Verify Dynatrace Operator image and SBOM
Verify Dynatrace Operator image signature
The procedure you need to verify the image signature varies depending on the Dynatrace Operator version you're running.
Dynatrace Operator version 0.11.0+
-
Select one of the following options.
cosign verify --key https://github.com/Dynatrace/dynatrace-operator/releases/download/<version>/cosign.pub dynatrace/dynatrace-operator:<version>cosign verify --certificate-identity=https://github.com/Dynatrace/dynatrace-operator/.github/workflows/publish-images.yaml@refs/tags/<version> --certificate-oidc-issuer=https://token.actions.githubusercontent.com dynatrace/dynatrace-operator:<version>
Dynatrace Operator version 0.10.4 or earlier
-
Select one of the following options:
cosign verify --insecure-ignore-tlog=true --key https://github.com/Dynatrace/dynatrace-operator/releases/download/<version>/cosign.pub dynatrace/dynatrace-operator:<version>Dynatrace Operator version 0.9.0+
cosign verify --certificate-identity=https://github.com/Dynatrace/dynatrace-operator/.github/workflows/publish-images.yaml@refs/tags/<version> --certificate-oidc-issuer=https://token.actions.githubusercontent.com dynatrace/dynatrace-operator:<version>
Check the Software Bill of Materials (SBOM)
Dynatrace Operator version 0.12.0+
To check the Software Bill of Materials (SBOM) of a Dynatrace Operator image, use Cosign to verify the attestation and retrieve the signed SBOM.
-
Run the following command to get the signed SBOM.
cosign verify-attestation \ --certificate-identity=https://github.com/Dynatrace/dynatrace-operator/.github/workflows/release.yaml@refs/tags/<version> \ --certificate-oidc-issuer=https://token.actions.githubusercontent.com \ --type cyclonedx docker.io/dynatrace/dynatrace-operator:<version> \ | jq -r .payload | base64 -d | jq -r .predicate > sbom.jsonThis creates the file
sbom.jsonin your local file system with the SBOM of the operator image.