Verify Flatcar Container Linux images with GPG
Kinvolk publishes new Flatcar Container Linux images for each release across a variety of platforms and hosting providers. Each channel has its own set of images ( stable , beta , alpha ) that are posted to our storage site. Along with each image, a signature is generated from the Flatcar Container Linux Image Signing Key and posted.
After downloading your image, you should verify it with
gpg tool. First, download the image signing key:
curl -L -O https://www.flatcar.org/security/image-signing-key/Flatcar_Image_Signing_Key.asc
Next, import the public key and verify that the ID matches the website: Flatcar Image Signing Key
gpg --import --keyid-format LONG Flatcar_Image_Signing_Key.asc gpg: key E25D9AED0593B34A: public key "Flatcar Buildbot (Official Builds) <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1
Optionally, if you have your own gpg key, mark the key as valid in the local trustdb:
gpg --lsign-key E25D9AED0593B34A
Now we’re ready to download an image and it’s signature, ending in .sig. We’re using the QEMU image in this example:
curl -L -O https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_image.img.bz2 curl -L -O https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_qemu_image.img.bz2.sig
Verify image with
gpg --verify flatcar_production_qemu_image.img.bz2.sig gpg: assuming signed data in 'flatcar_production_qemu_image.img.bz2' gpg: Signature made Tue Aug 31 19:47:19 2021 CEST gpg: using RSA key 858A560F97C9AEB22EC1C732961DDDD5250D4A42 gpg: issuer "[email protected]" gpg: Good signature from "Flatcar Buildbot (Official Builds) <[email protected]>"
Good signature message indicates that the file signature is valid. Go launch some machines now that we’ve successfully verified that this Flatcar Container Linux image isn’t corrupt, that it was authored by Kinvolk, and wasn’t tampered with in transit.