Installing and Using the CTE Signing Tool
To use this tool to gather signatures from container images and push them to CipherTrust Manager, complete the following steps:

1. Download a container image.

   a. From a public repository, type:

   ```
   ./cte-sign --cdi --image=<image name> --tag=<image version>
   ```

   b. From a private repository, type:

   ```
   ./cte-sign --cdi --image=<image name with url> --tag=<image version> --repo-user=<repo username> --repo-password=<repo password>
   ```

2. To get the list of signature set IDs from CipherTrust Manager, type:

   ```
   ./cte-sign --cm --signature-sets list --ip=<CM IP> --user=<CM username> --password=<CM password> --cm-domain=<CM Domain>
   ```

3. To create a signature set for a process set or a Container Image Digest set, type:

   ```
   ./cte-sign --cm --signature-sets create --sigset-name=<signature-set-name> --sigset-type=<signature-set-type> --ip=<CM IP> --user=<CM username> --password=<CM password> --cm-domain=<CM Domain>
   ```

4. To send the signatures collected from the downloaded container image to CipherTrust Manager under a signature set, type:

   ```
   ./cte-sign --cm --signature-sets add-signatures --sigset-name=<signature-set-name> --path=<source-path> --ip=<CM IP> --user=<CM username> --password=<CM password> --cm-domain=<CM Domain>
   ```

5. To clean up and remove the image directory, type:

   ```
   ./cte-sign --cleanup
   ```

6. Retrieve container image digests.

   a. To retrieve digests for the images in a pod spec yaml file, type:

   ```
   ./cte-sign --digest --podspec=<pod spec file name> --kubeconfig=<kubeconfig file path>
   ```

   b. To retrieve the digest of a public image, type:

   ```
   ./cte-sign --digest --image=<image name> --tag=<image tag>
   ```

   c. To retrieve the digest of a private image, type:

   ```
   ./cte-sign --digest --image=<image name> --tag=<image tag> --repo-user=<repo username> --repo-password=<repo password>
   ```

7. Retrieve a Container Image Digest and push it to CipherTrust Manager.

   a. For a public image, type:

   ```
   ./cte-sign --digest --push-to-cm --image=<image name> --tag=<image tag> --ip=<CM IP> --user=<CM username> --password=<CM password> --sigset-name=<signature-set-name> --cm-domain=<CM Domain>
   ```

   b. For a private image, type:

   ```
   ./cte-sign --digest --push-to-cm --image=<image name> --tag=<image tag> --repo-user=<repo username> --repo-password=<repo password> --ip=<CM IP> --user=<CM username> --password=<CM password> --sigset-name=<signature-set-name> --cm-domain=<CM Domain>
   ```

   c. For the public or private images in a pod spec yaml file, type:

   ```
   ./cte-sign --digest --push-to-cm --podspec=<pod spec file name> --ip=<CM IP> --user=<CM username> --password=<CM password> --sigset-name=<signature-set-name> --cm-domain=<CM Domain>
   ```
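As an added illustration, not part of the signing tool or its documentation, of what the `--podspec` step has to cover before any digest can be retrieved, this Python helper walks a constructed pod spec in JSON form (the shape `kubectl get pod -o json` returns; the tool itself reads YAML) and splits every container image reference into the name and tag that the single-image `--image`/`--tag` form would take, flagging references that are already pinned to a sha256 digest.

```python
import json
import re

# Constructed pod spec in JSON form (the shape `kubectl get pod -o json` returns).
SAMPLE_POD_SPEC = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "spec": {
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [
            {"name": "app", "image": "registry.example.com:5000/team/app:2.4.1"},
            {"name": "sidecar", "image": "nginx"},
            {"name": "pinned", "image": "ghcr.io/example/tool@sha256:" + "a" * 64},
        ],
    },
})

# Reference already pinned to a content digest: name@sha256:<64 hex chars>.
_DIGEST_RE = re.compile(r"^(?P<name>[^@]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def parse_image_ref(ref):
    """Split an image reference into (name, tag, digest); digest is None unless
    the reference is pinned, and a missing tag resolves to the registry default."""
    m = _DIGEST_RE.match(ref)
    if m:
        return m.group("name"), None, m.group("digest")
    # A ':' after the last '/' introduces the tag; a ':' before it is a registry port.
    name, sep, tag = ref.rpartition(":")
    if not sep or "/" in tag:
        return ref, "latest", None
    return name, tag, None


def pod_spec_images(pod_json):
    """Return one record per image in initContainers and containers, in pod order.
    'image' and 'tag' are what a per-image --image/--tag invocation would take."""
    spec = json.loads(pod_json)["spec"]
    records = []
    for field in ("initContainers", "containers"):
        for c in spec.get(field, []):
            name, tag, digest = parse_image_ref(c["image"])
            records.append({"container": c["name"], "image": name, "tag": tag,
                            "digest": digest, "pinned": digest is not None})
    return records
```

Images that come back with `pinned` set already identify exact content; the unpinned ones (and any that fell back to `latest`) are the references whose digest the tool must resolve, and the ones worth pinning in the pod spec once a signature set exists for them.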
CLI Argument Definitions
| Argument | Definition |
|---|---|
| --cleanup | Delete the container image files and directories. |
| --cm-domain | (Optional) Provide this option only if an operation belongs to a specific domain, other than the root domain. |
| --image | Container image name/URL. |
| --ip | CipherTrust Manager IP address. |
| --kubeconfig | kubeconfig file for retrieving pod digests. |
| --password | Password of CipherTrust Manager credential. |
| --path | The binary path inside the downloaded container image whose files are to be pushed to CipherTrust Manager, e.g. /usr/bin. |
| --podspec | Pod specification yaml file. |
| --repo-password | Password/AccessToken for the private repository. |
| --repo-user | Username for private repository access. |
| --sigset-name | The signature set name where signatures will be contained. |
| --sigset-type | The signature set type: `Application` for process signatures, `Container-Image` for container image signatures. |
| --tag | Container image version. |
| --user | Username of CipherTrust Manager credential. |