Containers
New product name and repository
As of version 11.0.0, IBM Security Verify Access is now known as IBM Verify Identity Access.
Note the container images are now published in a new repository aticr.io/ivia/<image>
.
IBM Verify Identity Access containers are available from the IBM Cloud Container Registry:
Production Containers:
- Web Reverse Proxy
icr.io/ivia/ivia-wrp - AAC and Federation Runtime
icr.io/ivia/ivia-runtime - OpenID Connect Provider
icr.io/isva/verify-access-oidc-provider - Distributed Session Cache
icr.io/ivia/ivia-dsc
Configuration Containers:
- Configuration Container
icr.io/ivia/ivia-config - Snapshot Manager
icr.io/ivia/ivia-snapshotmgr - Verify Identity Access Operator
icr.io/isva/verify-access-operator-bundle
icr.io/isva/verify-access-operator - Configuration Container (Legacy)
icr.io/isva/verify-access
Supporting Containers:
- Open LDAP
icr.io/isva/verify-access-openldap - Postgres SQL
icr.io/ivia/ivia-postgresql
IBM Application Gateway:
- IBM Application Gateway
icr.io/ibmappgateway/ibm-application-gateway - IBM Application Gateway Operator
icr.io/ibmappgateway/ibm-application-gateway-operator
icr.io/ibmappgateway/ibm-application-gateway-operator-bundle - IBM Application Gateway Demo Resource Server
icr.io/ibmappgateway/ibm-application-gateway-demo-resource-server
Additional IBM Application Gateway information is documented here.
For more information about IBM Verify Identity Access Container Support, see the Documentation Hub.
Web Reverse Proxy
The Verify Identity Access Web Reverse Proxy (WRP) Docker image provides the Web Reverse Proxy capabilities of Verify Identity Access.
Modular Version | Container URL and tags |
---|---|
11.0.0 | icr.io/ivia/ivia-wrp:11.0.0.0 |
10.0.8 | icr.io/isva/verify-access-wrp:10.0.8.0_IF2 icr.io/isva/verify-access-wrp:10.0.8.0_20240915-2010 icr.io/isva/verify-access-wrp:10.0.8.0_IF1 icr.io/isva/verify-access-wrp:10.0.8.0 |
10.0.7 | icr.io/isva/verify-access-wrp:10.0.7.0_IF2 icr.io/isva/verify-access-wrp:10.0.7.0_IF1 icr.io/isva/verify-access-wrp:10.0.7.0 |
10.0.6 | icr.io/isva/verify-access-wrp:10.0.6.0_IF1 icr.io/isva/verify-access-wrp:10.0.6.0 |
10.0.5 | icr.io/isva/verify-access-wrp:10.0.5.0_IF1 icr.io/isva/verify-access-wrp:10.0.5.0 |
10.0.4 | icr.io/isva/verify-access-wrp:10.0.4.0_IF2 icr.io/isva/verify-access-wrp:10.0.4.0_IF1 icr.io/isva/verify-access-wrp:10.0.4.0_20220912 icr.io/isva/verify-access-wrp:10.0.4.0 |
10.0.3 | icr.io/isva/verify-access-wrp:10.0.3.1_20220715 icr.io/isva/verify-access-wrp:10.0.3.1_20220517 icr.io/isva/verify-access-wrp:10.0.3.1 icr.io/isva/verify-access-wrp:10.0.3.0 |
10.0.2 | icr.io/isva/verify-access-wrp:10.0.2.0_IF1 icr.io/isva/verify-access-wrp:10.0.2.0 |
10.0.1 and earlier | N/A |
AAC and Federation Runtime
The Verify Identity Access Runtime Docker image provides the Advanced Access Control and Federation capabilities of Verify Identity Access.
