Verify Dynatrace image signatures
In the contemporary landscape, supply chain attacks have become a prevalent threat vector. Our approach to countering this risk involves delivering immutable and signed images, which serve as the cornerstone for bolstering security measures.
This page outlines the process of verifying Dynatrace image signatures, thereby establishing authenticity and safeguarding software integrity.
Prerequisites
Before you begin, be sure to meet the following prerequisites:
- required Cosign for image signature verification
- required Read access to Dynatrace image repositories when using a private registry
Verify image signatures using Cosign
The following sections describe how Dynatrace image signatures can be verified using Cosign. For simplicity, all examples reference Dynatrace component repositories on public Amazon ECR, but are valid and applicable to any registry holding Dynatrace images.
If you are looking for alternatives to Amazon ECR, see Supported public registries.
Image signing is only performed on Dynatrace images of supported public registries. Images on the Dynatrace built-in registry are not signed.
Dynatrace Operator
Dynatrace Operator is an open-source project hosted and built on GitHub. As a consequence, signing and verification slightly differs from other Dynatrace components.
Dynatrace ActiveGate
The following command shows how to verify the Dynatrace ActiveGate image signature using the public key from ca.dynatrace.com:
cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \public.ecr.aws/dynatrace/dynatrace-activegate:<tag>
Dynatrace Code Modules
The following command shows how to verify the Dynatrace Code Modules image signature using the public key from ca.dynatrace.com:
cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \public.ecr.aws/dynatrace/dynatrace-codemodules:<tag>
Dynatrace OneAgent
The following command shows how to verify the Dynatrace OneAgent image signature using the public key from ca.dynatrace.com:
cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \public.ecr.aws/dynatrace/dynatrace-oneagent:<tag>
Image signing
While the Dynatrace Operator project already uses Cosign v2 for image signing, other Dynatrace component images are signed using Cosign v1. As support for transparency log was experimental in Cosign v1, the --insecure-ignore-tlog flag is required for verification.
Verify Software Bill of Materials (SBOM) Attestation
Attestations enable users to confirm that a Software Bill of Materials (SBOM) comes from a trusted source in the software supply chain. By trusting the container image producer's declaration of the included software, users can safely integrate the SBOM into their workflows.
Dynatrace Operator
Use the following command to verify the Software Bill of Materials (SBOM) attestation1 of a Dynatrace Operator2 image:
cosign verify-attestation \--certificate-identity-regexp 'https://github\.com/Dynatrace/dynatrace-operator/\.github/workflows/.+' \--certificate-oidc-issuer https://token.actions.githubusercontent.com \--type cyclonedx \public.ecr.aws/dynatrace/dynatrace-operator:<tag>
Supported from Dynatrace Operator version 0.12.0.
Dynatrace Operator image is available on Amazon ECR from version 1.0.0. For more information, see supported public registries.
The SBOM in CycloneDX format can be extracted from the in-toto attestation by extending the command from above with jq3 filters:
cosign verify-attestation \--certificate-identity-regexp 'https://github\.com/Dynatrace/dynatrace-operator/\.github/workflows/.+' \--certificate-oidc-issuer https://token.actions.githubusercontent.com \--type cyclonedx \public.ecr.aws/dynatrace/dynatrace-operator:<tag> | \jq '.payload | @base64d | fromjson | .predicate' > sbom.json
The jq CLI is a useful tool for working with JSON.
Executing the command creates the sbom.json file in the local file system, containing the SBOM of the Dynatrace Operator image.