Verify Dynatrace image signatures

In the contemporary landscape, supply chain attacks have become a prevalent threat vector. Our approach to countering this risk involves delivering immutable and signed images, which serve as the cornerstone for bolstering security measures.

This page outlines the process of verifying Dynatrace image signatures, thereby establishing authenticity and safeguarding software integrity.

Prerequisites

Before you begin, be sure to meet the following prerequisites:

  • required Cosign for image signature verification
  • required Read access to Dynatrace image repositories when using a private registry

Verify image signatures using Cosign

The following sections describe how Dynatrace image signatures can be verified using Cosign. For simplicity, all examples reference Dynatrace component repositories on public Amazon ECR, but are valid and applicable to any registry holding Dynatrace images.

If you are looking for alternatives to Amazon ECR, see Supported public registries.

Image signing is only performed on Dynatrace images of supported public registries. Images on the Dynatrace built-in registry are not signed.

Dynatrace signs images with Cosign, but only signing data for Dynatrace Operator is uploaded to the public Sigstore transparency log. This allows standard verification for the Operator. For other images, the --insecure-ignore-tlog flag is required during verification.

Dynatrace Operator

Dynatrace Operator is an open-source project hosted and built on GitHub. As a consequence, signing and verification slightly differs from other Dynatrace components.

Dynatrace ActiveGate

The following command shows how to verify the Dynatrace ActiveGate image signature using the public key from ca.dynatrace.com:

cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
public.ecr.aws/dynatrace/dynatrace-activegate:<tag>

Dynatrace Code Modules

The following command shows how to verify the Dynatrace Code Modules image signature using the public key from ca.dynatrace.com:

cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
public.ecr.aws/dynatrace/dynatrace-codemodules:<tag>

Dynatrace OneAgent

The following command shows how to verify the Dynatrace OneAgent image signature using the public key from ca.dynatrace.com:

cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
public.ecr.aws/dynatrace/dynatrace-oneagent:<tag>

Dynatrace Kubernetes Node Configuration Collector

The following command shows how to verify the Dynatrace Kubernetes Node Configuration Collector image signature using the public key from ca.dynatrace.com:

cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector:<tag>

Verify Software Bill of Materials (SBOM) Attestation

Attestations enable users to confirm that a Software Bill of Materials (SBOM) comes from a trusted source in the software supply chain. By trusting the container image producer's declaration of the included software, users can safely integrate the SBOM into their workflows.

Dynatrace Operator

Use the following command to verify the Software Bill of Materials (SBOM) attestation1 of a Dynatrace Operator2 image:

cosign verify-attestation \
--certificate-identity-regexp 'https://github\.com/Dynatrace/dynatrace-operator/\.github/workflows/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--type cyclonedx \
public.ecr.aws/dynatrace/dynatrace-operator:<tag>
1

Supported from Dynatrace Operator version 0.12.0.

2

Dynatrace Operator image is available on Amazon ECR from version 1.0.0. For more information, see supported public registries.

The SBOM in CycloneDX format can be extracted from the in-toto attestation by extending the command from above with jq3 filters:

cosign verify-attestation \
--certificate-identity-regexp 'https://github\.com/Dynatrace/dynatrace-operator/\.github/workflows/.+' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--type cyclonedx \
public.ecr.aws/dynatrace/dynatrace-operator:<tag> | \
jq '.payload | @base64d | fromjson | .predicate' > sbom.json
3

The jq CLI is a useful tool for working with JSON.

Executing the command creates the sbom.json file in the local file system, containing the SBOM of the Dynatrace Operator image.

Dynatrace ActiveGate

ActiveGate version 1.303+

Use the following command to verify the Software Bill of Materials (SBOM) attestation of a Dynatrace ActiveGate image. Make sure to specify the desired CPU architecture. Options are amd64, arm64, and s390x.

digest=$(docker manifest inspect public.ecr.aws/dynatrace/dynatrace-activegate:<tag> | \
jq -r '.manifests[] | select(.platform.architecture=="amd64") | .digest')
cosign verify-attestation --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub --type cyclonedx \
public.ecr.aws/dynatrace/dynatrace-activegate@$digest

The SBOM in CycloneDX format can be extracted from the in-toto attestation by extending the command from above with jq1 filters:

cosign verify-attestation --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub --type cyclonedx \
public.ecr.aws/dynatrace/dynatrace-activegate@$digest | \
jq '.payload | @base64d | fromjson | .predicate' > sbom.json
1

The jq CLI is a useful tool for working with JSON.

Executing the command creates the sbom.json file in the local file system, containing the SBOM of the Dynatrace ActiveGate image.