Integrity Control

For information security, configure Docker image integrity verification for Gramax images.

Verify image signatures

After downloading new image versions, verify their signatures.

  1. Download the public key from gram.ax/enterprise-public-key.pem.

  2. Verify the key hash. It must match:

    $ sha256sum ~/Downloads/enterprise-public-key.pem
    4830d12cf79d5ab7799668c4891e3dd926903a15f497e27d1118727e57e5668b

  3. Verify the image signature using cosign:

    cosign verify --key ~/Downloads/enterprise-public-key.pem <image-name>

In an isolated perimeter

If you only have access to registry.gram.ax, use:

    cosign verify \
      --key ~/Downloads/enterprise-public-key.pem \
      --offline \
      --rekor-url="" \
      --insecure-ignore-tlog \
      <image-name>
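
The three steps above as one fail-closed script, added here as an example and not part of Gramax's own tooling: cosign runs only when the key file matches the hash published on this page. The function names, the OFFLINE variable and the script name verify-images.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Gramax's own script): refuse to verify images with a
# key file whose SHA-256 differs from the value published on this page.
PINNED_KEY_SHA256="4830d12cf79d5ab7799668c4891e3dd926903a15f497e27d1118727e57e5668b"

# key_hash_matches <key-file> <expected-sha256>
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be read.
key_hash_matches() {
    [ -r "$1" ] || return 2
    actual_hash=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual_hash" = "$2" ]
}

# verify_image <key-file> <image>
# Set OFFLINE=1 in an isolated perimeter (only registry.gram.ax reachable).
# The offline flags skip the transparency log lookup, so the result then
# rests on the signature and the pinned public key alone.
verify_image() {
    key_file=$1
    image=$2
    if ! key_hash_matches "$key_file" "$PINNED_KEY_SHA256"; then
        echo "REFUSED: $key_file does not match the pinned hash; cosign not run" >&2
        return 1
    fi
    set --   # extra cosign flags, none by default
    if [ "${OFFLINE:-0}" = "1" ]; then
        set -- --offline --rekor-url="" --insecure-ignore-tlog
    fi
    if ! cosign verify --key "$key_file" "$@" "$image" >/dev/null; then
        echo "FAILED: no valid signature for $image" >&2
        return 1
    fi
    echo "OK: $image"
}

# Usage: sh verify-images.sh <key-file> <image> [<image> ...]
# Exits non-zero if any image fails, so it can gate a deployment step.
if [ "$#" -ge 2 ]; then
    key=$1
    shift
    rc=0
    for img in "$@"; do
        verify_image "$key" "$img" || rc=1
    done
    exit "$rc"
fi
```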

Run Docker images in Readonly mode

Create a directory (for example, readonly-setup) to store configuration files for Readonly mode.

Start Docker. Open a terminal, change to that directory, and run:

    curl https://gram.ax/readonly-enterprise-docker-compose.yaml -o docker-compose.yaml
    curl https://gram.ax/readonly-enterprise-caddyfile.Caddyfile -o Caddyfile
    docker compose up

After that, Docker images run in Readonly mode, and the reverse proxy configures access.