Using a Signed and Verified CCC Container Image
A signed and verified CCC container image lets the host's container engine check, before the image is stored or run, that it was published with the signing key shipped in the CCC package and has not been altered in transit. This closes off tampered or substituted images, gives users evidence of provenance, and supports compliance requirements that call for verified software. The steps below register that key with the containers/image policy (policy.json and registries.d) so that the engine rejects any unsigned or mis-signed thalesdiscpl image. Follow these steps to use a signed and verified CCC container image:
1. Access the CCC package you downloaded by following the instructions on the Installing Crypto Command Center page.

2. Copy the public key file (key.pub) from the package to the directory /home/ccc. This is the key that policy.json references in step 6, so it must remain readable by the user that runs the container engine.

3. Create a directory named thalesdiscpl within the sigstore directory:

    mkdir -p /var/lib/containers/sigstore/thalesdiscpl

4. Place the signature (ccc@sha256=280dcb42613fbcaa7c3cfc6f38db873802484e96677b7881a1c6c7e51d488dda) from the package in the newly created thalesdiscpl directory. containers/image looks a signature up in a file:// sigstore by repository path and manifest digest, as <sigstore>/<repository>@<digest>/signature-1, so after this step the signature must be readable at /var/lib/containers/sigstore/thalesdiscpl/ccc@sha256=280dcb42613fbcaa7c3cfc6f38db873802484e96677b7881a1c6c7e51d488dda/signature-1. If the package delivers the signature as a single file rather than as that directory, create the directory and place the file inside it under the name signature-1.
5. Open /etc/containers/policy.json (for example with vi /etc/containers/policy.json) and change the type of the default entry from insecureAcceptAnything to reject, so that any image not matched by a more specific rule is refused. Before:

    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],

   After:

    "default": [
        {
            "type": "reject"
        }
    ],

   With reject as the default, every other registry this host pulls from (not only registry.redhat.io, which already has its own entry in the file) needs its own rule under transports / docker; otherwise pulls from it will fail.

6. In the same file, add the following entry above the line "registry.redhat.io": [ (inside the transports / docker section), so that images from docker.io/thalesdiscpl are accepted only when they carry a valid GPG signature made with the key copied in step 2:

    "docker.io/thalesdiscpl": [
        {
            "keyType": "GPGKeys",
            "type": "signedBy",
            "keyPath": "/home/ccc/key.pub"
        }
    ],
7. Create the file /etc/containers/registries.d/docker.io-thalesdiscpl.yaml (for example with vi /etc/containers/registries.d/docker.io-thalesdiscpl.yaml) with the following content, which tells the engine where to look for detached signatures for that scope (the indentation matters in YAML):

    docker:
      docker.io/thalesdiscpl:
        sigstore: file:///var/lib/containers/sigstore
8. Pull the CCC image:

    podman pull docker.io/thalesdiscpl/ccc:4.3.0     (Podman)
    crictl pull docker.io/thalesdiscpl/ccc:4.3.0     (Kubernetes or Helm)
    docker pull docker.io/thalesdiscpl/ccc:4.3.0     (Azure)

   Note that policy.json and registries.d are honoured only by tools built on containers/image, such as podman, skopeo and CRI-O. Docker Engine does not read them, so docker pull succeeds whether or not the image is correctly signed, and crictl enforces the policy only when the CRI runtime is CRI-O. If your deployment pulls with docker or with a containerd-based runtime, verify the image first with podman or skopeo on a host configured as above, which do enforce the policy.

9. Confirm that the pull succeeded and that the image is present locally. The pull output should end with the confirmation lines:

    Writing manifest to image destination
    Storing signatures
    Loaded image: docker.io/thalesdiscpl/ccc:4.3.0

   Then list the local images with podman images (Podman), crictl images (Kubernetes or Helm) or docker images (Azure) and check that docker.io/thalesdiscpl/ccc with tag 4.3.0 appears. To confirm that enforcement is active rather than merely configured, try pulling an image from a scope that has no rule in policy.json: with reject as the default, podman refuses it with a "Source image rejected" error.

10. Proceed to complete your CCC installation by referring to the relevant section on the Installing Crypto Command Center page, based on your deployment method. For Podman, follow steps 10 through 20. For Kubernetes, follow steps 11 through 21. For Helm, follow steps 12 through 21. For Azure, follow steps 6 to 13 for private connections and steps 8 to 15 for public connections.
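The following script is an added example for this page, not Thales' own tooling. It performs steps 5 to 7 above as one idempotent operation (rewrite the default to reject, add the signedBy rule while keeping existing entries such as registry.redhat.io, write the registries.d fragment), lints the resulting policy.json for anything that would still let an unsigned image through, and checks that key.pub and the signature sit where containers/image will look for them. The repository, digest and paths are the ones from this page; the ROOT argument is an assumption added so the script can be dry-run against a scratch directory instead of the real /etc.

```python
"""Apply and check the CCC image-signature policy on a containers/image host.

Added example, not part of the Thales documentation. Run as
    python3 ccc_policy.py /            # real host (as root)
    python3 ccc_policy.py /tmp/scratch # dry run against a prefix
"""
import json
import sys
from pathlib import Path

# Values from the page. REPO is the policy scope, IMAGE the pulled repository.
REPO = "docker.io/thalesdiscpl"
IMAGE = "docker.io/thalesdiscpl/ccc"
DIGEST = "sha256:280dcb42613fbcaa7c3cfc6f38db873802484e96677b7881a1c6c7e51d488dda"
KEY_PATH = "/home/ccc/key.pub"
SIGSTORE = "/var/lib/containers/sigstore"
SIGNED_BY = {"type": "signedBy", "keyType": "GPGKeys", "keyPath": KEY_PATH}


def harden_policy(policy: dict) -> dict:
    """Return policy.json content with default=reject and the thalesdiscpl rule.

    Other per-registry rules (e.g. registry.redhat.io) are left untouched, and
    the thalesdiscpl scope is overwritten rather than appended, so re-running
    on an already hardened file produces the same result.
    """
    policy = json.loads(json.dumps(policy))           # work on a deep copy
    policy["default"] = [{"type": "reject"}]
    docker = policy.setdefault("transports", {}).setdefault("docker", {})
    docker[REPO] = [SIGNED_BY]
    return policy


def policy_problems(policy: dict) -> list:
    """Lint a policy.json dict. An empty list means nothing accepts unsigned images
    and the thalesdiscpl scope requires a signature by the key at KEY_PATH."""
    problems = []
    if policy.get("default") != [{"type": "reject"}]:
        problems.append("default is not reject")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, rules in scopes.items():
            if any(r.get("type") == "insecureAcceptAnything" for r in rules):
                problems.append(f"{transport} scope {scope!r} accepts unsigned images")
    rules = policy.get("transports", {}).get("docker", {}).get(REPO, [])
    if not any(r.get("type") == "signedBy" and r.get("keyPath") == KEY_PATH for r in rules):
        problems.append(f"no signedBy rule for {REPO}")
    return problems


def registries_d_yaml(sigstore: str = SIGSTORE) -> str:
    """The registries.d fragment from step 7, pointing the scope at the local sigstore."""
    return f"docker:\n  {REPO}:\n    sigstore: file://{sigstore}\n"


def signature_path(sigstore: str, image: str, digest: str) -> Path:
    """Where containers/image reads a signature from a file:// sigstore:
    <sigstore>/<repository without registry host>@<digest, ':' replaced by '='>/signature-1
    """
    repo = image.split("/", 1)[1]                     # docker.io/thalesdiscpl/ccc -> thalesdiscpl/ccc
    return Path(sigstore) / f"{repo}@{digest.replace(':', '=')}" / "signature-1"


def apply(root: Path) -> dict:
    """Rewrite <root>/etc/containers/{policy.json,registries.d/...} and report on the result."""
    policy_file = root / "etc/containers/policy.json"
    policy = json.loads(policy_file.read_text()) if policy_file.exists() else {}
    hardened = harden_policy(policy)
    policy_file.parent.mkdir(parents=True, exist_ok=True)
    policy_file.write_text(json.dumps(hardened, indent=4) + "\n")

    reg_file = root / "etc/containers/registries.d/docker.io-thalesdiscpl.yaml"
    reg_file.parent.mkdir(parents=True, exist_ok=True)
    reg_file.write_text(registries_d_yaml())

    sig = signature_path(str(root / SIGSTORE.lstrip("/")), IMAGE, DIGEST)
    return {
        "policy_problems": policy_problems(hardened),
        "key_present": (root / KEY_PATH.lstrip("/")).is_file(),
        "signature_present": sig.is_file(),
        "signature_expected_at": str(sig),
    }


if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/")
    print(json.dumps(apply(root), indent=2))
```

The lint deliberately reports every insecureAcceptAnything rule it finds, including the docker-daemon scope that stock policy.json files ship with; whether that one is acceptable depends on whether anything on the host loads images from a Docker daemon, so the report lists it rather than silently rewriting it.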