Verifying Packages
Purpose: For operators, shows how to validate package signatures, checksums, and SBOM contents.
Prerequisites
- The `zarf-package-opencenter-airgap-amd64-*.tar.zst` artifact
- The `package.sha256` checksum file (generated during build)
- `opencenter-airgap` CLI installed (for the `verify` command)
- Optional: Cosign CLI for signature verification
When to Verify
Verify at every zone boundary:
- After build completes in Zone A — confirm the artifact is intact.
- After transfer to removable media (Zone B) — confirm no corruption during copy.
- After loading onto the bastion in Zone C — confirm the artifact survived transport.
Steps
1. Checksum verification
The simplest check. Compare the SHA-256 hash against the recorded value. Run it from the directory that holds the artifact, since the checksum file refers to the artifact by bare filename:

```sh
sha256sum -c package.sha256
```

Expected output:

```text
zarf-package-opencenter-airgap-amd64-1.0.0-rc2.tar.zst: OK
```
If this fails, the file is corrupted or was modified. Do not deploy it.
2. CLI verify command
The `opencenter-airgap verify` command performs deeper validation:

```sh
opencenter-airgap verify dist/zarf-package-opencenter-airgap-amd64-*.tar.zst
```

This checks:
- Archive integrity (decompression test)
- Component completeness against `artifact-manifest.json`
- SBOM presence and format
- Cosign signature (if the package was signed during build)
3. Cosign signature verification
If the build host signed the artifact with Cosign:

```sh
cosign verify-blob \
  --key cosign.pub \
  --signature dist/zarf-package-opencenter-airgap-amd64-*.tar.zst.sig \
  dist/zarf-package-opencenter-airgap-amd64-*.tar.zst
```
The public key (cosign.pub) should be distributed through a separate trusted channel — not on the same media as the artifact.
4. SBOM inspection
Zarf embeds an SBOM (Software Bill of Materials) in the package. Extract and review it:
```sh
zarf package inspect dist/zarf-package-opencenter-airgap-amd64-*.tar.zst --sbom
```
This lists every container image, binary, and package included in the artifact. Use it to:
- Confirm expected components are present.
- Cross-reference against your organization's approved software list.
- Feed into vulnerability scanning tools (e.g., Grype, Trivy).
5. Scan for vulnerabilities (optional)
Run Trivy against the extracted SBOM or directly against the package:
```sh
trivy sbom sbom.json --severity HIGH,CRITICAL
```
The build pipeline runs Trivy during build. This step is for independent verification at the Zone B/C boundary.
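As an added example (not part of this page or the opencenter-airgap project's own tooling), the shell script below wires steps 1 to 4 into functions an operator can source on the bastion: `verify_checksum` wraps `sha256sum -c`, `verify_pubkey_pin` checks the digest of `cosign.pub` against a value recorded out of band before the key is trusted, `verify_signature` wraps `cosign verify-blob` and reports "not checked" separately from "failed" when cosign is absent, and `sbom_unapproved` lists SBOM components missing from an approved-software list. The artifact, SBOM and approved list are constructed inline so the script runs offline; the SBOM parser assumes CycloneDX JSON and, using only grep and sed, reports every `"name"` value it finds (so tool or supplier names in the metadata block would also be listed for review).

```shell
#!/bin/sh
# Added example (not the opencenter-airgap project's own code): helpers for the
# zone-boundary checks described above. Tool names are real (sha256sum, cosign);
# the artifact, SBOM and approved-software list are constructed here so the
# script runs offline.
set -u

# verify_checksum FILE: run `sha256sum -c` from the directory holding the
# checksum file, so the bare filename inside it resolves. Returns 0 only if
# every listed file matches.
verify_checksum() {
  ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")" >/dev/null 2>&1 )
}

# verify_pubkey_pin KEYFILE EXPECTED_SHA256: cosign.pub arrives over a separate
# channel; pinning its digest (recorded out of band) catches a key that was
# swapped onto the media, before cosign is even invoked.
verify_pubkey_pin() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# verify_signature PUBKEY ARTIFACT: wrap cosign verify-blob, expecting the
# detached signature at ARTIFACT.sig. Returns 2 when cosign is not installed so
# callers can distinguish "not checked" from "failed".
verify_signature() {
  command -v cosign >/dev/null 2>&1 || return 2
  cosign verify-blob --key "$1" --signature "$2.sig" "$2"
}

# sbom_unapproved SBOM_JSON ALLOWLIST: print component names found in a
# CycloneDX-style JSON SBOM that do not appear in ALLOWLIST (one exact name
# per line). grep/sed only, so it works on a minimal bastion without jq.
sbom_unapproved() {
  grep -o '"name": *"[^"]*"' "$1" | sed 's/^"name": *"//; s/"$//' | sort -u |
    grep -vxF -f "$2" || true
}

# make_fixture DIR: build a constructed artifact, its checksum file, a small
# CycloneDX SBOM and an approved list, mimicking what the build emits.
make_fixture() {
  mkdir -p "$1/dist"
  printf 'constructed zarf payload\n' > "$1/dist/zarf-package-opencenter-airgap-amd64-1.0.0-rc2.tar.zst"
  ( cd "$1/dist" && sha256sum zarf-package-opencenter-airgap-amd64-1.0.0-rc2.tar.zst > package.sha256 )
  cat > "$1/sbom.json" <<'EOF'
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "container", "name": "registry.example.internal/opencenter/api", "version": "1.0.0"},
    {"type": "library", "name": "openssl", "version": "3.0.13"},
    {"type": "library", "name": "curl", "version": "8.5.0"}
  ]
}
EOF
  printf '%s\n' registry.example.internal/opencenter/api openssl > "$1/approved.txt"
}

WORK=$(mktemp -d)
make_fixture "$WORK"
ARTIFACT="$WORK/dist/zarf-package-opencenter-airgap-amd64-1.0.0-rc2.tar.zst"

if verify_checksum "$WORK/dist/package.sha256"; then
  echo "checksum: OK"
fi

# Simulate corruption in transit (appended bytes) and confirm it is detected.
printf 'tampered\n' >> "$ARTIFACT"
if ! verify_checksum "$WORK/dist/package.sha256"; then
  echo "checksum: FAILED after corruption (expected) - do not deploy"
fi

echo "components not on the approved list:"
sbom_unapproved "$WORK/sbom.json" "$WORK/approved.txt"

rm -rf "$WORK"
```

Run it as a script to see the demonstration, or `. ./verify.sh`-style source the function definitions and call them against the real `dist/package.sha256`, `cosign.pub` digest and `sbom.json` on the bastion; any non-zero return from `verify_checksum`, `verify_pubkey_pin` or `verify_signature` means the artifact must not be deployed.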
Verification Checklist
| Check | Command | Pass criteria |
|---|---|---|
| SHA-256 checksum | sha256sum -c package.sha256 | Output shows OK |
| Archive integrity | opencenter-airgap verify <pkg> | Exit code 0, no errors |
| Cosign signature | cosign verify-blob ... | Verified OK |
| SBOM present | zarf package inspect --sbom | SBOM output is non-empty |
| No HIGH/CRITICAL CVEs | trivy sbom ... | Zero findings (or accepted exceptions) |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| Checksum mismatch | File corrupted during transfer | Re-copy from Zone A media; verify source checksum first |
| Cosign verification fails | Wrong public key or tampered artifact | Confirm the correct cosign.pub; rebuild if tampering suspected |
| SBOM missing | Zarf CLI not available during build | Rebuild with Zarf CLI installed |
| verify reports missing components | Incomplete build | Re-run opencenter-airgap build and verify before transfer |