Verify SLE Base Container Images
Introduction
Verifying container images allows you to confirm their provenance, thus ensuring the supply chain security. This document demonstrates how to verify container images using Cosign and how to integrate the verification step into your Podman installation.
Verifying SLE BCI with Cosign
To verify a SLE BCI image, run Cosign in the container. The command below fetches the signing key from the SUSE server and uses it to verify the latest BCI-Base container image.
> podman run --rm -it gcr.io/projectsigstore/cosign verify \
--key https://ftp.suse.com/pub/projects/security/keys/container-key.pem \
registry.suse.com/bci/bci-base:latest | tail -1 | jq
[
{
"critical": {
"identity": {
"docker-reference": "registry.suse.com/bci/bci-base"
},
"image": {
"docker-manifest-digest": "sha256:52a828600279746ef669cf02a599660cd53faf4b2430a6b211d593c3add047f5"
},
"type": "cosign container image signature"
},
"optional": {
"creator": "OBS"
}
}
]
The signing key can be used to verify all SLE BCI container images, and it also
ships with SLE 15 (the /usr/share/container-keys/suse-container-key.pem
file).
You can also check SLE BCI container images against rekor, the immutable tamper resistant ledger. For example:
> podman run --rm -it -e COSIGN_EXPERIMENTAL=1 gcr.io/projectsigstore/cosign \
verify --key https://ftp.suse.com/pub/projects/security/keys/container-key.pem \
registry.suse.com/bci/bci-base:latest | tail -1 | jq
[
{
"critical": {
"identity": {
"docker-reference": "registry.suse.com/bci/bci-base"
},
"image": {
"docker-manifest-digest": "sha256:52a828600279746ef669cf02a599660cd53faf4b2430a6b211d593c3add047f5"
},
"type": "cosign container image signature"
},
"optional": {
"creator": "OBS"
}
}
]
If verification fails, the output of the cosign verify
command is similar to the one below.
Error: no matching signatures: crypto/rsa: verification error main.go:62: error during command execution: no matching signatures: crypto/rsa: verification error
Verifying SLE BCI with Podman
There are three main prerequisites to verify SLE Base Container Images using Podman. First, specify registry.suse.com
as the registry for which image verification will be enabled.
Update Podman registries configuration
Skip this step on SLE or openSUSE, as the correct configuration is already in place.
Add the following configuration to /etc/containers/registries.d/default.yaml
:
docker:
registry.suse.com:
use-sigstore-attachments: true
Instead of editing the default.yaml
, you can create a new file in
/etc/containers/registries.d/
with a filename of your choice.
Update signature verification policy (/etc/containers/policy.json
)
Next, modify the /etc/containers/policy.json file.
Under the docker
attribute, add the registry.suse.com
configuration similar to the following:
{
"default": [
{
"type": "insecureAcceptAnything"
}
],
"transports": {
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker": {
"registry.suse.com": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/share/pki/containers/suse-container-key.pem",
"signedIdentity": {
"type": "matchRepository"
}
}
]
}
}
}
The specified configuration instructs Podman, Skopeo and Buildah to verify images under the
registry.suse.com
repository. This way, before pulling the image, Podman checks the validity of the signature using the specified public key, and rejects the image if the validation fails.
Do not remove existing entries in
transports.docker
. Instead append the entry forregistry.suse.com
to the list.
Fetch the SUSE Container signing key
This step is optional on SLE. The signing key is already installed under
/usr/share/pki/containers/suse-container-key.pem
.
Fetch the public key used to sign SLE BCIs from SUSE Signing Keys, or use the following command:
> sudo curl -s https://ftp.suse.com/pub/projects/security/keys/container-key.pem \
-o /usr/share/pki/containers/suse-container-key.pem
Verifying if the image is signed
Buildah, Podman and Skopeo will automatically verify every image pulled from registry.suse.com
from now on. There are no additional steps required.
If verification fails, the command returns an error message as follows:
> podman pull registry.suse.com/bci/bci-base:latest
Trying to pull registry.suse.com/bci/bci-base:latest...
Error: copying system image from manifest list: Source image rejected: Signature for identity registry.suse.com/bci/bci-base is not accepted
If there are no issues with the signed image and your configuration, you can continue with your usual development workflow.