Verifying image and non-image artifact signatures
Maintain the integrity of images that are built in the Continuous Integration (CI) pipeline before deployment by verifying image signatures.
Before you begin
Before you start working with image verification, be sure that you have the following prerequistes.
- You must have the GPG public key. For help generating your GPG key, see the documentation.
- You must add the environment variable
code-signing-certificatewith the base 64-encoded GPG public key.
Verifying images
A new prod-verify-artifact stage verifies the signature of an image in the Continuous Delivery (CD) pipeline. This stage performs the following steps:
-
Decodes the user-provided encoded GPG public key into a temporary file.
-
Creates a Docker container policy (
/etc/containers/policy.json) with the public key.{ "default": [ { "type": "reject" } ], "transports": { "docker-daemon": { "": [ { "type": "reject" } ] }, "docker": { "": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "/tmp/GPGPublicKey" } ] } } } -
Retrieves the list of artifacts for each artifact by using Skopeo to pull the image with the container policy.
skopeo copy docker://"${image}" dir:"${tmp_sign_dir}" --src-creds iamapikey:"${ibmcloud_api_key}"
If the signature is valid and verified by the public key that is provided by the user, the image pull is successful.
Verifying non-image artifacts
In DevSecOps pipelines, the signature of signed artifacts is subject to verification. This section outlines the prerequisites that users must meet before proceeding with artifact verification.
Before you begin
Before you can work with image verification, be sure that you have the following prerequisites.
-
Modify your pipeline configuration to enable the verifcation process. Add the following code snippet to your
.pipeline-config.yamlfile.verify-artifact: image: icr.io/continuous-delivery/pipeline/image-signing:1.0.0@sha256:e9d8e354668ba3d40be2aaee08298d2aa7f0e1c8a1829cca4094ec93830e3e6a image_pull_policy: IfNotPresent abort_on_failure: false dind: true script: | #!/usr/bin/env bash source /opt/commons/verify-artifact/verify_non_image_artifact.sh -
Download the artifact and store it in the pipeline runtime.
Before invoking the
verify-artifactstage, download and store the required artifacts in the Cocoa runtime. By default, all artifacts listed in tehlist_artifactscollection are verified. The following sample code demonstrates how to download an artifact from Cloud Object Storage and save it in the Cocoa runtime:#!/usr/bin/env bash export SECRET_PATH="/config/ibmcloud-api-key" . "${ONE_PIPELINE_PATH}"/iam/get_token SKIP_SIGN_ARTIFACTS_TYPE="$(get_env skip-sign-artifact-type "")" IFS=';' read -ra ARTIFACT_LIST <<<"$SKIP_SIGN_ARTIFACTS_TYPE" list_artifacts | while IFS= read -r artifact; do type="$(load_artifact "$artifact" "type")" if [[ ! "${ARTIFACT_LIST[@]}" =~ "$type" ]] && [[ "$type" != "image" ]]; then inventory_entry="$(load_artifact "$artifact" "inventory-entry")" inventory_entry=${inventory_entry///artifacts/$WORKSPACE} artifact_url=$(jq -r .'app_artifacts.artifact_url' ${inventory_entry}) echo "downloading the artifact ${artifact_url}" curl -H "Authorization: bearer ${IAM_ACCESS_TOKEN}" --output outputfile ${artifact_url} save_file "${artifact}" outputfile fi done
Verifying artifacts
In the artifact verification process, the user-provided GPG public key is imported into the GPG keyring. All artifacts listed in the list_artifacts collection will be verified. The stage attempts to retrieve the signature from
the inventory and performs the following verification:
gpg --verify "${signature}" "${artifactName}"
If the signature is valid and verified using the provided public key, the stage will record the evidence and mark the stage as successful.