Verifying the CloudBees CI on traditional platforms Docker images


CloudBees supports running CloudBees CI on traditional platforms in Docker containers, subject to the following constraints:

  • The Docker image must be the image provided by CloudBees. CloudBees CI on traditional platforms includes the following Docker containers:

    • cloudbees/cloudbees-core-oc: Operations center

    • cloudbees/cloudbees-core-cm: Client controller

  • The Docker Engine used to run these containers must run on a Linux platform and must be a standalone Docker Engine provided by Docker, Inc. or by a Linux distribution provider (such as Red Hat or CentOS).

  • The Docker environment cannot be managed by a container orchestration tool or cluster manager such as Kubernetes, OpenShift, Docker Swarm, Mesos, or Amazon ECS.

The CloudBees CI Docker images are signed, so that you can verify their origin and authenticity. Verifying the origin and authenticity of public Docker images is an optional step in the installation process. It can help ensure that you are not the victim of a "man-in-the-middle" attack or other types of image tampering.

You should verify the signatures before you run the Docker images. If you have an internal Docker registry that pulls images to use internally, you might verify the images at that time.

In order to verify the CloudBees CI Docker images, you must download Cosign verification software. Cosign is a component of the Sigstore solution, a collection of projects designed to make software signatures easier.

You create a text file using the CloudBees public key, and then run the Cosign verification process. The CloudBees public key is as follows:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj
IzA5r4X2TNQJPmInN7gmcQglubRgfA/wNLtli/3wR3jepeHulb33SbWoNw==
-----END PUBLIC KEY-----

To verify the authenticity of CloudBees CI Docker images, complete the following steps:

  1. Create a text file that contains the CloudBees public key. Cosign must be able to access the file to verify the images or the verification will fail.

    You can copy and paste the key into a text file, or you can use the following command to create the text file and populate it with the CloudBees public key:

    echo -e "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj\nIzA5r4X2TNQJPmInN7gmcQglubRgfA/wNLtli/3wR3jepeHulb33SbWoNw==\n-----END PUBLIC KEY-----" > cloudbees.key

  2. Type one of the following commands to verify the images.

    • To verify the operations center image for version 2.332.1.4, type:

      cosign verify --key cloudbees.key cloudbees/cloudbees-core-oc:2.332.1.4

    • To verify the client controller image for version 2.332.1.4, type:

      cosign verify --key cloudbees.key cloudbees/cloudbees-core-cm:2.332.1.4

    Cosign responds with a message that indicates whether the images are validated as authentic. An exit code of 0 indicates that the images are authentic. If the images are not validated as authentic, you should contact CloudBees Support.
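As an added example (not CloudBees' own tooling), the following shell script wraps the two documented cosign commands so that a job which pulls the images into an internal registry can gate on the result. The function names and the exit codes 2 and 3 are this example's own conventions; the exit code 0 for a validated image is the one the page describes.

```shell
#!/usr/bin/env bash
# Added example, not CloudBees tooling: wraps the documented cosign
# verification so a registry-pull job can gate on the result.
# Function names and the exit codes 2 and 3 are this example's own.

# write_cloudbees_key FILE: writes the public key from the page with
# printf, which is portable where `echo -e` is not (dash prints "-e").
write_cloudbees_key() {
  printf '%s\n' \
    '-----BEGIN PUBLIC KEY-----' \
    'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj' \
    'IzA5r4X2TNQJPmInN7gmcQglubRgfA/wNLtli/3wR3jepeHulb33SbWoNw==' \
    '-----END PUBLIC KEY-----' > "$1"
}

# verify_image KEYFILE IMAGE: returns 0 only when cosign validates the
# image signature against KEYFILE; 2 if the key file is unreadable
# (verification would fail anyway, so cosign is not invoked); 3 if
# cosign is not installed.
verify_image() {
  local key="$1" image="$2"
  [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 2; }
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 3; }
  cosign verify --key "$key" "$image"
}

# verify_release KEYFILE VERSION: checks the operations center and the
# client controller image for one release; succeeds only if both validate.
verify_release() {
  local key="$1" version="$2" image st rc=0
  for image in "cloudbees/cloudbees-core-oc:$version" \
               "cloudbees/cloudbees-core-cm:$version"; do
    verify_image "$key" "$image" && st=0 || st=$?
    if [ "$st" -eq 0 ]; then
      echo "verified: $image"
    else
      echo "NOT verified (exit $st): $image" >&2; rc=1
    fi
  done
  return "$rc"
}

# Usage: write_cloudbees_key cloudbees.key && verify_release cloudbees.key 2.332.1.4
```

Run it on the host that pulls the images and treat any non-zero result as a stop, so an unverified image never reaches the internal registry.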