As of v10.10, CloudBees CD/RO Docker images are signed so that you can verify their origin and authenticity. Verifying the origin and authenticity of the Docker images is an optional step in the installation process, but it is recommended, because it helps prevent you from installing tampered or malicious images.
To verify the CloudBees CD/RO Docker images, you must install Cosign.
Cosign is a component of Sigstore, a collection of projects designed to make signing and verifying software easier. The following task uses the cosign verify command.
To verify the authenticity of CloudBees CD/RO Docker images:
- To verify the Docker image against the CloudBees public key, run:
  cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub docker.io/cloudbees/<product-docker-repo>:<image-tag>
- (OPTIONAL) The previous step used the hosted copy of the key:
  cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub
  Alternatively, you can use a local copy of cloudbees.pub:
  cosign verify --key path/to/local/cloudbees.pub
  To save a local copy of cloudbees.pub, run:
  wget https://cdn.cloudbees.com/keyring/cloudbees.pub
Confirming and troubleshooting Docker image verification
This section describes positive and negative examples of Docker image verification.
The following is a positive example of cosign verify used to verify the cbflow-web Docker image for tag 9.1.0.138283_1.0.3_20191027 against the CloudBees public key:
cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub docker.io/cloudbees/cbflow-web:9.1.0.138283_1.0.3_20191027

Verification for index.docker.io/cloudbees/cbflow-web:9.1.0.138283_1.0.3_20191027 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"index.docker.io/cloudbees/cbflow-web"},"image":{"docker-manifest-digest":"sha256:c3d278d7d47ae6da3611418148af6591b192a82195237e8aef72d0e0a179c2bf"},"type":"cosign container image signature"},"optional":null}]
The following is a negative example of cosign verify, where the signature cannot be verified against the supplied key:

cosign verify --key cosign.pub docker.io/cloudbees/cbflow-web:9.1.0.138283_1.0.3_20191027

Error: no matching signatures: invalid signature when validating ASN.1 encoded signature
main.go:62: error during command execution: no matching signatures: invalid signature when validating ASN.1 encoded signature

This is typically caused by an incorrect public key path or URL being passed to cosign verify. In this example, the cosign.pub key was used instead of cloudbees.pub or https://cdn.cloudbees.com/keyring/cloudbees.pub.
The following is a negative example of cosign verify, where the specified Docker image cannot be located:

cosign verify --key https://cdn.cloudbees.com/keyring/cloudbees.pub docker.io/cloudbees/cbflow-web:9.2.0.138283_1.0.3_20191027

Error: entity not found in registry
main.go:62: error during command execution: entity not found in registry

This is typically caused by an incorrect Docker image repository URL or tag being passed. In this example, the image tag 9.2.0.138283_1.0.3_20191027 does not exist for cbflow-web.
If the image you are trying to verify is not validated as authentic, and you have confirmed that you are using the correct key, repository URL, and image tag, contact CloudBees Support.
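The verification step above and the outputs shown in this troubleshooting section, worked through as an added shell example; this script is not part of this page or of CloudBees' own tooling. It assumes cosign is on PATH for the live call and that a successful run prints a JSON payload shaped like the positive example. The function names verify_cloudbees_image, check_signature_payload and pinned_reference are chosen here, and pulling the image by its verified digest is an extra hardening step that the procedure itself does not describe. The sample payloads at the bottom are constructed from the outputs shown above, so the checks run offline.

```shell
#!/bin/sh
# Added example (not CloudBees' own tooling): wrap the cosign verify step
# from the procedure and check its JSON output before an image is used.
set -u

# Assumed fixed here: the hosted CloudBees public key named in the procedure.
CLOUDBEES_KEY_URL="https://cdn.cloudbees.com/keyring/cloudbees.pub"

# Run the verification step for one CloudBees CD/RO image.
# Needs cosign on PATH and network access, so it is not executed below.
# Usage: verify_cloudbees_image <product-docker-repo> <image-tag>
verify_cloudbees_image() {
    cosign verify --key "$CLOUDBEES_KEY_URL" "docker.io/cloudbees/$1:$2"
}

# Inspect the JSON payload cosign prints on success. Two things are checked:
# the docker-reference inside the signed claim names the repository we asked
# for (not merely "some" signed image), and the manifest digest is a full
# sha256 value. On success the digest is printed so callers can pin to it.
# Error text from cosign contains neither field, so it is rejected.
# Usage: check_signature_payload <payload> <expected-docker-reference>
check_signature_payload() {
    payload="$1"
    expected_ref="$2"
    ref=$(printf '%s\n' "$payload" \
        | sed -n 's/.*"docker-reference":"\([^"]*\)".*/\1/p')
    digest=$(printf '%s\n' "$payload" \
        | sed -n 's/.*"docker-manifest-digest":"\(sha256:[0-9a-f]\{64\}\)".*/\1/p')
    [ "$ref" = "$expected_ref" ] || return 1
    [ -n "$digest" ] || return 1
    printf '%s\n' "$digest"
}

# Build an immutable reference (repo@digest) from a verified digest, so the
# image pulled later is exactly the manifest whose signature was checked,
# even if the mutable tag is moved afterwards.
# Usage: pinned_reference <docker-reference> <digest>
pinned_reference() {
    printf '%s@%s\n' "$1" "$2"
}

# Constructed samples: the payload from the positive example above, and the
# error text cosign prints when the supplied key does not match the signature.
SAMPLE_OK='[{"critical":{"identity":{"docker-reference":"index.docker.io/cloudbees/cbflow-web"},"image":{"docker-manifest-digest":"sha256:c3d278d7d47ae6da3611418148af6591b192a82195237e8aef72d0e0a179c2bf"},"type":"cosign container image signature"},"optional":null}]'
SAMPLE_BAD='Error: no matching signatures: invalid signature when validating ASN.1 encoded signature'

if digest=$(check_signature_payload "$SAMPLE_OK" "index.docker.io/cloudbees/cbflow-web"); then
    echo "verified: $(pinned_reference index.docker.io/cloudbees/cbflow-web "$digest")"
else
    echo "verification failed for cbflow-web" >&2
fi

if check_signature_payload "$SAMPLE_BAD" "index.docker.io/cloudbees/cbflow-web" >/dev/null; then
    echo "unexpected: error text accepted as a signature" >&2
else
    echo "rejected: cosign reported no matching signatures"
fi
```

In practice the two pieces are chained: verify_cloudbees_image cbflow-web <image-tag> produces the payload, check_signature_payload confirms it names the repository you asked for, and the printed digest is what you pass to docker pull, so a later tag move cannot swap in a different, unverified manifest.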