Using a Signed and Verified CCC Container Image
Using a signed and verified CCC container image strengthens the security and reliability of your system environment: the container runtime refuses images that do not carry a signature it can verify, which reduces the risk of running a tampered or substituted image, builds trust among users, and supports compliance with industry standards and regulations. Follow these steps to use a signed and verified CCC container image:
1. Access the CCC package you downloaded by following the instructions on the Installing Crypto Command Center page.
2. Transfer the key file (key.pub) to the directory /home/ccc.
3. Create a directory named thalesdiscpl within the sigstore directory:
4. Place the signature file (ccc@sha256=280dcb42613fbcaa7c3cfc6f38db873802484e96677b7881a1c6c7e51d488dda) in the newly created thalesdiscpl directory.
5. Open the policy.json file using the command vi /etc/containers/policy.json.
6. In the policy.json file, change the value of the type field from insecureAcceptAnything to reject. With this default, any container image that is not explicitly allowed by a more specific entry in the policy is rejected:
7. Add the following code snippet above the line "registry.redhat.io": [ :
8. Open the .yaml file using the command vi /etc/containers/registries.d/docker.io-thalesdiscpl.yaml and add the following code to the file:
9. Pull the CCC image using podman pull docker.io/thalesdiscpl/ccc:4.3.0 (for Podman), crictl pull docker.io/thalesdiscpl/ccc:4.3.0 (for Kubernetes or Helm), or docker pull docker.io/thalesdiscpl/ccc:4.3.0 (for Azure).
10. Verify that the image pull succeeded and that the desired container image has been loaded into the local environment by running podman images (for Podman), crictl images (for Kubernetes or Helm), or docker images (for Azure), and then checking for the confirmation message:
    Writing manifest to image destination
    Storing signatures
    Loaded image: docker.io/thalesdiscpl/ccc:4.3.0
11. Complete your CCC installation by referring to the relevant section of the Installing Crypto Command Center page for your deployment method. For Podman, follow steps 10 through 20. For Kubernetes, follow steps 11 through 21. For Helm, follow steps 12 through 21. For Azure, follow steps 6 through 13 for private connections and steps 8 through 15 for public connections.
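The snippets the page refers to in steps 6 through 8 are not reproduced above. The following is an added example, not Thales' own configuration, showing what a hardened policy.json and a registries.d entry for docker.io/thalesdiscpl look like in the containers-policy.json(5) and containers-registries.d(5) formats, next to the weak default they replace. It also includes a small model of the policy's scope matching so the effect of changing the default from insecureAcceptAnything to reject can be checked without a container runtime. The key type (GPGKeys), the signature store location (/var/lib/containers/sigstore) and the containers-storage entry are assumptions; if key.pub is a cosign-style key the requirement type would be sigstoreSigned instead.

```python
"""Added example (not Thales' own files): a hardened containers-policy.json
and registries.d fragment for docker.io/thalesdiscpl, plus a simplified
model of the policy scope lookup. Paths and key type are assumptions."""
import json
import os

# Assumed layout: key.pub from the procedure lives in /home/ccc and the
# detached signatures are stored under /var/lib/containers/sigstore.
KEY_PATH = "/home/ccc/key.pub"
SIGSTORE_URL = "file:///var/lib/containers/sigstore"

# Weak policy: the stock default accepts every image without any check.
WEAK_POLICY = {"default": [{"type": "insecureAcceptAnything"}]}

# Hardened policy: reject by default; docker.io/thalesdiscpl images are
# accepted only with a signature that verifies against KEY_PATH.
HARDENED_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "docker.io/thalesdiscpl": [
                {"type": "signedBy", "keyType": "GPGKeys", "keyPath": KEY_PATH}
            ]
        },
        # Assumption: images already in local storage are trusted so that
        # 'podman run' on a pulled image is not itself rejected.
        "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
    },
}

# registries.d fragment: where the tools look for detached signatures.
REGISTRIES_D_YAML = f"""docker:
  docker.io/thalesdiscpl:
    sigstore: {SIGSTORE_URL}
"""


def write_config(directory):
    """Write both files under `directory` and return their paths."""
    policy_path = os.path.join(directory, "policy.json")
    yaml_path = os.path.join(directory, "docker.io-thalesdiscpl.yaml")
    with open(policy_path, "w") as f:
        json.dump(HARDENED_POLICY, f, indent=2)
    with open(yaml_path, "w") as f:
        f.write(REGISTRIES_D_YAML)
    return policy_path, yaml_path


def _scopes(image_ref):
    """Candidate policy scopes for a docker reference, most specific first.

    Simplified model of containers-policy.json(5) matching: the full
    reference, then the repository, its parent namespaces, the registry
    host, and finally the empty scope for the transport.
    """
    yield image_ref
    repo = image_ref.split("@", 1)[0]
    # A tag is the part after the last colon that follows the last slash.
    head, _, tail = repo.rpartition("/")
    if ":" in tail:
        repo = head + "/" + tail.split(":", 1)[0]
    parts = repo.split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])
    yield ""


def requirement_for(policy, image_ref, transport="docker"):
    """Return the 'type' of the policy requirement that applies to image_ref."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in _scopes(image_ref):
        if scope in scopes:
            return scopes[scope][0]["type"]
    return policy["default"][0]["type"]


if __name__ == "__main__":
    for ref in ("docker.io/thalesdiscpl/ccc:4.3.0", "docker.io/library/alpine:3"):
        print(ref, "->", requirement_for(HARDENED_POLICY, ref))
```

With the hardened policy the CCC image resolves to a signedBy requirement while any other docker.io image falls through to the reject default; with the weak policy both are accepted unconditionally, which is the gap the procedure closes.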