Modular Version | Container URL and tags |
---|---|
11.0.0 | icr.io/ivia/ivia-runtime:11.0.0.0 |
10.0.8 | icr.io/isva/verify-access-runtime:10.0.8.0_IF2 icr.io/isva/verify-access-runtime:10.0.8.0_20240915-2010 icr.io/isva/verify-access-runtime:10.0.8.0_IF1 icr.io/isva/verify-access-runtime:10.0.8.0 |
10.0.7 | icr.io/isva/verify-access-runtime:10.0.7.0_IF2 icr.io/isva/verify-access-runtime:10.0.7.0_IF1 icr.io/isva/verify-access-runtime:10.0.7.0 |
10.0.6 | icr.io/isva/verify-access-runtime:10.0.6.0_IF1 icr.io/isva/verify-access-runtime:10.0.6.0 |
10.0.5 | icr.io/isva/verify-access-runtime:10.0.5.0_IF1 icr.io/isva/verify-access-runtime:10.0.5.0 |
10.0.4 | icr.io/isva/verify-access-runtime:10.0.4.0_IF2 icr.io/isva/verify-access-runtime:10.0.4.0_IF1 icr.io/isva/verify-access-runtime:10.0.4.0_20220912 icr.io/isva/verify-access-runtime:10.0.4.0 |
10.0.3 | icr.io/isva/verify-access-runtime:10.0.3.1_20220715 icr.io/isva/verify-access-runtime:10.0.3.1_20220517 icr.io/isva/verify-access-runtime:10.0.3.1 icr.io/isva/verify-access-runtime:10.0.3.0 |
10.0.2 | icr.io/isva/verify-access-runtime:10.0.2.0_IF1 icr.io/isva/verify-access-runtime:10.0.2.0 |
10.0.1 and earlier | N/A |
OpenID Connect Provider
The Security Verify Access OpenID Connect Provider.
Version | Container URL and tags |
---|---|
24.10 | icr.io/isva/verify-access-oidc-provider:24.10 |
24.08 | icr.io/isva/verify-access-oidc-provider:24.08 |
24.06 | icr.io/isva/verify-access-oidc-provider:24.06 |
24.04 | icr.io/isva/verify-access-oidc-provider:24.04 |
23.12 | icr.io/isva/verify-access-oidc-provider:23.12 |
23.03 | icr.io/isva/verify-access-oidc-provider:23.03 |
Distributed Session Cache
The Verify Identity Access Distributed Session Cache (DSC) Docker image provides the distributed session cache capabilities of Verify Identity Access.
IVIA also natively supports Redis as a native DSC equivalent.
Modular Version | Container URL and tags |
---|---|
11.0.0 | icr.io/ivia/ivia-dsc:11.0.0.0 |
10.0.8 | icr.io/isva/verify-access-dsc:10.0.8.0_IF2 icr.io/isva/verify-access-dsc:10.0.8.0_20240915-2010 icr.io/isva/verify-access-dsc:10.0.8.0_IF1 icr.io/isva/verify-access-dsc:10.0.8.0 |
10.0.7 | icr.io/isva/verify-access-dsc:10.0.7.0_IF2 icr.io/isva/verify-access-dsc:10.0.7.0_IF1 icr.io/isva/verify-access-dsc:10.0.7.0 |
10.0.6 | icr.io/isva/verify-access-dsc:10.0.6.0_IF1 icr.io/isva/verify-access-dsc:10.0.6.0 |
10.0.5 | icr.io/isva/verify-access-dsc:10.0.5.0_IF1 icr.io/isva/verify-access-dsc:10.0.5.0 |
10.0.4 | icr.io/isva/verify-access-dsc:10.0.4.0_IF2 icr.io/isva/verify-access-dsc:10.0.4.0_IF1 icr.io/isva/verify-access-dsc:10.0.4.0_20220912 icr.io/isva/verify-access-dsc:10.0.4.0 |
10.0.3 | icr.io/isva/verify-access-dsc:10.0.3.1_20220715 icr.io/isva/verify-access-dsc:10.0.3.1_20220517 icr.io/isva/verify-access-dsc:10.0.3.1 icr.io/isva/verify-access-dsc:10.0.3.0 |
10.0.2 | icr.io/isva/verify-access-dsc:10.0.2.0_IF1 icr.io/isva/verify-access-dsc:10.0.2.0 |
10.0.1 and earlier | N/A |
Configuration Container
Configuration Container
This new container replaces the existing
verify-access
container.
