SLE BCI Documentation
GitHubToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Verify SLE Base Container Images

Introduction

Verifying container images allows you to confirm their provenance, thus ensuring the supply chain security. This document demonstrates how to verify container images using Cosign and how to integrate the verification step into your Podman installation.

Verifying SLE BCI with Cosign

To verify a SLE BCI image, run Cosign in the container. The command below fetches the signing key from the SUSE server and uses it to verify the latest BCI-Base container image.

> podman run --rm -it gcr.io/projectsigstore/cosign verify \
    --key https://ftp.suse.com/pub/projects/security/keys/container-key.pem \
    registry.suse.com/bci/bci-base:latest | tail -1 | jq

[
  {
    "critical": {
      "identity": {
        "docker-reference": "registry.suse.com/bci/bci-base"
      },
      "image": {
        "docker-manifest-digest": "sha256:52a828600279746ef669cf02a599660cd53faf4b2430a6b211d593c3add047f5"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "creator": "OBS"
    }
  }
]

The signing key can be used to verify all SLE BCI container images, and it also ships with SLE 15 (the /usr/share/container-keys/suse-container-key.pem file).

You can also check SLE BCI container images against rekor, the immutable tamper resistant ledger. For example:

> podman run --rm -it -e COSIGN_EXPERIMENTAL=1 gcr.io/projectsigstore/cosign \
    verify --key https://ftp.suse.com/pub/projects/security/keys/container-key.pem \
    registry.suse.com/bci/bci-base:latest | tail -1 | jq
[
  {
    "critical": {
      "identity": {
        "docker-reference": "registry.suse.com/bci/bci-base"
      },
      "image": {
        "docker-manifest-digest": "sha256:52a828600279746ef669cf02a599660cd53faf4b2430a6b211d593c3add047f5"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "creator": "OBS"
    }
  }
]

If verification fails, the output of the cosign verify command is similar to the one below.

Error: no matching signatures:
crypto/rsa: verification error
main.go:62: error during command execution: no matching signatures:
crypto/rsa: verification error

Verifying SLE BCI with Podman

There are three main prerequisites to verify SLE Base Container Images using Podman. First, specify registry.suse.com as the registry for which image verification will be enabled.

Update Podman registries configuration

Skip this step on SLE or openSUSE, as the correct configuration is already in place.

Add the following configuration to /etc/containers/registries.d/default.yaml:

docker:
  registry.suse.com:
    use-sigstore-attachments: true

Instead of editing the default.yaml, you can create a new file in /etc/containers/registries.d/ with a filename of your choice.

Update signature verification policy (/etc/containers/policy.json)

Next, modify the /etc/containers/policy.json file. Under the docker attribute, add the registry.suse.com configuration similar to the following:

{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports": {
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "docker": {
      "registry.suse.com": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/share/pki/containers/suse-container-key.pem",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    }
  }
}

The specified configuration instructs Podman, Skopeo and Buildah to verify images under the registry.suse.com repository. This way, before pulling the image, Podman checks the validity of the signature using the specified public key, and rejects the image if the validation fails.

Do not remove existing entries in transports.docker. Instead append the entry for registry.suse.com to the list.

Fetch the SUSE Container signing key

This step is optional on SLE. The signing key is already installed under /usr/share/pki/containers/suse-container-key.pem.

Fetch the public key used to sign SLE BCIs from SUSE Signing Keys, or use the following command:

> sudo curl -s https://ftp.suse.com/pub/projects/security/keys/container-key.pem \
    -o /usr/share/pki/containers/suse-container-key.pem

Verifying if the image is signed

Buildah, Podman and Skopeo will automatically verify every image pulled from registry.suse.com from now on. There are no additional steps required.

If verification fails, the command returns an error message as follows:

> podman pull registry.suse.com/bci/bci-base:latest
Trying to pull registry.suse.com/bci/bci-base:latest...
Error: copying system image from manifest list: Source image rejected: Signature for identity registry.suse.com/bci/bci-base is not accepted

If there are no issues with the signed image and your configuration, you can continue with your usual development workflow.