CoreOS publishes new Container Linux images for each release across a variety of platforms and hosting providers. Each channel has its own set of images (stable, beta, alpha) that are posted to our storage site. Along with each image, a signature is generated from the CoreOS Image Signing Key and posted.
After downloading your image, you should verify it with
gpg tool. First, download the image signing key:
curl -O https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc
Next, import the public key and verify that the ID matches the website: CoreOS Image Signing Key
gpg --import --keyid-format LONG CoreOS_Image_Signing_Key.asc gpg: key 50E0885593D2DCB4: public key "CoreOS Buildbot (Offical Builds) <email@example.com>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
Now we're ready to download an image and it's signature, ending in .sig. We're using the QEMU image in this example:
curl -O https://stable.release.core-os.net/amd64-usr/current/coreos_production_qemu_image.img.bz2 curl -O https://stable.release.core-os.net/amd64-usr/current/coreos_production_qemu_image.img.bz2.sig
Verify image with
gpg --verify coreos_production_qemu_image.img.bz2.sig gpg: Signature made Tue Jun 23 09:39:04 2015 CEST using RSA key ID E5676EFC gpg: Good signature from "CoreOS Buildbot (Offical Builds) <firstname.lastname@example.org>"
Good signature message indicates that the file signature is valid. Go launch some machines now that we've successfully verified that this Container Linux image isn't corrupt, that it was authored by CoreOS, and wasn't tampered with in transit.