The Verify Identity Access Configuration image contains the services that can be used to configure a Verify Identity Access container environment.
Modular Version | Container URL and tags |
---|---|
11.0.0 | icr.io/ivia/ivia-config:11.0.0.0 |
10.0.8 | icr.io/isva/verify-access-config:10.0.8.0_IF2 icr.io/isva/verify-access-config:10.0.8.0_20240915-2010 icr.io/isva/verify-access-config:10.0.8.0_IF1 icr.io/isva/verify-access-config:10.0.8.0 |
Configuration Container (Legacy)
The Verify Identity Access image contains the services that can be used to configure a Verify Identity Access container environment.
Configuration Container (Legacy)
This container is superseded by the new lightweight
verify-access-config
container in version 10.0.8. Future versions of Verify Identity Access will not include theverify-access
container andverify-access-config
must be used instead.
In versions earlier than 10.0.4, this container can also operate as the web reverse proxy and the AAC and federation runtime. For more information, see the Documentation Center for details on migrating to the improved lightweight containers)
Modular Version | Container URL and tags |
---|---|
10.0.8 | icr.io/isva/verify-access:10.0.8.0_IF2 icr.io/isva/verify-access:10.0.8.0_20240915-2010 icr.io/isva/verify-access:10.0.8.0_IF1 icr.io/isva/verify-access:10.0.8.0 |
10.0.7 | icr.io/isva/verify-access:10.0.7.0_IF2 icr.io/isva/verify-access:10.0.7.0_IF1 icr.io/isva/verify-access:10.0.7.0 |
10.0.6 | icr.io/isva/verify-access:10.0.6.0_IF1 icr.io/isva/verify-access:10.0.6.0 |
10.0.5 | icr.io/isva/verify-access:10.0.5.0_IF1 icr.io/isva/verify-access:10.0.5.0 |
10.0.4 | icr.io/isva/verify-access:10.0.4.0_IF2 icr.io/isva/verify-access:10.0.4.0_IF1 icr.io/isva/verify-access:10.0.4.0_20220912 icr.io/isva/verify-access:10.0.4.0 |
10.0.3 | icr.io/isva/verify-access:10.0.3.1_20220715 icr.io/isva/verify-access:10.0.3.1_20220517 icr.io/isva/verify-access:10.0.3.1 icr.io/isva/verify-access:10.0.3.0 |
10.0.2 | icr.io/isva/verify-access:10.0.2.0_IF1 icr.io/isva/verify-access:10.0.2.0 |
10.0.1 | icr.io/isva/verify-access:10.0.1.0_IF1 icr.io/isva/verify-access:10.0.1.0_20210226 icr.io/isva/verify-access:10.0.1.0 |
10.0.0 | icr.io/isva/verify-access:10.0.0.1 icr.io/isva/verify-access:10.0.0.0_20200810 icr.io/isva/verify-access:10.0.0.0_20200723 icr.io/isva/verify-access:10.0.0.0 |
Operator
The Verify Identity Access Operator for Kubernetes Deployment.
Modular Version | Container URL and tags |
---|---|
22.10 | icr.io/isva/verify-access-operator-bundle:22.10.0 icr.io/isva/verify-access-operator:22.10.0 |
21.10 | icr.io/isva/verify-access-operator-bundle:21.10.0 icr.io/isva/verify-access-operator:21.10.0 |
Snapshot Manager
The Verify Identity Access container for snapshot manager.
