(Optional) Verify downloaded files and the online image signatures pulled from DockerHub
When deploying ObjectScale, you can verify downloaded signature verification files and the image signatures of the software images to be pulled from DockerHub.
Steps
On a local Linux workstation, verify the signatures file.
openssl dgst -sha256 -verify obs-public-1.3.0.pem -signature ./objectscale-signatures-1.3.0.tgz.signed.bin objectscale-signatures-1.3.0.tgz
When successful, the signature validation returns Verified OK.
Expand the signature bundle files into a signatures subdirectory:
Make a new subdirectory named signatures.
Expand the objectscale-signatures-1.3.0.tgz into this subdirectory.
tar xvf objectscale-signatures-1.3.0.tgz -C signatures
As an example, the output for the 1.3.0 ObjectScale release is shown:
./objectscale-images-1.3.0.tgz.02.signed.bin
./OBJECTSCALE_CE_30TB.xml.signed.bin
./objectscale-images-mgt-1.3.0.sh.signed.bin
./objectscale-images-1.3.0.tgz.05.signed.bin
./obs-public-1.3.0.pem.signed.bin
./objectscale-images-1.3.0.tgz.06.signed.bin
./objectscale-online-image-digests-1.3.0.txt.signed.bin
./dellemc-csi-helm-charts-1.3.0-121.2e006fb.tgz.signed.bin
./objectscale-verify-online-digests-1.3.0.sh.signed.bin
./objectscale-images-1.3.0.tgz.03.signed.bin
./objectscale-images-1.3.0.tgz.04.signed.bin
./objectscale-helm-charts-1.3.0.tgz.signed.bin
./objectscale-manifest-1.3.0.json.signed.bin
./objectscale-images-1.3.0.tgz.00.signed.bin
./objectscale-images-1.3.0.tgz.01.signed.bin
Verify the public key file:
openssl dgst -sha256 -verify obs-public-1.3.0.pem -signature signatures/obs-public-1.3.0.pem.signed.bin obs-public-1.3.0.pem
When successful, the signature validation returns Verified OK.
Once you have validated that the obs-public-1.3.0.pem is valid, you can use that file to verify each of the other downloaded files:
openssl dgst -sha256 -verify obs-public-1.3.0.pem -signature signatures/<SIGNED.BIN_FILENAME> <DOWNLOADED_FILENAME>
For example, to verify the OBJECTSCALE_CE_30TB.xml file, you would use the following command:
openssl dgst -sha256 -verify obs-public-1.3.0.pem -signature signatures/OBJECTSCALE_CE_30TB.xml.signed.bin OBJS_FREE_30TB_5307094_18-Oct-2021.xml
Repeat this process for all other downloaded files.
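The repeated per-file check can be run as one loop. The following script is an added example, not part of the ObjectScale release; the function name verify_all and its three arguments (public key, signatures directory, download directory) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: batch form of the per-file "openssl dgst -verify" step.
# verify_all PUBKEY SIGDIR DOWNLOADDIR   (hypothetical helper, not vendor code)
# Prints one line per signature: "OK name", "FAILED name" or "MISSING name".
# Returns 0 only when every signature verified against a downloaded file.
verify_all() {
    pubkey=$1
    sigdir=$2
    dldir=$3
    rc=0
    for sig in "$sigdir"/*.signed.bin; do
        # An unmatched glob stays literal; treat that as a usage error.
        [ -e "$sig" ] || { echo "no signatures found in $sigdir" >&2; return 2; }
        # The signed name is the signature file name minus ".signed.bin".
        name=$(basename "$sig" .signed.bin)
        file=$dldir/$name
        if [ ! -f "$file" ]; then
            # Some files are downloaded under another name (the license XML
            # in the example above); verify those with the single command.
            echo "MISSING $name"
            rc=1
        elif openssl dgst -sha256 -verify "$pubkey" \
                -signature "$sig" "$file" >/dev/null 2>&1; then
            echo "OK $name"
        else
            # Never deploy a file that reports FAILED.
            echo "FAILED $name"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: sh <this-script> obs-public-1.3.0.pem signatures .
if [ "$#" -eq 3 ]; then
    verify_all "$1" "$2" "$3"
fi
```

Because obs-public-1.3.0.pem is checked against a signature made with the same key, an OK result for it shows only that the downloaded set is self-consistent; trust in the key itself has to come from where it was obtained.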
After verifying the downloaded files, including the public key, verify the image signatures of the software images to be pulled from DockerHub.
Create the netrc file with the required entries in the following format with your DockerHub username and password.
machine auth.docker.io
login <DOCKERHUB-USERNAME>
password <PASSWORD>
Set execute permissions on the script:
chmod +x objectscale-verify-online-digests-1.3.0.sh
Verify the images to be downloaded from DockerHub by running the command:
./objectscale-verify-online-digests-1.3.0.sh <netrc-file>
When successful, the signature validation returns MATCHED.
As an example, the command and output for the ObjectScale 1.3.0 release is shown:
./objectscale-verify-online-digests-1.3.0.sh netrc
objectscale/atlas:2.0.1-24.gdc2ce0c - MATCHED
objectscale/atlas-operator:1.1.0-215.196feb4 - MATCHED
objectscale/csi-baremetal-node:1.3.0-648.59a295a - MATCHED
objectscale/csi-baremetal-node-kernel-5.4:1.3.0-648.59a295a - MATCHED
objectscale/csi-baremetal-controller:1.3.0-648.59a295a - MATCHED
objectscale/csi-baremetal-halmgr:1.3.0-648.59a295a - MATCHED
objectscale/csi-baremetal-basemgr:1.3.0-648.59a295a - MATCHED
objectscale/csi-baremetal-loopbackmgr:1.3.0-648.59a295a - MATCHED
objectscale/csi-baremetal-scheduler-extender:1.3.0-648.59a295a - MATCHED
objectscale/csi-baremetal-scheduler-patcher:1.3.0-648.59a295a - MATCHED
objectscale/csi-baremetal-node-controller:1.3.0-648.59a295a - MATCHED
objectscale/csi-provisioner:v3.1.0 - MATCHED
objectscale/csi-node-driver-registrar:v2.5.0 - MATCHED
objectscale/livenessprobe:v2.6.0 - MATCHED
objectscale/csi-resizer:v1.4.0 - MATCHED
objectscale/kube-scheduler:v0.23.10 - MATCHED
objectscale/csi-baremetal-operator:1.3.0-121.2e006fb - MATCHED
objectscale/csi-baremetal-pre-upgrade-crds:1.3.0-121.2e006fb - MATCHED
objectscale/secondary-scheduler-operator:1.3.0-121.2e006fb - MATCHED
objectscale/dcm:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/decks:3.0.2-406.31bbcb7 - MATCHED
objectscale/supportassist-ese-notifier:3.0.2-406.31bbcb7 - MATCHED
objectscale/ese-callback:3.0.2-406.31bbcb7 - MATCHED
objectscale/decks-support-store:3.0.2-406.31bbcb7 - MATCHED
objectscale/telemetry-upload:3.0.2-406.31bbcb7 - MATCHED
objectscale/dell-supportassist-ese:3.0.2-406.31bbcb7 - MATCHED
objectscale/base-service-tools:3.0.2-406.31bbcb7 - MATCHED
objectscale/ecs-flex-graphql:1.3.0-1174.2e6d1085 - MATCHED
objectscale/objectscale-portal:1.3.0-310.74d790a2 - MATCHED
objectscale/fabric-proxy:1.3.1-53.0a30b8c - MATCHED
objectscale/iamsvc:3.8.5.0-p3.139574.ac3145de1f6 - MATCHED
objectscale/kahm:2.113.2-265.4a07fa1 - MATCHED
objectscale/kahm-testapp:2.113.2-265.4a07fa1 - MATCHED
objectscale/mock-notifier:2.113.2-265.4a07fa1 - MATCHED
objectscale/snmp-notifier:2.113.2-265.4a07fa1 - MATCHED
objectscale/management-gateway:1.3.0-388.a27f3b4 - MATCHED
objectscale/influxdb:3.8.5.0-1633.83a83598 - MATCHED
objectscale/telegraf:3.8.5.0-1633.83a83598 - MATCHED
objectscale/fluxd:3.8.5.0-1633.83a83598 - MATCHED
objectscale/grafana:3.8.5.0-1633.83a83598 - MATCHED
objectscale/throttler:3.8.5.0-1633.83a83598 - MATCHED
objectscale/rsyslog:3.8.5.0-1633.83a83598 - MATCHED
objectscale/nginx:3.8.5.0-1633.83a83598 - MATCHED
objectscale/prometheus:3.8.5.0-1633.83a83598 - MATCHED
objectscale/statefuldaemonset-operator:3.8.5.0-1633.83a83598 - MATCHED
objectscale/logging-injector:3.8.5.0-1633.83a83598 - MATCHED
objectscale/influxdb-operator:3.8.5.0-1633.83a83598 - MATCHED
objectscale/fluent-bit:3.8.5.0-1633.83a83598 - MATCHED
objectscale/confd-sidecar:3.8.5.0-1633.83a83598 - MATCHED
objectscale/dellmon-pre-upgrade-crds:3.8.5.0-1633.83a83598 - MATCHED
objectscale/blob-service:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/chunk-manager:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/storageserver:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/storageserver-manager:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/event-service:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/object-heads:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/diagnostic-service:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/geo-receiver:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/geoservice:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/object-control:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/record-manager:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/rep:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/resource-service:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/metering:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/space-reclaimer:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/control-service:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/storagemanagement-service:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/ons:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/nds:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/objmt:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/vnest:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/dtsm:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/nvmeengine:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/nvmetargetviewer:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/targetmgr:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/targetcfg:3.8.5.0-p3.139575.5eee936b537 - MATCHED
objectscale/fedsvc:3.7.0.0-394.c64e8f82 - MATCHED
objectscale/objectscale-gateway:3.7.0.0-394.c64e8f82 - MATCHED
objectscale/objectscale-component-pre-update:1.3.0-351.adb9679 - MATCHED
objectscale/objectscale-manager-pre-update:1.3.0-351.adb9679 - MATCHED
objectscale/objectstore-connectivity:1.3.0-351.adb9679 - MATCHED
objectscale/objectstore-pre-update:1.3.0-351.adb9679 - MATCHED
objectscale/objectscale-inventory:1.3.0-351.adb9679 - MATCHED
objectscale/objectscale-insideiq:1.3.0-351.adb9679 - MATCHED
objectscale/objectscale-health:1.3.0-351.adb9679 - MATCHED
objectscale/objectscale-capacity:1.3.0-351.adb9679 - MATCHED
objectscale/objectscale-performance:1.3.0-351.adb9679 - MATCHED
objectscale/objectscale-license-usage:1.3.0-351.adb9679 - MATCHED
objectscale/objectscale-lcm:1.3.0-254.437c960 - MATCHED
objectscale/objectscale-operator:1.3.0-1188.f06d298d - MATCHED
objectscale/objectscale-restapi:1.3.0-144.697e704 - MATCHED
objectscale/object-service:3.8.5.0-p3.3524.1ea669c90 - MATCHED
objectscale/pravega-operator:0.5.7-309-5fc87406 - MATCHED
objectscale/crunchy-upgrade:ubi8-5.1.2-0 - MATCHED
objectscale/crunchy-pgbackrest:ubi8-2.38-2 - MATCHED
objectscale/crunchy-pgadmin4:ubi8-4.30-2 - MATCHED
objectscale/crunchy-postgres:ubi8-14.4-0 - MATCHED
objectscale/crunchy-pgbouncer:ubi8-1.16-4 - MATCHED
objectscale/crunchy-postgres-exporter:ubi8-5.1.2-0 - MATCHED
objectscale/postgres-operator:ubi8-5.2.0-114.c95664e-226 - MATCHED
objectscale/postgres-operator-upgrade:ubi8-5.1.2-0 - MATCHED
objectscale/objectscale-service-tools:2.96.0-389.6795989 - MATCHED
objectscale/cmf-switch:0.6.0-389.6795989 - MATCHED
objectscale/kubectl:v1.25.7 - MATCHED
objectscale/zookeeper:0.2.14-256-adadecf - MATCHED
objectscale/zookeeper-operator:0.2.14-256-adadecf - MATCHED
objectscale/install-controller:1.3.0-4196 - MATCHED
objectscale/objs-pre-upgrade-crds:1.3.0-4196 - MATCHED
objectscale/install-controller:1.3.0 - MATCHED
Results
Image signature validation is completed.