Using a Signed and Verified CCC Container Image
Using signed and verified CCC container images significantly improves the security and reliability of the system. Image signature verification helps mitigate supply-chain risks, ensures image integrity, builds user trust, and supports compliance with industry security standards. Follow the procedures below to verify CCC container images and package integrity before deployment.
Verifying Images Pulled from a Docker Repository
Download the CCC package from the Thales Support Portal and extract the public key. Ensure the public key file is available on the system where image verification will be performed.
Use cosign to verify the CCC image signature before proceeding with deployment.
cosign verify --key </path/to/public/key/file> <docker_image_name>
Example:
cosign verify --key pub.key docker.io/thalesdiscpl/ccc:app-4.5.0
Pull the required CCC application and database images:
docker pull thalesdiscpl/ccc:app-4.5.0
docker pull thalesdiscpl/ccc:db-4.5.0
Verifying CCC Package Images
Download the CCC package from the Thales Support Portal.
Extract the downloaded CCC package archive:
tar -xvf <ccc_package_name>.tar
Verify that the calculated checksum matches the expected value listed in the sha256sum file:
df24accdf76e03fb1b6cf6f0081f511aa55b15e1884cbdc907603f6e0934b130
Use the package only if the calculated checksum exactly matches the expected checksum value.
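The two checks above (the cosign signature verification of a pulled image and the SHA-256 checksum comparison for the extracted package) can be combined into a single pre-deployment gate. The script below is an added example, not Thales' own tooling; it assumes the sha256sum file contains either a bare hex digest or a "<digest>  <filename>" line as written by sha256sum(1), that cosign is on PATH, and that the script is given the package file, the sha256sum file, the public key file and the image reference as arguments. A missing cosign binary is treated as a failed verification rather than a skipped one, and docker pull is only reached when both checks pass.

```shell
#!/bin/sh
# Added example (not part of the CCC package): refuse to deploy a CCC image
# unless the package checksum and the image signature both verify.
# Assumptions: sha256sum file holds a bare digest or "<digest>  <file>" line;
# cosign is installed; arguments are <package.tar> <sha256sum_file> <pub.key> <image>.
set -u

# Compute the SHA-256 digest of a file using coreutils sha256sum, or shasum
# where sha256sum is unavailable (e.g. macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_package_checksum <file> <sha256sum_file>
# Returns 0 only when the computed digest equals the expected digest exactly.
verify_package_checksum() {
    file=$1
    sumfile=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 1; }
    # The first whitespace-separated field is the digest in both accepted layouts.
    expected=$(head -n1 "$sumfile" | awk '{print tolower($1)}')
    case "$expected" in
        ""|*[!0-9a-f]*) echo "malformed digest in $sumfile" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest is not 64 hex characters" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $file"
        return 0
    fi
    echo "checksum MISMATCH for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# verify_image_signature <public_key_file> <image_ref>
# Wraps 'cosign verify --key'. A missing cosign binary or key file is a
# failure, never a silent skip.
verify_image_signature() {
    key=$1
    image=$2
    command -v cosign >/dev/null 2>&1 || { echo "cosign not installed; refusing to deploy unverified image" >&2; return 1; }
    [ -f "$key" ] || { echo "missing public key: $key" >&2; return 1; }
    if cosign verify --key "$key" "$image" >/dev/null 2>&1; then
        echo "signature OK: $image"
        return 0
    fi
    echo "signature verification FAILED for $image" >&2
    return 1
}

# Deployment gate: pull the image only after both checks succeed.
main() {
    if [ "$#" -ne 4 ]; then
        echo "usage: $0 <package.tar> <sha256sum_file> <public_key> <image_ref>" >&2
        return 2
    fi
    verify_package_checksum "$1" "$2" || return 1
    verify_image_signature "$3" "$4" || return 1
    docker pull "$4"
}

# Run the gate only when invoked with arguments (the functions can also be sourced).
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Invoked as `./verify_ccc.sh ccc-4.5.0.tar sha256sum pub.key docker.io/thalesdiscpl/ccc:app-4.5.0` (constructed file names), the script exits non-zero and never pulls if either the digest differs by a single byte or cosign rejects the signature; the checksum comparison is an exact string match, so a sha256sum file that has been edited to a malformed or truncated digest is rejected too.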
Important Considerations
- Always verify CCC images before deploying them in any environment.
- Do not use images or packages if signature or checksum verification fails.
- Contact Thales Support if verification issues persist.