Modular Version | Container URL and tags |
---|---|
11.0.0 | icr.io/ivia/ivia-snapshotmgr:11.0.0.0 |
10.0.8 | icr.io/isva/verify-access-snapshotmgr:10.0.8.0_IF2 icr.io/isva/verify-access-snapshotmgr:10.0.8.0_20240915-2010 icr.io/isva/verify-access-snapshotmgr:10.0.8.0_IF1 icr.io/isva/verify-access-snapshotmgr:10.0.8.0 |
10.0.7 | icr.io/isva/verify-access-snapshotmgr:10.0.7.0_IF2 icr.io/isva/verify-access-snapshotmgr:10.0.7.0_IF1 icr.io/isva/verify-access-snapshotmgr:10.0.7.0 |
10.0.6 | icr.io/isva/verify-access-snapshotmgr:10.0.6.0_IF1 icr.io/isva/verify-access-snapshotmgr:10.0.6.0 |
10.0.5 | icr.io/isva/verify-access-snapshotmgr:10.0.5.0 |
10.0.4 | icr.io/isva/verify-access-snapshotmgr:10.0.4.0 |
10.0.3 | icr.io/isva/verify-access-snapshotmgr:10.0.3.1_IF1 icr.io/isva/verify-access-snapshotmgr:10.0.3.1 icr.io/isva/verify-access-snapshotmgr:10.0.3.0 |
10.0.2 | icr.io/isva/verify-access-snapshotmgr:10.0.2.0 |
10.0.1 and earlier | N/A |
OpenLDAP
The verify-access-openldap image extends the osixia/openldap Docker image by adding the Verify Identity Access "secAuthority=Default" schema and suffix to the registry. This image can be used to quickly build a user registry for use with Verify Identity Access in non-production environments.
Modular Version | Container URL and tags |
---|---|
10.0.6 | icr.io/isva/verify-access-openldap:10.0.6.0_IF1 icr.io/isva/verify-access-openldap:10.0.6.0 |
10.0.5 | icr.io/isva/verify-access-openldap:10.0.5.0_IF1 icr.io/isva/verify-access-openldap:10.0.5.0 |
10.0.4 | icr.io/isva/verify-access-openldap:10.0.4.0_IF2 icr.io/isva/verify-access-openldap:10.0.4.0_IF1 icr.io/isva/verify-access-openldap:10.0.4.0 |
10.0.3 | icr.io/isva/verify-access-openldap:10.0.3.1_20220715 icr.io/isva/verify-access-openldap:10.0.3.1 icr.io/isva/verify-access-openldap:10.0.3.0 |
10.0.2 | icr.io/isva/verify-access-openldap:10.0.2.0_IF1 icr.io/isva/verify-access-openldap:10.0.2.0 |
10.0.1 | icr.io/isva/verify-access-openldap:10.0.1.0_IF1 icr.io/isva/verify-access-openldap:10.0.1.0 |
10.0.0 | icr.io/isva/verify-access-openldap:10.0.0.1 icr.io/isva/verify-access-openldap:10.0.0.0 |
PostgreSQL
The verify-access-postgresql image extends the official postgres Docker image by adding SSL support and the Verify Identity Access schema to the image. This image can be used to quickly deploy a database for use with the Federation and Advanced Access Control offerings of Verify Identity Access in non-production environments.
Modular Version | Container URL and tags |
---|---|
11.0.0 | icr.io/ivia/ivia-postgresql:11.0.0.0 |
10.0.8 | icr.io/isva/verify-access-postgresql:10.0.8.0_IF2 icr.io/isva/verify-access-postgresql:10.0.8.0_20240915-2010 icr.io/isva/verify-access-postgresql:10.0.8.0_IF1 icr.io/isva/verify-access-postgresql:10.0.8.0 |
10.0.7 | icr.io/isva/verify-access-postgresql:10.0.7.0_IF2 icr.io/isva/verify-access-postgresql:10.0.7.0_IF1 icr.io/isva/verify-access-postgresql:10.0.7.0 |
10.0.6 | icr.io/isva/verify-access-postgresql:10.0.6.0_IF1 icr.io/isva/verify-access-postgresql:10.0.6.0 |
10.0.5 | icr.io/isva/verify-access-postgresql:10.0.5.0_IF1 icr.io/isva/verify-access-postgresql:10.0.5.0 |
10.0.4 | icr.io/isva/verify-access-postgresql:10.0.4.0_IF2 icr.io/isva/verify-access-postgresql:10.0.4.0_IF1 icr.io/isva/verify-access-postgresql:10.0.4.0 |
10.0.3 | icr.io/isva/verify-access-postgresql:10.0.3.1_20220715 icr.io/isva/verify-access-postgresql:10.0.3.1 icr.io/isva/verify-access-postgresql:10.0.3.0 |
10.0.2 | icr.io/isva/verify-access-postgresql:10.0.2.0_IF1 icr.io/isva/verify-access-postgresql:10.0.2.0 |
10.0.1 | icr.io/isva/verify-access-postgresql:10.0.1.0_IF1 icr.io/isva/verify-access-postgresql:10.0.1.0 |
10.0.0 | icr.io/isva/verify-access-postgresql:10.0.0.1 icr.io/isva/verify-access-postgresql:10.0.0.0 |
Verifying Image Signatures
From December 2022, all IBM Verify Identity Access container images are signed so that their origin and content can be verified.
