folkslinux
/
CBL-Mariner
mirror of https://github.com/microsoft/CBL-Mariner.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add ISO image verification instructions (#4667)

This commit is contained in:
Olivia Crain 2023-01-23 11:05:31 -08:00 committed by GitHub
parent 04dbe506ab
commit e377712319
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 52 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
README.md
View File

@ -16,24 +16,30 @@ Whether deployed as a container or a container host, CBL-Mariner consumes limite
When security vulnerabilities arise, CBL-Mariner supports both a package-based update model and an image based update model. Leveraging the common [RPM Package Manager](https://rpm.org/) system, CBL-Mariner makes the latest security patches and fixes available for download with the goal of fast turn-around times.
# Getting Started with CBL-Mariner:
Build
## Getting Started with CBL-Mariner
### Build
Instructions for building CBL-Mariner may be found here: [Toolkit Documentation](./toolkit/README.md).
ISO
You can try CBL-Mariner with the following ISO Image:
### ISO
You can try CBL-Mariner with the following ISO images:
- [Mariner 2.0 x86_64 ISO](https://aka.ms/mariner-2.0-x86_64-iso).
- [Mariner 1.0 x86_64 ISO](https://aka.ms/mariner-1.0-x86_64-iso).
After downloading the ISO, use these instructions to install and use in a Hyper-V VM.
Before using a downloaded ISO, [verify the checksum and signature of the image](toolkit/docs/security/iso-image-verification.md).
After downloading the ISO, use [the quickstart instructions](toolkit/docs/quick_start/quickstart.md) to install and use the image in a Hyper-V VM.
Note: Support for the ISO is community based. Before filing a new bug or feature request, please search the list of Github Issues. If you are unable to find a matching issue, please report new bugs by clicking [here](https://github.com/microsoft/CBL-Mariner/issues) or create a new feature request by clicking [here](https://github.com/microsoft/CBL-Mariner/issues/new). For additional information refer to the [support.md](https://github.com/microsoft/CBL-Mariner/blob/2.0/SUPPORT.md) file.
# Trademarks
## Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
# Acknowledgments
## Acknowledgments
Any Linux distribution, including CBL-Mariner, benefits from contributions by the open software community. We gratefully acknowledge all contributions made from the broader open source community, in particular:

31
toolkit/docs/security/iso-image-verification.md Normal file
View File

@ -0,0 +1,31 @@
# Verifying pre-built ISO image
| Release Branch | ISO Image | SHA-256 Checksum File | Checksum Signature |
| -------------- | --------- | --------------------- | ------------------ |
| 1.0 | <https://aka.ms/mariner-1.0-x86_64-iso> | <https://aka.ms/mariner-1.0-x86_64-iso-checksum> | <https://aka.ms/mariner-1.0-x86_64-iso-checksum-signature> |
| 2.0 | <https://aka.ms/mariner-2.0-x86_64-iso> | <https://aka.ms/mariner-2.0-x86_64-iso-checksum> | <https://aka.ms/mariner-2.0-x86_64-iso-checksum-signature> |
Once the ISO image, the checksum, and the checksum signature files are downloaded, it is strongly recommended that the integrity of the image is verified. This is a two-step process. First, ensure that the checksum file has not been tampered with by verifying the signature against Mariner's RPM signing public key. Second, check that the ISO image was not corrupted during the download. The following bash script shows the commands necessary to check both steps:
```bash
# Assumption: we are in the directory containing the downloaded files
# Replace "1.0" in these variables with the release branch being verified
CHECKSUM_FILE="mariner-1.0-x86_64.iso.sha256"
SIGNATURE_FILE="mariner-1.0-x86_64.iso.sha256.gpg"
# Download the Mariner RPM signing public key
wget https://raw.githubusercontent.com/microsoft/CBL-Mariner/2.0/SPECS/mariner-repos/MICROSOFT-RPM-GPG-KEY
# Import the RPM signing public key into the local GPG keystore
gpg --import MICROSOFT-RPM-GPG-KEY
# Verify that the checksum file was produced by the Mariner team
# The output of this command should contain the following string:
# 'Good signature from "Mariner RPM Release Signing <marinerrpmprod@microsoft.com>"'
gpg --verify "$SIGNATURE_FILE" "$CHECKSUM_FILE"
# Verify that the ISO image checksum matches the expected checksum
# We need to fix the line endings on the signature file to get sha256sum to accept it
dos2unix "$SIGNATURE_FILE"
sha256sum --check "$CHECKSUM_FILE"
```