Verifying the CloudBees CI on modern cloud platforms Docker images


CloudBees CI on modern cloud platforms runs as a set of Docker containers on a Kubernetes cluster.

CloudBees CI on modern cloud platforms includes the following Docker containers:

  • cloudbees-cloud-core-oc: Operations center

  • cloudbees-core-mm: Managed controller

In a standard installation, the CloudBees Helm chart pulls the CloudBees CI cloudbees-cloud-core-oc and cloudbees-core-mm images from the public Docker Hub repository.

The CloudBees CI Docker images are signed, so that you can verify their origin and authenticity. Verifying the origin and authenticity of public Docker images is an optional step in the installation process. It can help ensure that you are not the victim of a "man-in-the-middle" attack or other types of image tampering.

You should verify the signatures before you run the Docker images. If you mirror the images into an internal Docker registry, verify them at the point where they are pulled into that registry.

In order to verify the CloudBees CI Docker images, you must download Cosign. Cosign is a component of Sigstore, a collection of projects designed to make software signing and signature verification easier.

You create a text file containing the CloudBees public key, and then run the Cosign verification process. The CloudBees public key is as follows:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj
IzA5r4X2TNQJPmInN7gmcQglubRgfA/wNLtli/3wR3jepeHulb33SbWoNw==
-----END PUBLIC KEY-----

To verify the authenticity of CloudBees CI Docker images, complete the following steps:

  1. Create a text file that contains the CloudBees public key. Cosign must be able to access the file to verify the images or the verification will fail.

    You can copy and paste the key into a text file, or you can use the following command to create the text file and populate it with the CloudBees public key:

    echo -e "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj\nIzA5r4X2TNQJPmInN7gmcQglubRgfA/wNLtli/3wR3jepeHulb33SbWoNw==\n-----END PUBLIC KEY-----" > cloudbees.key
  2. Run one of the following commands for each image you want to verify.

    • To verify the operations center image for version 2.361.1.2, type:

      cosign verify --key cloudbees.key cloudbees/cloudbees-cloud-core-oc:2.361.1.2

    • To verify the managed controller image for version 2.361.1.2, type:

      cosign verify --key cloudbees.key cloudbees/cloudbees-core-mm:2.361.1.2

    Cosign responds with a message that indicates whether the image is validated as authentic. An exit code of 0 indicates that the image is authentic. If an image is not validated as authentic, you should contact CloudBees Support.
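The two steps above can be wrapped in a single script that writes the key file, verifies both images, and fails closed on Cosign's exit code, which is what a CI job or registry-mirroring step needs. The script below is an added example, not CloudBees' own tooling; it embeds the public key quoted on this page, assumes `cosign` is on the PATH (overridable through the `COSIGN_BIN` variable, which is this example's own convention), and defaults to the page's version `2.361.1.2`. It uses `printf` rather than `echo -e` because `echo -e` is not portable across shells.

```shell
#!/bin/sh
# Added example (not from the CloudBees page): verify the CloudBees CI
# operations center and managed controller images with cosign and fail closed
# if any image does not verify.
#
# Assumptions: cosign is on PATH (override with COSIGN_BIN); the key text below
# is the CloudBees public key quoted on the page; the version defaults to the
# page's example version 2.361.1.2.

CLOUDBEES_PUBKEY='-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiID18L4gntpfEdZS20+KXe5965cj
IzA5r4X2TNQJPmInN7gmcQglubRgfA/wNLtli/3wR3jepeHulb33SbWoNw==
-----END PUBLIC KEY-----'

CLOUDBEES_VERSION="${CLOUDBEES_VERSION:-2.361.1.2}"
COSIGN_BIN="${COSIGN_BIN:-cosign}"

# Write the public key to a file that cosign can read. printf writes the
# embedded newlines as-is, unlike `echo -e`, whose behaviour varies by shell.
write_key_file() {
    printf '%s\n' "$CLOUDBEES_PUBKEY" > "$1"
}

# Sanity check on the key file: the key above is 4 lines including the
# BEGIN/END markers. Prints the line count.
key_file_lines() {
    wc -l < "$1" | tr -d ' '
}

# Verify one image reference ($2) against the key file ($1). The exit status
# is cosign's own: 0 means a valid signature by that key was found.
verify_image() {
    "$COSIGN_BIN" verify --key "$1" "$2" > /dev/null 2>&1
}

# Verify every image named after the key file. Returns 0 only if all of them
# verify, so the caller can fail closed on the exit status.
verify_all() {
    key_file=$1
    shift
    failures=0
    for image in "$@"; do
        if verify_image "$key_file" "$image"; then
            echo "OK       $image"
        else
            echo "FAILED   $image"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

main() {
    key_file=$(mktemp) || exit 1
    write_key_file "$key_file"
    verify_all "$key_file" \
        "cloudbees/cloudbees-cloud-core-oc:$CLOUDBEES_VERSION" \
        "cloudbees/cloudbees-core-mm:$CLOUDBEES_VERSION"
    status=$?
    rm -f "$key_file"
    exit "$status"
}

# Run main only when this file is executed directly under the name below,
# e.g. `sh verify-cloudbees-images.sh` or `CLOUDBEES_VERSION=x.y.z sh ...`.
case "$0" in
    *verify-cloudbees-images.sh) main "$@" ;;
esac
```

Save the script as `verify-cloudbees-images.sh` and run it before deploying or mirroring the images; a non-zero exit means at least one image did not verify against the CloudBees key and should not be used. Note that `cosign verify` on a tag checks the signature of whatever manifest the tag resolves to at that moment, so record the verified digest if you want later pulls to be pinned to exactly what was checked.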