/pull commands succeed only if the image signature is verified.

Requirements to validate the zos base container image signature:

  • Enable container image sigstore attachments to be read
  • File with public key associated with signature
  • Enable container image verification policy to require signature verification

Enable sigstore attachments

By default, the registries configuration directory is $HOME/.config/containers/registries.d if it exists, otherwise /etc/containers/registries.d. A file in that directory with a .yaml extension must be created or updated with content that sets use-sigstore-attachments for icr.io/zoscp/zos. For example:

docker:
   icr.io/zoscp/zos:
       use-sigstore-attachments: true

Another option is to enable sigstore attachments by default:

default-docker:
   use-sigstore-attachments: true

Use chtag as needed to ensure that the file is tagged appropriately. For example:

chtag -tc1047 /etc/containers/registries.d/default.yaml

Store public key

Create a file with the public key for the zos base container image signature:

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

Use chtag as needed to ensure that the file is tagged appropriately. For example:

chtag -tc1047 /etc/containers/zos_key.pub

Enable verification policy

By default, the policy is read from $HOME/.config/containers/policy.json, if it exists, otherwise from /etc/containers/policy.json. Add an "icr.io/zoscp/zos" entry to the "docker" section of the policy so that it looks like this example:

{
    "transports": {
        "docker": {
            "icr.io/zoscp/zos": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/etc/containers/zos_key.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }
                }
            ]
        }
    }
}

Make sure to use the actual path to your key file instead of /etc/containers/zos_key.pub.
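As an added check that is not part of this post, the following Python script reads a policy.json and reports whether the icr.io/zoscp/zos entry actually enforces a verified sigstore signature (a sigstoreSigned requirement whose keyPath exists, with the matchRepository identity shown above). GOOD_POLICY is a constructed copy of the fragment above; the function names and the findings text are assumptions of this example.

```python
import json
import os

REPO = "icr.io/zoscp/zos"

# Constructed copy of the policy fragment shown on this page.
GOOD_POLICY = json.loads("""
{
    "transports": {
        "docker": {
            "icr.io/zoscp/zos": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/etc/containers/zos_key.pub",
                    "signedIdentity": {"type": "matchRepository"}
                }
            ]
        }
    }
}
""")

def check_policy(policy, repo=REPO, key_exists=os.path.isfile):
    """Return a list of findings; an empty list means the policy requires a
    verified sigstore signature for `repo`. Only keyPath-based rules (as on
    this page) are checked; other key sources are not covered here."""
    findings = []
    rules = policy.get("transports", {}).get("docker", {}).get(repo)
    if not rules:
        return [f"no docker transport entry for {repo}: default policy applies"]
    sig_rules = [r for r in rules if r.get("type") == "sigstoreSigned"]
    if not sig_rules:
        findings.append(f"{repo}: no sigstoreSigned requirement, signature not enforced")
    for rule in sig_rules:
        key_path = rule.get("keyPath")
        if not key_path:
            findings.append(f"{repo}: sigstoreSigned rule has no keyPath")
        elif not key_exists(key_path):
            findings.append(f"{repo}: keyPath {key_path} does not exist")
        ident = rule.get("signedIdentity", {}).get("type")
        if ident != "matchRepository":
            findings.append(f"{repo}: signedIdentity is {ident!r}, expected matchRepository")
    return findings

def check_policy_file(path="/etc/containers/policy.json", repo=REPO):
    """Load a policy.json from disk and run the checks above."""
    with open(path) as f:
        return check_policy(json.load(f), repo)
```

Run `check_policy_file()` on the policy path in use (or `$HOME/.config/containers/policy.json` when that exists); an empty result means the entry is configured as this post describes.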

Verify the signature

With the requirements in place, the container image signature is verified whenever the image is the source of a skopeo copy command or a podman pull command. The following are examples of commands that perform image signature verification:

$ skopeo copy --quiet docker://icr.io/zoscp/zos dir:/tmp/test-sig
$ podman pull --quiet --root=/var/lib/podman/storage icr.io/zoscp/zos
acb41fef011dbeefcad17d71df7135d5d0c9c6dec30e51f61099a66d14f2b9e8

The command ends with an error when the signature cannot be verified. The following is an example of the error when reading container image sigstore attachments is not enabled:

$ podman pull --quiet icr.io/zoscp/zos
Error: Source image rejected: A signature was required, but no signature exists

The following is an example of the error when the public key does not match the signature:

$ skopeo copy docker://icr.io/zoscp/zos dir:/tmp/sig-test
FATA[0000] Source image rejected: cryptographic signature verification failed: crypto/rsa: verification error