Supply chain attacks have become a prevalent threat vector. Our approach to countering this risk is to deliver immutable, signed images, so that the origin and integrity of every image can be checked before it is deployed.
This page describes how to verify Dynatrace image signatures and SBOM attestations, establishing authenticity and safeguarding software integrity.
Before you begin, be sure to meet the following prerequisites:
The following sections describe how Dynatrace image signatures can be verified using Cosign. For simplicity, all examples reference Dynatrace component repositories on public Amazon ECR, but are valid and applicable to any registry holding Dynatrace images.
If you are looking for alternatives to Amazon ECR, see Supported public registries.
Image signing is only performed on Dynatrace images of supported public registries. Images on the Dynatrace built-in registry are not signed.
Dynatrace signs images with Cosign, but only the signing data for Dynatrace Operator is uploaded to the public Sigstore transparency log (Rekor). The Operator can therefore be verified with the standard keyless checks. For all other images, the --insecure-ignore-tlog flag is required during verification: it skips the transparency-log inclusion check, so trust rests entirely on the Dynatrace public key and on the HTTPS channel you fetch it from. Pinning a locally stored copy of that key, rather than downloading it on every run, removes the download from the trust path of each verification.
Dynatrace Operator is an open-source project hosted and built on GitHub, so its signing and verification differ slightly from other Dynatrace components: the attestation is verified against the GitHub Actions workflow identity and OIDC issuer rather than against a static key.
The following command shows how to verify the Dynatrace ActiveGate image signature using the public key from ca.dynatrace.com:
cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
  public.ecr.aws/dynatrace/dynatrace-activegate:<tag>
The following command shows how to verify the Dynatrace Code Modules image signature using the public key from ca.dynatrace.com:
cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
  public.ecr.aws/dynatrace/dynatrace-codemodules:<tag>
The following command shows how to verify the Dynatrace OneAgent image signature using the public key from ca.dynatrace.com:
cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
  public.ecr.aws/dynatrace/dynatrace-oneagent:<tag>
The following command shows how to verify the Dynatrace Kubernetes Node Configuration Collector image signature using the public key from ca.dynatrace.com:
cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
  public.ecr.aws/dynatrace/dynatrace-k8s-node-config-collector:<tag>
Attestations enable users to confirm that a Software Bill of Materials (SBOM) comes from a trusted source in the software supply chain. By trusting the container image producer's declaration of the included software, users can safely integrate the SBOM into their workflows.
Use the following command to verify the Software Bill of Materials (SBOM) attestation of a Dynatrace Operator image. SBOM attestations are supported from Dynatrace Operator version 0.12.0; the Dynatrace Operator image is available on Amazon ECR from version 1.0.0 (for more information, see Supported public registries).
cosign verify-attestation \
  --certificate-identity-regexp 'https://github\.com/Dynatrace/dynatrace-operator/\.github/workflows/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --type cyclonedx \
  public.ecr.aws/dynatrace/dynatrace-operator:<tag>
The SBOM in CycloneDX format can be extracted from the in-toto attestation by extending the command from above with jq filters (the jq CLI is a useful tool for working with JSON):
cosign verify-attestation \
  --certificate-identity-regexp 'https://github\.com/Dynatrace/dynatrace-operator/\.github/workflows/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --type cyclonedx \
  public.ecr.aws/dynatrace/dynatrace-operator:<tag> | \
  jq '.payload | @base64d | fromjson | .predicate' > sbom.json
Executing the command creates the sbom.json file in the local file system, containing the SBOM of the Dynatrace Operator image.
ActiveGate version 1.303+
Use the following command to verify the Software Bill of Materials (SBOM) attestation of a Dynatrace ActiveGate image. The command verifies a platform-specific image by digest, so first resolve the digest for the desired CPU architecture. Options are amd64, arm64, and s390x.
digest=$(docker manifest inspect public.ecr.aws/dynatrace/dynatrace-activegate:<tag> | \
  jq -r '.manifests[] | select(.platform.architecture=="amd64") | .digest')
cosign verify-attestation --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub --type cyclonedx \
  public.ecr.aws/dynatrace/dynatrace-activegate@$digest
The SBOM in CycloneDX format can be extracted from the in-toto attestation by extending the command from above with jq filters (the jq CLI is a useful tool for working with JSON):
cosign verify-attestation --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub --type cyclonedx \
  public.ecr.aws/dynatrace/dynatrace-activegate@$digest | \
  jq '.payload | @base64d | fromjson | .predicate' > sbom.json
Executing the command creates the sbom.json file in the local file system, containing the SBOM of the Dynatrace ActiveGate image.
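The flow on this page, as an added example that is not part of the page and not Dynatrace's own code: one Python script that serves both the signature-verification commands above (choosing the keyless flags for the Operator and the pinned key with --insecure-ignore-tlog for the other components) and the SBOM steps here (resolving the per-architecture digest from docker manifest inspect output, then decoding the DSSE envelopes that cosign verify-attestation prints, which is what the jq filter does). Everything not on the page is an assumption: the image-reference regex, the predicateType the script expects cosign to emit for --type cyclonedx, and the constructed manifest list and envelopes used as offline sample data (they carry no real Dynatrace digests). Two checks it adds that the jq filter does not: the in-toto statement's subject digest must equal the digest that was handed to cosign, and the script refuses to guess a verification policy for repositories it does not recognise.

```python
"""Added example (not Dynatrace code): the verification flow of this page in one
script. Resolve a per-architecture digest from `docker manifest inspect`, build
the cosign invocation with the trust flags each component requires, and extract
the CycloneDX SBOM from the DSSE envelopes cosign prints. Flag values are taken
from the page; IMAGE_RE, CYCLONEDX_TYPE and the data marked "constructed" are
the author's assumptions."""
from __future__ import annotations

import base64
import json
import re
import subprocess

PUBKEY = "https://ca.dynatrace.com/v1/cosign.pub"  # better: path to a locally pinned copy
OPERATOR_ID_RE = r"https://github\.com/Dynatrace/dynatrace-operator/\.github/workflows/.+"
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
KEYLESS = {"dynatrace-operator"}  # signing data is in the Sigstore transparency log
KEY_SIGNED = {"dynatrace-activegate", "dynatrace-codemodules",
              "dynatrace-oneagent", "dynatrace-k8s-node-config-collector"}
CYCLONEDX_TYPE = "https://cyclonedx.org/bom"  # assumed predicateType for --type cyclonedx
# name[:tag][@sha256:digest]; non-greedy name tolerates registry ports, tag charset per OCI
IMAGE_RE = re.compile(r"^(?P<name>.+?)(?::(?P<tag>\w[\w.-]{0,127}))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")


def select_digest(manifest_list_json: str, arch: str, os: str = "linux") -> str:
    """Digest of the single-platform manifest for os/arch in a manifest list.
    Filtering on os as well skips buildx attestation manifests (unknown/unknown)."""
    hits = [m["digest"] for m in json.loads(manifest_list_json)["manifests"]
            if m.get("platform", {}).get("architecture") == arch
            and m.get("platform", {}).get("os") == os]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one {os}/{arch} manifest, found {len(hits)}")
    return hits[0]


def build_command(image: str, attestation: bool = False, key: str = PUBKEY) -> list[str]:
    """argv for cosign verify / verify-attestation: keyless against the GitHub workflow
    identity for the Operator, pinned key without transparency log for the other
    components, and a refusal for anything else (e.g. the unsigned built-in registry)."""
    m = IMAGE_RE.match(image)
    if not m or not (m["tag"] or m["digest"]):
        raise ValueError(f"image reference must carry a tag or digest: {image}")
    repo = m["name"].rsplit("/", 1)[-1]
    cmd = ["cosign", "verify-attestation" if attestation else "verify"]
    if repo in KEYLESS:
        cmd += ["--certificate-identity-regexp", OPERATOR_ID_RE,
                "--certificate-oidc-issuer", GITHUB_ISSUER]
    elif repo in KEY_SIGNED:
        cmd += ["--key", key, "--insecure-ignore-tlog"]
    else:
        raise ValueError(f"no signing policy known for {repo!r}; refusing to guess")
    if attestation:
        cmd += ["--type", "cyclonedx"]
    return cmd + [image]


def extract_sboms(cosign_output: str, expected_digest: str) -> list[dict]:
    """Decode each DSSE envelope line (what the page's jq filter does) and keep only
    CycloneDX statements whose subject digest is the digest that was just verified."""
    algo, _, hexdigest = expected_digest.partition(":")
    sboms = []
    for line in filter(None, map(str.strip, cosign_output.splitlines())):
        env = json.loads(line)
        if env.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
        stmt = json.loads(base64.b64decode(env["payload"]))
        if stmt.get("predicateType") != CYCLONEDX_TYPE:
            continue
        if any(s.get("digest", {}).get(algo) == hexdigest for s in stmt.get("subject", [])):
            sboms.append(stmt["predicate"])
    return sboms


def verified_sboms(image_name: str, tag: str, arch: str) -> list[dict]:
    """Network path (needs docker and cosign): manifest -> digest -> cosign -> SBOM."""
    run = lambda argv: subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    digest = select_digest(run(["docker", "manifest", "inspect", f"{image_name}:{tag}"]), arch)
    return extract_sboms(run(build_command(f"{image_name}@{digest}", attestation=True)), digest)


# Constructed sample data (not real Dynatrace digests) so the helpers run offline.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_MANIFEST_LIST = json.dumps({"schemaVersion": 2, "manifests": [
    {"digest": SAMPLE_DIGEST, "platform": {"architecture": "amd64", "os": "linux"}},
    {"digest": "sha256:" + "cd" * 32, "platform": {"architecture": "arm64", "os": "linux"}},
    {"digest": "sha256:" + "ef" * 32, "platform": {"architecture": "unknown", "os": "unknown"}},
]})


def _envelope(digest: str, predicate_type: str, predicate: dict) -> str:
    """Constructed DSSE envelope in the shape cosign verify-attestation prints."""
    stmt = {"_type": "https://in-toto.io/Statement/v0.1", "predicateType": predicate_type,
            "subject": [{"name": "public.ecr.aws/dynatrace/dynatrace-activegate",
                         "digest": {"sha256": digest.split(":")[1]}}],
            "predicate": predicate}
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": base64.b64encode(json.dumps(stmt).encode()).decode(),
                       "signatures": [{"keyid": "", "sig": "c2ln"}]})


SAMPLE_OUTPUT = "\n".join([
    _envelope(SAMPLE_DIGEST, CYCLONEDX_TYPE, {"bomFormat": "CycloneDX", "components": []}),
    _envelope("sha256:" + "cd" * 32, CYCLONEDX_TYPE,
              {"bomFormat": "CycloneDX", "components": [{"name": "arm64-only"}]}),
])

if __name__ == "__main__":
    print(" ".join(build_command("public.ecr.aws/dynatrace/dynatrace-activegate@" + SAMPLE_DIGEST,
                                 attestation=True)))
    print(json.dumps(extract_sboms(SAMPLE_OUTPUT, SAMPLE_DIGEST)[0]))
```

With docker and cosign installed, verified_sboms("public.ecr.aws/dynatrace/dynatrace-activegate", "<tag>", "amd64") runs the live flow. In a CI or admission gate, pass a locally pinned key file as key= instead of the URL so that a verification never depends on a fresh download of the public key, and treat an empty list from extract_sboms as a failure: cosign accepted the signature, but the attestation did not describe the digest you resolved.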