Add ISO image verification instructions (#4667)
parent
04dbe506ab
commit
e377712319
20
README.md
|
@ -16,24 +16,30 @@ Whether deployed as a container or a container host, CBL-Mariner consumes limite
|
|||
|
||||
When security vulnerabilities arise, CBL-Mariner supports both a package-based update model and an image based update model. Leveraging the common [RPM Package Manager](https://rpm.org/) system, CBL-Mariner makes the latest security patches and fixes available for download with the goal of fast turn-around times.
|
||||
|
||||
# Getting Started with CBL-Mariner:
|
||||
Build
|
||||
## Getting Started with CBL-Mariner
|
||||
|
||||
### Build
|
||||
|
||||
Instructions for building CBL-Mariner may be found here: [Toolkit Documentation](./toolkit/README.md).
|
||||
|
||||
ISO
|
||||
You can try CBL-Mariner with the following ISO Image:
|
||||
### ISO
|
||||
|
||||
You can try CBL-Mariner with the following ISO images:
|
||||
|
||||
- [Mariner 2.0 x86_64 ISO](https://aka.ms/mariner-2.0-x86_64-iso).
|
||||
- [Mariner 1.0 x86_64 ISO](https://aka.ms/mariner-1.0-x86_64-iso).
|
||||
|
||||
After downloading the ISO, use these instructions to install and use in a Hyper-V VM.
|
||||
Before using a downloaded ISO, [verify the checksum and signature of the image](toolkit/docs/security/iso-image-verification.md).
|
||||
|
||||
After downloading the ISO, use [the quickstart instructions](toolkit/docs/quick_start/quickstart.md) to install and use the image in a Hyper-V VM.
|
||||
|
||||
Note: Support for the ISO is community based. Before filing a new bug or feature request, please search the list of Github Issues. If you are unable to find a matching issue, please report new bugs by clicking [here](https://github.com/microsoft/CBL-Mariner/issues) or create a new feature request by clicking [here](https://github.com/microsoft/CBL-Mariner/issues/new). For additional information refer to the [support.md](https://github.com/microsoft/CBL-Mariner/blob/2.0/SUPPORT.md) file.
|
||||
|
||||
# Trademarks
|
||||
## Trademarks
|
||||
|
||||
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow [Microsoft's Trademark & Brand Guidelines](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general). Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
|
||||
|
||||
# Acknowledgments
|
||||
## Acknowledgments
|
||||
|
||||
Any Linux distribution, including CBL-Mariner, benefits from contributions by the open software community. We gratefully acknowledge all contributions made from the broader open source community, in particular:
|
||||
|
||||
|
|
|
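Review bot: In the ISO section the new sentence "Before using a downloaded ISO, verify the checksum and signature of the image" is followed by "After downloading the ISO, use the quickstart instructions ...", so the two read as parallel options rather than ordered steps. Consider writing them as one sequence (download, verify, then install) so that a reader who goes straight to the quickstart link has already passed the verification step. The two new links also drop the `./` prefix used by the existing Build link (`./toolkit/README.md`); pick one form for relative paths.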
@ -0,0 +1,31 @@
|
|||
# Verifying pre-built ISO image
|
||||
|
||||
| Release Branch | ISO Image | SHA-256 Checksum File | Checksum Signature |
|
||||
| -------------- | --------- | --------------------- | ------------------ |
|
||||
| 1.0 | <https://aka.ms/mariner-1.0-x86_64-iso> | <https://aka.ms/mariner-1.0-x86_64-iso-checksum> | <https://aka.ms/mariner-1.0-x86_64-iso-checksum-signature> |
|
||||
| 2.0 | <https://aka.ms/mariner-2.0-x86_64-iso> | <https://aka.ms/mariner-2.0-x86_64-iso-checksum> | <https://aka.ms/mariner-2.0-x86_64-iso-checksum-signature> |
|
||||
|
||||
Once the ISO image, the checksum, and the checksum signature files are downloaded, it is strongly recommended that the integrity of the image is verified. This is a two-step process. First, ensure that the checksum file has not been tampered with by verifying the signature against Mariner's RPM signing public key. Second, check that the ISO image was not corrupted during the download. The following bash script shows the commands necessary to check both steps:
|
||||
|
||||
```bash
|
||||
# Assumption: we are in the directory containing the downloaded files
|
||||
# Replace "1.0" in these variables with the release branch being verified
|
||||
CHECKSUM_FILE="mariner-1.0-x86_64.iso.sha256"
|
||||
SIGNATURE_FILE="mariner-1.0-x86_64.iso.sha256.gpg"
|
||||
|
||||
# Download the Mariner RPM signing public key
|
||||
wget https://raw.githubusercontent.com/microsoft/CBL-Mariner/2.0/SPECS/mariner-repos/MICROSOFT-RPM-GPG-KEY
|
||||
|
||||
# Import the RPM signing public key into the local GPG keystore
|
||||
gpg --import MICROSOFT-RPM-GPG-KEY
|
||||
|
||||
# Verify that the checksum file was produced by the Mariner team
|
||||
# The output of this command should contain the following string:
|
||||
# 'Good signature from "Mariner RPM Release Signing <marinerrpmprod@microsoft.com>"'
|
||||
gpg --verify "$SIGNATURE_FILE" "$CHECKSUM_FILE"
|
||||
|
||||
# Verify that the ISO image checksum matches the expected checksum
|
||||
# We need to fix the line endings on the signature file to get sha256sum to accept it
|
||||
dos2unix "$SIGNATURE_FILE"
|
||||
sha256sum --check "$CHECKSUM_FILE"
|
||||
```
|
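Review bot: The last two commands of the script do not match: `dos2unix "$SIGNATURE_FILE"` rewrites the signature file, while `sha256sum --check "$CHECKSUM_FILE"` reads the checksum file, so the line-ending fix described in the comment is never applied to the file that sha256sum parses. If the checksum file is the one with CRLF endings, normalize a copy of it after `gpg --verify` has run against the original bytes, and leave the signature file untouched. Two further gaps in the same block: the key fetched with `wget` is imported without any fingerprint comparison, so "Good signature" only shows that the checksum file was signed by whatever key was downloaded; stating the expected fingerprint in this document and checking it before `gpg --import` would close that. Also, nothing stops the script when `gpg --verify` fails, so add `set -e` or test its exit status before running `sha256sum --check`.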