WASdev / websphere-liberty-operator

Deploy and manage containerized Liberty applications on Kubernetes. Documentation: https://ibm.biz/wlo-docs
Apache License 2.0

Verify that the instructions to validate signed images are still accurate #473

Open leochr opened 1 year ago

leochr commented 1 year ago

Image signing process changed for WLO. Verify that the instructions are still correct. If not, provide the new instructions to ID: https://www.ibm.com/docs/en/was-liberty/base?topic=operator-verifying-code-signed-images

leochr commented 1 year ago

@mcurran-us Is this something you could verify/follow-up? Thank you

mcurran-us commented 1 year ago

@leochr yes, I did look at this and I know what needs to be changed, but in trying out the instructions I realized there is a problem in figuring out what fingerprint to tell the customer to use if they have imported multiple keys into the GPG keystore. Previously, we used the signing-alias since the fingerprint looked like this:

```
pub   rsa4096 2021-06-02 [SCEA]
      91FFD9A642D060B66B802B9D4D210F6946102B8E
uid           [ unknown] WebSphereLiberty
```

but now it looks like this:

```
pub   rsa4096 2023-02-10 [SCE] [expires: 2027-02-09]
      E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00
uid           [ unknown] International Business Machines Corporation <psirt@us.ibm.com>
```

There is nothing unique to search on except for maybe the expiration date, which is not ideal. So, I'm trying to find out if there are other alternatives.

dmuelle commented 1 year ago

Doc issue to update the WLO doc, pending the outcome here: https://github.ibm.com/websphere/operator-docs/issues/384

mcurran-us commented 1 year ago

Updates for the instructions to validate signed images:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGPmbEgBEADngOaoWkCGOA6wEXSEiy0p/ccG0vmRdMQzm4o0sIPsZ+spdj1b
VQAZx23yGctE30JTu2YAaZEyH2cqgO+iEGMSz9yY6PDwcIn5y7N+tNXoUKdinPJ2
6T4bTypJ1SileGncUVU3U1xAZIH2Cmcn5wmXS/9GKIbtkUQ708RQLKVEFESpjgjr
VKjpxn8pd+0niQniq5h7iNf6cYAQnCsdH/z8oifWnacipEuBDJ9lF30YRiLhK7m6
FTOdBGeF7XohUOI/AGw0erEuTc80YvX/i+IUmf/hqHxY+A/hEjgFkvXxh8zAmCDU
It1v/LV+c9vdjz/hNb+jGI1te3z3xMDQz1WCMIYflyw6ex9nmP7EcFFPG/kRVAMx
cu+glm71QC7Q9ftx1ZvAfYXhNMCr6b91z1e3XYM/Whx9qNkyc8MnoZtq5lxJGRkL
rgB8RrWGP55R7oWbEn80ppT6MtINy6Ft7TZhnjsI6VEsEcB2qi6TC/0/29z9c2z6
DuFFDQ/y/Naqb+mbDhdahhX1t5ABWTgcv+h+EZzs1QRV/ScBFqJMgV6O+BNbsXpZ
/1z0crs6yAHQujK4mgoHEyEiP7/3OVF1Wazlyap9PwU7Y4LKEfdrO2+CIR5AuivR
3PRNhU5NWYvEn9bnIXMsacAfLBTv5lFZqT15PFggtoonDZJHCIncnoQyQwARAQAB
tD5JbnRlcm5hdGlvbmFsIEJ1c2luZXNzIE1hY2hpbmVzIENvcnBvcmF0aW9uIDxw
c2lydEB1cy5pYm0uY29tPokCOgQTAQgAJAUCY+ZsSAIbDwULCQgHAgYVCgkICwIE
FgIDAQIeAQUJB4TN/wAKCRC9n9W+nmjKAGHmD/9QDewA9bYLE6SAePCyFg2/tWAe
U2Ot+nO2QtUn0amF0hPNIv2q4sgVoJ/4tfMyK2JytuvfHCbWlM6rGaUhAdOlR83Q
ATl8d1KhWEOnYDwiBrOlOkyn/Qw3Wv209bNDpd3Y6l1Kootv8F1xbCszkYc1FsJB
Y3i4Cu2asQR3eMCNqAQTIsfKQRWc6dtn9/L0allKR+OOAJRlHZ3woRUbb0NeOYjM
44awORcHvuO7nivIWNntKrqCg/twVVtQrVcLbr9p60adTLQ2kC/E6t5J2G0gy4sX
jy+GAHdZlXr8Yl0wUE36n5bmo016gfV1mlxj1StpHi4kVTB/8xEQBBxaPnaRB7TF
SCTIhAdTt6+Ko+QVLGMEChDJ5HSzDKzSVK/p6BhesFz5xADH2aNdMw4xzwf56Ooa
prAaTQtSE9/LlQQZ+GvAJaeUj8e1Dtu0yQrXanyrMkRl1iNywYNXTB/cbALp06SI
BcRRdyVghNF2kcm6sEhWKS2IyTqLNM7t3UV9SLZanBT1/PlBHifoC/GWR8mAVcUl
wWWLiisj04+mDuy/J9Gu6R8PNS+WQo6aHZPOjN3k1boHjrLzpc6/0DX5p+1AwsYo
Omz0ERJdt888LZ4HY+iEC/G2VMqCMn8iS1Q0KbZ+H8gS3Q194UqFUa6M3JOmfZdQ
rRtygUT5grK8h6/pFg==
=rXKG
-----END PGP PUBLIC KEY BLOCK-----
```

- Step 2 needs to be changed to 
`export fingerprint=E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00`

- Last part of Step 3 needs to be changed to

  Repeat this step for each of the images to verify:
  - `icr.io/cpopen/websphere-liberty-operator:-<amd64 | ppc64le | s390x>`
  - `icr.io/cpopen/websphere-liberty-operator-bundle:`
  - `icr.io/cpopen/websphere-liberty-operator-catalog:-<amd64 | ppc64le | s390x>`


- Multiple references in Step 4 need to be changed to always use signature-1 instead of signature-x and signature-2.

dmuelle commented 1 year ago

Thanks @mcurran-us @leochr - I will update the docs. I have a couple questions when you have a chance

  1. Where does this public key block come from? It appears to be different from the WL Public Key that we use to verify release packages. I'm wondering how we will keep the doc current when it changes. For the release packages, we link out to the key on DHE instead of posting a hard copy.
  2. The second part of step 3 is a little confusing - do we expect the users will generally need to verify all three packages listed - operator, bundle, and catalog?

mcurran-us commented 1 year ago

@dmuelle

  1. The public key block comes from issuing the gpg2 --export command and specifying the signing fingerprint. It changed this time because we had to switch from using the CISO signing service to using the Garasign signing service. I don't know what DHE is so I can't comment on that.
  2. They could; whether or not they would is another question. I based the documentation off of other IBM documentation I had found which listed all 3 images.

dmuelle commented 1 year ago

Thanks @mcurran-us - just a couple more questions when you have a chance:

> The public key block comes from issuing the gpg2 --export command and specifying the signing fingerprint.

  1. Is that something the user could do as part of this process? If so, might be a way to ensure they're always running with the current key. If not, then we can stick with hard coding the value into the page.
  2. For Step 2: Calculate the fingerprint, does that command automatically make the fingerprint available as ${fingerprint} in step 4, or does the user copy it into the command in step 4 to replace ${fingerprint}?
  3. Now that the command in step 2 has changed, is "Calculate the fingerprint." still an accurate description or should it be something like "Export the fingerprint" ?
  4. Where does the signature-1 file come from? Do you get it from the skopeo copy command in step 3?

dmuelle commented 1 year ago

Also- is there more than one "WebSphere Liberty public key"? The one in this issue does not match the one on Fix Central.

Which is fine if there is meant to be a different public key for verifying the operator but I want to be careful about calling two different things "the WebSphere Liberty public key" at different places in the docs.

mcurran-us commented 1 year ago

  1. The customer cannot issue that command as it requires access to the signing service.
  2. Yes, because of the export command. It will automatically replace the ${fingerprint} with the actual value.
  3. Export the fingerprint would be more accurate.
  4. The signature-1 file gets downloaded as part of the skopeo copy command.
  5. There is only one code-signing public key, but there could be other public keys associated with WebSphere Liberty. Maybe we could refer to it as the WebSphere Liberty code signing public key or something like that.
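The verification flow described in this thread (import the code-signing key, pin the fingerprint from Step 2, let `skopeo copy` fetch `signature-1` in Step 3, then verify against the pinned fingerprint in Step 4), as an added example that is not part of this issue or of the websphere-liberty-operator project. It also covers the earlier concern about a keyring that holds more than one key by selecting the key by fingerprint rather than by searching the uid. The `gpg2` and `skopeo` invocations, the key file name and the image tags are assumptions; the keyring listing embedded for the offline check is constructed, reusing only the two fingerprints quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the issue or from the websphere-liberty-operator project.
# Pins the code-signing key by fingerprint (the Step 2 value from the thread) instead of
# searching the keyring by uid, then verifies each image with skopeo.
# Assumptions: gpg2 and skopeo are installed, the registry's sigstore is configured for
# skopeo, and the key file name and image tags below are placeholders.

EXPECTED_FINGERPRINT="E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00"   # Step 2 in the thread

# Print every fingerprint ("fpr" records, field 10) from
# `gpg2 --with-colons --fingerprint` output read on stdin.
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Succeeds only if the expected fingerprint is present in the listing. Other keys in
# the keyring do not matter, so a shared keyring with several imported keys is fine.
check_pinned_key() {
    listing="$1"
    expected="$2"
    printf '%s\n' "$listing" | fingerprints_from_colons | grep -qx "$expected"
}

# Constructed sample listing: a keyring holding both the old and the new code-signing
# keys (fingerprints from the thread; key IDs derived from them; epochs made up).
SAMPLE_LISTING='pub:-:4096:1:4D210F6946102B8E:1622592000:::-:::scESCA::::::23::0:
fpr:::::::::91FFD9A642D060B66B802B9D4D210F6946102B8E:
uid:-::::1622592000::0000000000000000000000000000000000000000::WebSphereLiberty::::::::::0:
pub:-:4096:1:BD9FD5BE9E68CA00:1676000000:1802000000::-:::scESC::::::23::0:
fpr:::::::::E70E5D6C3F1E452CB0F67DF1BD9FD5BE9E68CA00:
uid:-::::1676000000::0000000000000000000000000000000000000000::International Business Machines Corporation <psirt@us.ibm.com>::::::::::0:'

# Real flow (only run as "./verify.sh run [keyfile]"): import the key, confirm the pin,
# then copy each image together with its signature and verify manifest.json against
# signature-1 using only the pinned fingerprint.
verify_images() {
    keyfile="$1"; shift
    gpg2 --import "$keyfile" || return 1
    listing=$(gpg2 --with-colons --fingerprint) || return 1
    check_pinned_key "$listing" "$EXPECTED_FINGERPRINT" || {
        echo "pinned code-signing key not present after import" >&2
        return 1
    }
    for image in "$@"; do
        workdir=$(mktemp -d) || return 1
        # skopeo copy fetches manifest.json, the blobs and signature-1 (Step 3 in the thread).
        skopeo copy "docker://$image" "dir:$workdir" || return 1
        # standalone-verify accepts the signature only if it was made by the pinned key.
        skopeo standalone-verify "$workdir/manifest.json" "$image" \
            "$EXPECTED_FINGERPRINT" "$workdir/signature-1" || return 1
        echo "verified: $image"
    done
}

if [ "${1:-}" = "run" ]; then
    shift
    # TAG and the key file name are placeholders; take the release tag from the documentation.
    verify_images "${1:-wlo-code-signing-key.asc}" \
        "icr.io/cpopen/websphere-liberty-operator:TAG-amd64" \
        "icr.io/cpopen/websphere-liberty-operator-bundle:TAG" \
        "icr.io/cpopen/websphere-liberty-operator-catalog:TAG-amd64"
fi
```

Pinning the fingerprint rather than matching on the uid is what makes the check robust when the keyring already contains the old `WebSphereLiberty` key or unrelated IBM keys: `check_pinned_key` accepts only the exact 40-hex-digit value, and `skopeo standalone-verify` is handed that same value, so a signature made by any other imported key is rejected.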

dmuelle commented 1 year ago

Thank you @mcurran-us - would you review the updated topic and let me know if any further changes are needed?

https://ibmdocs-test.dcs.ibm.com/docs/en/SSAW57_liberty_test?topic=operator-verifying-code-signed-images

Thanks!

mcurran-us commented 1 year ago

@dmuelle Looks good to me.
Thanks!