Verify Container Image Authenticity
DH2i publishes container images for all products that run in containerized environments. This includes DxEnterprise and DxOperator.
For end users who wish to verify the authenticity of these images, DH2i publishes signatures alongside the images in the Notary v2 format.
Info: The DH2i container image signing certificate is available at https://repos.dh2i.com/dh2i-notary.crt
Verify Image Signature Using Notation CLI

To verify the signature of an image:

- Install the Notation CLI tool (see guide).
- Download the DH2i certificate:

    curl https://repos.dh2i.com/dh2i-notary.crt -o dh2i-notary.crt

- Add the DH2i certificate to the Notation certificate store:

    notation certificate add --type ca --store dh2i dh2i-notary.crt

- Configure the trust policy, including the DH2i certificate.
  - Create a trust policy file, trustpolicy.json:

        {
          "version": "1.0",
          "trustPolicies": [
            {
              "name": "dh2i-images",
              "registryScopes": [ "*" ],
              "signatureVerification": {
                "level": "strict"
              },
              "trustStores": [ "ca:dh2i" ],
              "trustedIdentities": [
                "*"
              ]
            }
          ]
        }

  - Import the trust policy:

        notation policy import trustpolicy.json

- Verify the signature:

    notation verify docker.io/dh2i/dxe:latest
    notation verify docker.io/dh2i/dxoperator:latest

Typically, this command would be run against a specific SHA256 image digest rather than a tag, since a tag such as latest can be moved to point at a different image. The example above uses the latest tag for brevity.
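As an added example (not a DH2i script), the wrapper below enforces the digest-pinning advice from the note above: it only hands a reference to notation verify when that reference is pinned to a sha256 digest, and refuses tag references such as :latest. It assumes notation is installed and the dh2i trust store and trust policy have been set up as described in the steps above.

```shell
#!/usr/bin/env sh
# Added example: verify a DH2i image only when the reference is pinned to
# its sha256 digest. A tag (":latest") can be re-pointed between the pull
# and the verification; a digest reference names exactly one manifest.

# is_digest_ref REF
#   returns 0 if REF ends in "@sha256:" followed by exactly 64 lowercase
#   hex characters (the OCI digest form), 1 otherwise.
is_digest_ref() {
    case "$1" in
        *@sha256:*) ;;
        *) return 1 ;;
    esac
    digest="${1##*@sha256:}"
    [ "${#digest}" -eq 64 ] || return 1
    case "$digest" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# verify_pinned REF
#   returns 2 without contacting the registry when REF is not digest-pinned;
#   otherwise runs "notation verify REF" (trust policy assumed configured)
#   and returns its exit status.
verify_pinned() {
    if ! is_digest_ref "$1"; then
        echo "refusing to verify '$1': pin the image to its sha256 digest" >&2
        return 2
    fi
    notation verify "$1"
}

# Usage: verify_pinned docker.io/dh2i/dxe@sha256:<digest from the registry>
```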