The following PGP key can be used for verifying IBM Verify Identity Access container images.
In the steps that follow, this key is referred to as public.gpg
.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGKxCgABEADH8H3skpjrOFvaOIm39tc2DcP4UhfeZxc36eQRKuWYCFtcC8RC
8Rdt2N9vxItRR35UHWFswuyJVFie/YgYFRW93JqApSE3qvEmzB7dUofeSyeYsiXU
VxziYZbPHCOI9GD8TQs1dG+SvTg23FGFbEweGcDvRbmEWM6o+eT9SotPlr+GApmN
g5LmR6V0K8WFG03BopZeqyky4hCgyoMGh1dqaU0kKwFOs6Zn0Dny6byPJJFpiQz2
yuINsInazGMywh6SwB1MAIoLAyiIPVKEAOCr/KRmLFU1tBFk5zafkaLOLk3jzql3
O33ldIH7ZYt6qdFxEuuiClklHXnWLI3hn3EZZ4HALuBrSU3njuTuERLs1YWq5BmS
xP8yASmKmYD0eeXXwOJtG7xmPNaABfhuXjzCI8KodQiBHrU1KXfvFu1m0308cXUl
IjRCMKwBjX/+JMKokFIc1iWYw6pvFsFlHXzCryCNMMkXGAhKuwcubKxFoNdjv1Fw
cq7iw6KSQPOxTGf8L3jPze81WhLIGDaRwgENK4iVxmY1AuzuWKfGsGeCRqMP8i3c
GeEMyTqmbAFtbB81EgWPTcOB0nBF9xqKSUphIog0UBkEVhVH2Le3/xT2nGIuVcCP
ch8W6+ZNVY/SnHLZFGKznPoWfAg7NaloZHQPYaSGYtYJw47R2hErASc18QARAQAB
tBRJQk1Db2RlU2lnbkNlcnRCMDYyMokCOQQTAQgAIwUCYrEKAAIbLwcLCQgHAwIB
BhUIAgkKCwQWAgMBAh4BAheAAAoJEA4BfqVXI1g0IOcQAI8Uz7BJh0XsC44U2a+F
0xWvN9Iy8agyiWB13MGPNEK10Aap6TMAYx89Fkl96VXf2f9+zRUauIbR6MiJnsAw
7Pvv9u6vw8tspEKgceosW5RprtKN0yyHCWUsmsYA8dWudLSauZgIZo2LR7gsz5Xe
U3C8g3Q5vFuHHESANIKLgoTUPKj3+arWR0ZZqMM/F6Ls457FZBplsf/3KFETmeMb
OUzxUxC8k5Ez8ygNFLqtM5wHATcgGZMCDghAiZdZ7RcO46+MSnunrKQZBOHBdFSc
YPmb2u2wk7wo4aLvtjLcsitRcjhDgeWxnzLChbA2Gec9d8SU6E97BwkFeb/J08Tz
zFgKEdw9yGoZUE4qPa3E6tk8u9eP/ffPmtjXZ+A08dpi1wbnd2/EkA06hC/nD28L
hyTeKnL8HxbDgbU3yY22vVRJoG4mF6cEWsvin+X3d2X2+CJRuw8c+jyP4Qk30rQT
B1v5/0UZG191ENyUqUAREcBNEKm99dlqaxKcTrD08C8p2rB961v/MJDw27FExQrz
rf2w9wr5Hv4jMWY7lkityS0hfGp1wi63cRhhAJ1QY6V/5LDesgFpXmfl4tKIpkV1
xEDlteYX8VZj5ht7w14zohAl516GHJuKVL2To9Swe98U+/x+1eDxb28hT2PqbCr9
jBnteIsLzl4hCi86VcI1vpmZ
=49Ad
-----END PGP PUBLIC KEY BLOCK-----
