Verify Dynatrace Operator image and SBOM
Verify Dynatrace Operator image signature
The procedure for verifying the image signature depends on the Dynatrace Operator version you're running.
Dynatrace Operator version 0.11.0+
Select one of the following options.
Dynatrace Operator version 0.10.4 or earlier
Select one of the following options:
Check the Software Bill of Materials (SBOM)
Dynatrace Operator version 0.12.0+
To check the Software Bill of Materials (SBOM) of a Dynatrace Operator image, use Cosign to verify the attestation and retrieve the signed SBOM.
Run the following command to get the signed SBOM.

    cosign verify-attestation \
      --certificate-identity=https://github.com/Dynatrace/dynatrace-operator/.github/workflows/release.yaml@refs/tags/<version> \
      --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
      --type cyclonedx docker.io/dynatrace/dynatrace-operator:<version> \
      | jq -r .payload | base64 -d | jq -r .predicate > sbom.json

This creates the file sbom.json in your local file system with the SBOM of the operator image.
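The jq pipeline above takes whatever payload cosign prints and keeps its predicate. The following added example (not part of the Dynatrace documentation) does the same unwrapping in Python and also checks that the in-toto statement is a CycloneDX attestation bound to the image digest you expect. It assumes its input is the stdout of a cosign verify-attestation run that already succeeded; the function names, placeholder digests and sample envelopes are constructed for illustration.

```python
import base64
import json

INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
CYCLONEDX_PREDICATE = "https://cyclonedx.org/bom"  # predicateType for --type cyclonedx


def extract_sbom(cosign_stdout: str, expected_sha256: str) -> dict:
    """Return the CycloneDX predicate bound to expected_sha256.

    cosign prints one JSON envelope per verified attestation, so every line is
    inspected instead of assuming a single object.
    """
    for line in cosign_stdout.splitlines():
        if not line.strip():
            continue
        envelope = json.loads(line)
        if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
            continue
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if statement.get("predicateType") != CYCLONEDX_PREDICATE:
            continue
        digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
        if expected_sha256 in digests:
            return statement["predicate"]
    raise ValueError("no CycloneDX attestation for the expected image digest")


def sample_envelope(sha256: str, predicate: dict, predicate_type: str = CYCLONEDX_PREDICATE) -> str:
    """Build a constructed envelope line for the demo (not real cosign output)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "docker.io/dynatrace/dynatrace-operator", "digest": {"sha256": sha256}}],
        "predicate": predicate,
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []})


# Constructed sample data: placeholder digests and minimal CycloneDX documents.
WANTED, OTHER = "a" * 64, "b" * 64
SAMPLE_STDOUT = "\n".join([
    sample_envelope(OTHER, {"bomFormat": "CycloneDX", "components": [{"name": "wrong-image"}]}),
    sample_envelope(WANTED, {"note": "not an SBOM"}, "https://example.invalid/other"),
    sample_envelope(WANTED, {"bomFormat": "CycloneDX", "components": [{"name": "example-lib"}]}),
])

if __name__ == "__main__":
    print(json.dumps(extract_sbom(SAMPLE_STDOUT, WANTED), indent=2))
```

The script only parses the envelopes; signature and certificate checks remain the job of cosign verify-attestation, whose exit status should be checked before the output is used.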