IBM Cloud Docs
Signing images for trusted content in Container Registry

IBM Cloud® Container Registry provides trusted content technology so that you can sign the images in your registry namespaces and later verify their integrity and origin.

When you push signed images and require signature verification when you pull them, you can confirm that an image was produced by the party that holds the signing key, such as your continuous integration (CI) tools, and that it was not altered after it was signed.

You can use Red Hat® signatures to sign your images.

Signing images by using Red Hat signatures

You can use various tools to create Red Hat signatures for your images. IBM Cloud Container Registry supports the Red Hat signatures extension API, so the signatures are stored in the registry alongside the images that they cover, where clients can retrieve them when they pull the image.

You can use the following tools to create Red Hat signatures:

Using Skopeo to sign images

To use Skopeo to sign your images, you must create a private GNU Privacy Guard (GnuPG or GPG) key and then run the skopeo command with the --sign-by option.

The following example does not include authentication to the registry. You must already be logged in to IBM Cloud Container Registry, for example by running ibmcloud cr login or skopeo login, before the push can succeed.

  1. To create a GnuPG identity, run the following command.

    gpg --generate-key
    
  2. Push and sign the image in one step by using the GnuPG identity to sign the image. Where <your_email> is the email address in the user ID of the GnuPG key that you created in step 1, <repository:tag> is your repository and tag as they are known to the local Docker daemon, and <image> is the name of your image in the registry in the format <region>/<namespace>/<repository:tag>, where <region> is the registry domain for your region, such as us.icr.io, and <namespace> is the name of your namespace.

    To find the names of your images, run ibmcloud cr image-list. Combine the content of the Repository column (repository) and Tag column (tag) separated by a colon (:) to create the image name in the format repository:tag. If the list images command times out, see Why is it timing out when I list images? for assistance.

    skopeo --insecure-policy copy --sign-by <your_email> docker-daemon:<repository:tag> docker://<image>
    

    For example, where user@email.com is your GnuPG email address, bluebird:build1 is your repository and tag, and us.icr.io/birds/bluebird:build1 is the name of your image.

    skopeo --insecure-policy copy --sign-by user@email.com docker-daemon:bluebird:build1 docker://us.icr.io/birds/bluebird:build1
    

    On macOS, if you get the error Error copying image to the remote destination: Error writing signatures: mkdir /var/lib/containers/sigstore: permission denied, the default registry configuration points signature storage at a local directory that you cannot write to. Override the internal default by running the command with the --registries.d option pointing at a directory that contains no registries.d configuration (the current directory in this example), so that Skopeo stores the signature in the registry instead.

    skopeo --registries.d . --insecure-policy copy --sign-by user@email.com docker-daemon:us.icr.io/birds/bluebird:build1 docker://us.icr.io/birds/bluebird:build1
    

On Linux® and macOS, the default configuration for the tools stores signatures locally rather than in the registry. A signature that exists only on the machine that pushed the image is not available to anyone who pulls the image from another host, so signature verification fails there because the signature is not in the registry. To fix this problem, you can modify or delete the configuration file that selects the local signature store. On Linux®, the configuration is saved in /etc/containers/registries.d/default.yaml. On macOS, the configuration file is saved in /usr/local/etc/containers/registries.d/default.yaml. On macOS, when Skopeo is installed by using the Homebrew package manager, the configuration file might be at /opt/homebrew/Cellar/etc/containers/registries.d/default.yaml for Apple silicon, or /usr/local/Cellar/etc/containers/registries.d/default.yaml for Intel.
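As an added example (not code from the IBM Cloud documentation or from the Skopeo project), the following POSIX shell script ties the steps above together: it composes the image name, writes a containers policy.json that trusts only your GnuPG key for your namespace, pushes and signs with Skopeo by using an empty --registries.d directory so that the signature is stored in the registry rather than in a local sigstore directory, and then pulls the image back under that policy so that the copy fails if the signature is missing or was not made by the trusted key. The registry domain us.icr.io, the namespace birds, the repository and tag, the signer address and the temporary file paths are placeholders; the script assumes that gpg and skopeo are installed, that the key from step 1 exists, and that you are already logged in to the registry.

```shell
#!/bin/sh
# Added example, not part of the IBM Cloud documentation or of Skopeo itself.
# Assumes: skopeo and gpg installed, a GnuPG key whose user ID contains the
# signer email (step 1), a local image in the Docker daemon, and an existing
# login to the registry. All names and paths below are placeholders.

# Compose <region>/<namespace>/<repository:tag>; fail on missing parts or tag.
image_ref() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "image_ref: region and namespace are required" >&2; return 1; }
    case "$3" in
        *:*) ;;
        *) echo "image_ref: '$3' must be in the form repository:tag" >&2; return 1 ;;
    esac
    printf '%s/%s/%s\n' "$1" "$2" "$3"
}

# Emit a containers policy.json that rejects every image by default and
# accepts images under the given registry scope only when they carry a
# signature from the GPG key stored at keyPath.
policy_json() {
    cat <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$1": [
        { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "$2" }
      ]
    }
  }
}
EOF
}

# Sign, push, then verify. An empty registries.d directory means no
# sigstore-staging entry, so Skopeo writes the signature to the registry
# through the signatures extension API and reads it back from there.
sign_push_verify() {
    signer="$1"; region="$2"; namespace="$3"; repo_tag="$4"
    image=$(image_ref "$region" "$namespace" "$repo_tag") || return 1
    work=$(mktemp -d)
    mkdir -p "$work/registries.d"                        # intentionally empty
    gpg --export --armor "$signer" > "$work/signer.pub"   # public key for the verifier
    policy_json "$region/$namespace" "$work/signer.pub" > "$work/policy.json"

    # Push and sign in one step (as in the documented skopeo command).
    skopeo --registries.d "$work/registries.d" --insecure-policy copy \
        --sign-by "$signer" "docker-daemon:$repo_tag" "docker://$image" || return 1

    # Pull it back under the strict policy: the copy fails unless the registry
    # returns a signature for this exact image made by the trusted key.
    skopeo --registries.d "$work/registries.d" --policy "$work/policy.json" copy \
        "docker://$image" "dir:$work/verified"
}

# Invoke as: sh sign.sh run user@email.com us.icr.io birds bluebird:build1
if [ "${1:-}" = run ]; then
    sign_push_verify "$2" "$3" "$4" "$5"
fi
```

The verification step is the part that the documented push command alone does not show: with a policy that rejects by default, a tag that was pushed without --sign-by, or signed with a key other than the one exported to signer.pub, cannot be pulled, which is the property you want your deployment hosts to enforce.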

Using Podman to sign images

You can use Podman to sign images. For more information, see Podman.

Signing images by using the Red Hat OpenShift CLI

You can sign your images by using the Red Hat® OpenShift® CLI, which uses the oc command. For more information, see Red Hat OpenShift CLI.