From March 2023, use the following PGP key to verify IBM Verify Identity Access container images.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGQi5+YBEAC5xD1R8ui5UKrsoIZv3CPWanF+iM2v4MIsQ5aHDfjU4ILOX3KI
WSSaam+p3wCHC58WXD/M6RAIDgMQs2unbMpdymxp0jlZ5mtuJ84V+jwn1s7cDal1
frjyI0tFrCUh6ZnnwL5/X28BFnvkERwUUp5r3QXdNQLXn/WaZeXanuV9Go8GjiBc
ic82Sbeb/n0/j0Cw6qRsMlsJwc5xVgqoRYhMKFodcvI6+/mZbtHy5907p2rZpjAu
9aOQt2qbxPruQj6g4WYI+gv07pNuiH7lIZMhYoudOh31L3K4xwepdm+9n45o48py
hxXtr8WASMzk3YdJUJ6s+9jSjWtLxLHXxt/TB30Q0rDRYIRcC5gIlp2NnOWLYkCd
Z5DvJHKxvhdb5DM8WAtnpo/oErMMbhpS0qs0o8tY9tjA3iGYxBQfuwvBVrOoz6l7
sGlgBayYwFGoKQO/jNcHy/ZjgwXTc9htJ39O/7G2wftZ+EEdV7W7FXWKC4Jnlle1
AnyPvrSq4b+pEAAHIwcn3WOEjKX5JQCN/RhOmWypckZXRCaOPFYkrQ6sTNAvrkJl
oxI88dnOG1Djq0M9ugFuPuAV7WCfP92hnUnln8b6+qNRJIzJmW7U+SoHI5nezE5p
HkHn2f9ZJRqxSXnGtmjCkNVrX0ky2OI/a9FutQMJivt+HhMU9yacMlfbPwARAQAB
tCZJQk0gU2VjdXJpdHkgVmVyaWZ5IDxwc2lydEB1cy5pYm0uY29tPokCOgQTAQgA
JAUCZCLn5gIbDwULCQgHAgYVCgkICwIEFgIDAQIeAQUJAAAAAAAKCRAoldmCfU8c
HH8UD/kBzVtaea0Yy2Hl0V/I6thYN8hLbBWoZkCTLyZfP19r/ZvHKoqxzyQ/8dC9
xeQjNfobFtXVRSmeUEfikgM3QbV1nbIk+pl30Ck9GkNIoEdvEKKTlvgyi1ZJ0d60
CDw6hE6BY4rjQIRoHpRbWDq674A8gekAUl3pS0tPgMKHPkZkTzdFzZm9vOcAhLP+
h+NhVIGCG5VPegNhrTel77ubhhk5eIIJsX/PM1YgRC9hAljrir5DUQFRsc1OBj57
6i3ObkwmN8DY8smakqLj78gmeU5wWq4WH72527JwevBNzfFArg9tA2aEOeUaoFPy
KhDXARQmIAcpvs3iO753GVcDLOPClGjCWs3b50yy2adY34aYE7ElRcop4jt9GBn7
PbPSDJ9+CGWd2leZen+RmyGrW1v2uCjQzV5ZJz4Ky8iU4EVse+ttQZSOrH1MxRk8
16Cx0axb34mRKuFEVFxHNkNLecszfe2xYExRdTvp8Yc0In3m38tHt3mF2Kh5bzjf
DxXD8YLDYsMWNxBVk1jrhSYR7j8taKdeFzAhtm7Ezp1E0iEm9r0mNYwBVLOkD4PG
PaBFwhP1n80lGa3TpOvE23P6b6UkcL5qHVwVIaiUp1jz+ye1tO/B0hIPdF1kYDt0
dGmqCEMXGzFzxfNUzZsKV9fcxl9kHM0EZ03wB5XiOrrhyYC/5Q==
=X68Z
-----END PGP PUBLIC KEY BLOCK-----
Automatic Signature Verification Enforcement
Some container environments can be configured with policy that enforces signature verification on all images that are pulled into the environment.
