search

Docker image signing and verification

Docker images that are part of the TRUE Connector are signed using cosignarrow-up-right. In releases section, you can find appropriate version of cosign executable, appropriate of the target OS.

Signed images starts with following versions:

rdlabengpa/ids_execution_core_container:v1.14.8\

rdlabengpa/ids_be_data_app:v0.3.8\

rdlabengpa/ids_uc_data_app_platoon:v1.7.9\

rdlabengpa/ids_uc_data_app_platoon_pip:v1.0.0\

Once images are downloaded, you can verify the signature by executing following command, (trueconn.pub file can be found in the ecc_cert folder) and response should be like following

NOTE: Versions of cosing greater than 2.0.x will require to provide additional flag --insecure-ignore-tlog, to avoid message like following:

Error: no matching signatures:
signature not found in transparency log
main.go:69: error during command execution: no matching signatures:
signature not found in transparency log
cosign verify --insecure-ignore-tlog --key trueconn.pub rdlabengpa/ids_execution_core_container:v1.14.8

WARNING: Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.
Verification for index.docker.io/rdlabengpa/ids_execution_core_container:v1.14.8 --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - The signatures were verified against the specified public key

[
	{
        "critical": {
            "identity": {
                "docker-reference": "index.docker.io/rdlabengpa/ids_execution_core_container"
            },
            "image": {
                "docker-manifest-digest": "sha256:9435112a13ecde7fc3bb2ccdfabc3178866c88685462c3c7b399726fb40bf6ed"
            },
            "type": "cosign container image signature"
        },
        "optional": null
    }
]

Last updated