Using a Signed and Verified CCC Container Image
Using signed and verified CCC container images enhances system security and reliability. Signature verification shows that an image was published by the holder of the Thales signing key and has not been altered since, which mitigates supply-chain risks, ensures image integrity, and supports compliance with industry security standards. Follow the procedures below to verify CCC container images and package integrity before deployment.
Verifying Images Pulled from a Docker Repository
Download the CCC package from the Thales Support Portal and extract the public key. Ensure the public key file is available on the system where image verification will be performed. Use only the key shipped in the package; a key obtained from another channel does not give the intended assurance.
Use cosign to verify the signature of every CCC image you intend to pull (the application image and the database image) before proceeding with deployment. cosign fetches the signature from the registry, so the image does not need to be pulled first; a non-zero exit status means verification failed.
cosign verify --key </path/to/public/key/file> <docker_image_name>
Example:
cosign verify --key pub.key docker.io/thalesdiscpl/ccc:app-4.5.0
Pull the required CCC application and database images:
docker pull thalesdiscpl/ccc:app-4.5.0
docker pull thalesdiscpl/ccc:db-4.5.0
Verifying the CCC Package Integrity
Download the CCC package from the Thales Support Portal.
Calculate the checksum of the CCC package archive.
sha256sum 610-012383-026-SW_SERVER_CRYPTO_CMD_CTR_V4.5.0_RevA.tar
Verify that the calculated checksum matches the expected value listed in the sha256sum file.
bd4db7b00cfb94540d1d8c8dc2c6176c7e951fd967f47c9bda8271b48a6ff378
Use the package only if the calculated checksum exactly matches the expected checksum value.
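The two procedures above, combined into one script as an added example; this is not a Thales tool and is not part of the CCC package. It uses the image references, key file name, package file name and expected checksum from this page, and assumes cosign, docker and sha256sum (or shasum) are on PATH. One step goes beyond the page: instead of pulling by tag after verifying, it reads the manifest digest out of the JSON that cosign prints on success and pulls by that digest, so the image deployed is exactly the one whose signature was checked, even if the tag is later re-pointed. The sample cosign output embedded below is constructed to show the shape only; its digest is a placeholder.

```shell
#!/bin/sh
# Added example (not Thales' tooling): checks a CCC release end to end.
# Image names, key file name, package file name and expected checksum are the
# ones this page uses. cosign, docker and sha256sum (or shasum) must be on
# PATH for the live run.
set -eu

# Hex SHA-256 of a file; sha256sum is coreutils, shasum is the macOS fallback.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        shasum -a 256 "$1" | cut -d ' ' -f1
    fi
}

# check_package ARCHIVE EXPECTED_HEX -> 0 only if the archive hashes to
# EXPECTED_HEX. The comparison is exact (after lower-casing), as required.
check_package() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# cosign verify prints the verified signature payload as JSON on stdout (its
# human-readable check list goes to stderr). manifest_digest extracts the
# sha256 manifest digest from that JSON so the pull can be pinned to what was
# verified rather than to a mutable tag. Prints nothing if no digest is found.
manifest_digest() {
    sed -n 's/.*"docker-manifest-digest"[[:space:]]*:[[:space:]]*"\(sha256:[0-9a-f]\{64\}\)".*/\1/p' | head -n 1
}

# image_ref_for_digest REPO:TAG DIGEST -> REPO@DIGEST
# Strips the trailing :tag; assumes the registry host carries no port, which
# holds for the docker.io references on this page.
image_ref_for_digest() {
    printf '%s@%s\n' "${1%:*}" "$2"
}

# Constructed sample of the JSON cosign writes on success (shape only; the
# digest is a placeholder, not a real CCC image digest).
SAMPLE_COSIGN_OUTPUT='[{"critical":{"identity":{"docker-reference":"index.docker.io/thalesdiscpl/ccc"},"image":{"docker-manifest-digest":"sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},"type":"cosign container image signature"},"optional":null}]'

# verify_and_pull KEYFILE IMAGE -> verifies the signature, then pulls by digest.
# Refuses (non-zero) if verification fails or no digest can be read.
verify_and_pull() {
    out=$(cosign verify --key "$1" "$2") || {
        echo "REFUSING $2: signature verification failed" >&2
        return 1
    }
    digest=$(printf '%s\n' "$out" | manifest_digest)
    [ -n "$digest" ] || {
        echo "REFUSING $2: no manifest digest in cosign output" >&2
        return 1
    }
    docker pull "$(image_ref_for_digest "$2" "$digest")"
}

# Live run only when asked for (CCC_VERIFY=1), so the file can also be sourced.
if [ "${CCC_VERIFY:-0}" = "1" ]; then
    check_package 610-012383-026-SW_SERVER_CRYPTO_CMD_CTR_V4.5.0_RevA.tar \
        bd4db7b00cfb94540d1d8c8dc2c6176c7e951fd967f47c9bda8271b48a6ff378 \
        || { echo "REFUSING package: checksum mismatch" >&2; exit 1; }
    for image in docker.io/thalesdiscpl/ccc:app-4.5.0 docker.io/thalesdiscpl/ccc:db-4.5.0; do
        verify_and_pull pub.key "$image"
    done
fi
```

Run it from the directory holding the downloaded package and pub.key with `CCC_VERIFY=1 sh verify-ccc.sh` (the script name is arbitrary). If the sha256sum file shipped with the download is in the two-column `<digest>  <filename>` format, `sha256sum -c <that file>` performs the same package check as check_package. Every refusal path exits non-zero, so the script can gate a deployment pipeline.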
Important Considerations
- Always verify CCC images before deploying them in any environment.
- Do not use images or packages if signature or checksum verification fails.
- Contact Thales Support if verification issues persist.