For example, in a Docker environment to enable automatic verification of image signatures, update the /etc/containers/policy.json
file to contain the following entries:
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"icr.io": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "<path to public.gpg>"
}
]
}
}
}
Manual Signature Verification
Pre-requisites
Manual signature validation requires gpg2 and skopeo
-
Install
gpg2
if it is not already installed, by using the following commands- For Debian-based systems:
[demouser@demovm ~]$ sudo apt-get install gnupg2 -y
- For rpm based systems:
[demouser@demovm ~]$ sudo dnf install gnupg2 -y
- For MacOS systems:
[demouser@demovm ~]$ brew install gpg2
- Check the version of
gpg2
, make sure its GPG 2.1 or later.
[demouser@demovm ~]$ sudo gpg2 --version
-
Install
skopeo
, refer to the following link for instructions: Installing Skopeo- Check the version of
skopeo
, make sure that it is version 0.1.40.
[demouser@demovm ~]$ sudo skopeo --version
- Check the version of
-
Import the provided public key
public.gpg
using thegpg2
command.[demouser@demovm ~]$ sudo gpg2 --import <public.gpg> gpg: key 0E017555557235834: public key "IBMCodeSignCertSample" imported gpg: Total number processed: 1 gpg: imported: 1
- Retrieve the fingerprint by using the following command. The fingerprint is E0A1E35393BA0EBE5E5E04220E017EA557235834 in the following example.
[demouser@demovm ~]$ sudo gpg2 --list-keys /home/.gnupg/pubring.kbx ------------------------------- pub rsa4096 2022-06-21 [SCEA] E0A1E35393BA0EBE5E5E04220E017EA557235834 uid [ unknown] IBMCodeSignCertSample
From March 2023, Import the new public key
public.gpg
using thegpg2
command.[demouser@demovm ~]$ sudo gpg2 --import <public.gpg> gpg: key 2895D9827D4F1C1C: public key "IBM Security Verify Sample" imported gpg: Total number processed: 1 gpg: imported: 1
- Retrieve the fingerprint by using the following command. The fingerprint is 2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C in the following example.
[demouser@demovm ~]$ sudo gpg2 --list-keys /home/.gnupg/pubring.kbx ------------------------ pub rsa4096 2023-03-28 [SCE] 2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C uid [ unknown] IBM Security Verify Sample
Procedure
To verify the image signature, download the image by using the skopeo
command and then validate it using the fingerprint of public.pgp
which was retrieved in the previous steps.
Use skopeo
to download the image. The format of the skopeo
command is:
skopeo copy docker://<image-tag> dir:<image-dir>
Where:
<image-dir>
is a local file system path where the image content is stored.<image-tag>
is the complete tag for the image to verify.
For example:
[demouser@demovm ~]$ sudo skopeo copy \
docker://icr.io/isva/verify-access-oidc-provider:23.03 \
dir:/home/demouser/tmp/container
Use skopeo
to verify the image signature. The format of the skopeo
command is:
skopeo standalone-verify <image-dir>/manifest.json <image-tag> <fingerprint> <image-dir>/signature
Where:
<image-dir>
is a local file system path where the image content was stored during theskopeo copy
command.<image-tag>
is the complete tag of the image pulled during theskopeo copy
command.<fingerprint>
is the fingerprint ofpublic.pgp
.
If the signature is verified successfully, the Signature verified
message is displayed.
For example:
[demouser@demovm ~]$ sudo skopeo standalone-verify /home/demouser/tmp/container/manifest.json \
icr.io/isva/verify-access-oidc-provider:23.03 \
2CFC91AD5ADA21966710BE4C2895D9827D4F1C1C \
/home/demouser/tmp/container/signature-1
Signature verified, digest sha256:5c701fbbf9b63a2db17026cbd5104c234a883cbb81df648185696378a9259bd2
Updated 1 day ago