Download signed images from Docker Hub

To ensure the integrity of all runtime container images published and downloaded for production systems, image signing support is now available for all Apigee hybrid images using Docker Hub. All hybrid runtime images are publicly available for download from the Google Docker Hub account.

Hybrid images are signed with Docker Content Trust, a feature that lets users verify the integrity and publisher of every image built and running in a Docker registry. These signatures allow client-side or runtime verification of specific image tags against publisher keys, ensuring that the image is exactly what the publisher created and pushed for publication.

If you are using a Kubernetes cluster without internet access to deploy your hybrid runtime services, you will need to download the container images to a local container registry and then access the registry from your Kubernetes cluster.

To download a signed container image, you should have Docker installed and use the docker pull command as follows. Be sure to append the correct tag to each image name. For example, the tag for apigee-synchronizer is 1.3.6, as shown below.

Namespace: apigee-system

docker pull google/apigee-kube-rbac-proxy:v0.4.1
docker pull google/apigee-operators:1.3.6
docker pull google/apigee-installer:1.3.6

Namespace: apigee

docker pull google/apigee-authn-authz:1.3.6
docker pull google/apigee-cassandra-backup-utility:1.3.6
docker pull google/apigee-connect-agent:1.3.6
docker pull google/apigee-hybrid-cassandra-client:1.3.6
docker pull google/apigee-hybrid-cassandra:1.3.6
docker pull google/apigee-mart-server:1.3.6
docker pull google/apigee-prom-prometheus:v2.9.2
docker pull google/apigee-runtime:1.3.6
docker pull google/apigee-stackdriver-logging-agent:1.6.8
docker pull google/apigee-stackdriver-prometheus-sidecar:0.7.5
docker pull google/apigee-synchronizer:1.3.6
docker pull google/apigee-udca:1.3.6
docker pull google/apigee-watcher:1.3.6

Verify container image signer and signatures

To verify that an image has been signed, run the following command:

docker trust inspect --pretty $IMAGE_NAME:$IMAGE_TAG

The output of this command will let you know whether the tagged image is signed, the name of the signers, and a list of signers and keys. For example:

docker trust inspect --pretty google/apigee-mart-server:1.3.6

Signatures for google/apigee-mart-server:1.3.6
SIGNED TAG          DIGEST                                      
SIGNERSbeta2
a607b0e7acba41544e5db8e74b039e9314fdcfdc6f1acf73094d3179fc2af322   asf
-admin
List of signers and their keys for google/apigee-mart-server:1.3.6
SIGNER              
KEYSasf-admin           7d4abdbb7bfd
Administrative keys for google/apigee-mart-server:1.3.6
Repository Key:       80f86b047965f6dec0c056b1938a7f8cfb894ba8014fba36a18d0923173d394a
Root Key:     6f2d60f90a0d78dd6254d3d47613a4dd6eb0880f83411e6f8b122b84dbef69ca