To ensure the integrity of all runtime container images published and downloaded for production systems,
image signing support is now available for all Apigee hybrid images using Docker Hub. All hybrid runtime
images are publicly available for download from the
Google Docker Hub account.
Hybrid images are signed with
Docker Content Trust, a feature that lets users verify the integrity and publisher of every image
built and running in a Docker registry. These signatures allow client-side or runtime verification
of specific image tags against publisher keys, ensuring that the image is exactly what the publisher created and pushed for publication.
Download signed container images
If you are using a Kubernetes cluster without internet access to deploy your hybrid runtime services,
you will need to download the container images to a local container registry and then access the registry
from your Kubernetes cluster.
To download a signed container image, you should have Docker
installed and use the docker pull command as follows. Be sure to append the correct tag
to each image name. For example, the tag for apigee-synchronizer is 1.1.1,
as shown below.
The output of this command will let you know whether the tagged image is signed, the name of the signers,
and a list of signers and keys. For example:
docker trust inspect --pretty google/apigee-mart-server:1.1.1Signatures for google/apigee-mart-server:1.1.1
SIGNED TAG DIGEST SIGNERSbeta2
a607b0e7acba41544e5db8e74b039e9314fdcfdc6f1acf73094d3179fc2af322 asf-admin
List of signers and their keys for google/apigee-mart-server:1.1.1
SIGNER KEYSasf-admin 7d4abdbb7bfd
Administrative keys for google/apigee-mart-server:1.1.1
Repository Key: 80f86b047965f6dec0c056b1938a7f8cfb894ba8014fba36a18d0923173d394a
Root Key: 6f2d60f90a0d78dd6254d3d47613a4dd6eb0880f83411e6f8b122b84dbef69ca
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eThe Apigee hybrid documentation version 1.1 is end-of-life and users should upgrade to a newer version.\u003c/p\u003e\n"],["\u003cp\u003eAll Apigee hybrid runtime images are signed and publicly available for download from the Google Docker Hub account, ensuring the integrity of images for production systems.\u003c/p\u003e\n"],["\u003cp\u003eHybrid images use Docker Content Trust to allow users to verify the integrity and publisher of every image, confirming that the image is exactly as published.\u003c/p\u003e\n"],["\u003cp\u003eSigned container images can be downloaded using the \u003ccode\u003edocker pull\u003c/code\u003e command, with the correct tag appended to each image name, as demonstrated with example images.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003edocker trust inspect --pretty\u003c/code\u003e command can be used to verify if an image is signed, view the signers, and view the associated keys.\u003c/p\u003e\n"]]],[],null,["# Download signed images from Docker Hub\n\n| You are currently viewing version 1.1 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\n\nTo ensure the integrity of all runtime container images published and downloaded for production systems,\nimage signing support is now available for all Apigee hybrid images using Docker Hub. All hybrid runtime\nimages are publicly available for download from the [Google Docker Hub](https://hub.docker.com/u/google) account.\n\n\nHybrid images are signed with [Docker Content Trust](https://docs.docker.com/engine/security/trust/content_trust/), a feature that lets users verify the integrity and publisher of every image\nbuilt and running in a Docker registry. These signatures allow client-side or runtime verification\nof specific image tags against publisher keys, ensuring that the image is exactly what the publisher created and pushed for publication.\n\nDownload signed container images\n--------------------------------\n\nIf you are using a Kubernetes cluster without internet access to deploy your hybrid runtime services,\nyou will need to download the container images to a local container registry and then access the registry\nfrom your Kubernetes cluster.\n\n\nTo download a signed container image, you should have [Docker](https://docs.docker.com/get-started/)\ninstalled and use the `docker pull` command as follows. Be sure to append the correct tag\nto each image name. For example, the tag for `apigee-synchronizer` is `1.1.1`,\nas shown below. \n\n docker pull google/apigee-mart-server:1.1.1\n docker pull google/apigee-synchronizer:1.1.1\n docker pull google/apigee-runtime:1.1.1\n docker pull google/apigee-authn-authz:1.1.1\n docker pull google/apigee-cassandra-client:1.1.1\n docker pull google/apigee-cassandra-backup-utility:1.1.1\n docker pull google/apigee-cassandra:1.1.1\n docker pull google/apigee-udca:1.1.1\n docker pull google/apigee-stackdriver-logging-agent:1.6.8\n docker pull google/apigee-prom-prometheus:v2.9.2\n docker pull google/apigee-stackdriver-prometheus-sidecar:release-0.4.0\n docker pull google/busybox:1.30.1\n\nVerify container image signer and signatures\n--------------------------------------------\n\n\nTo verify that an image has been signed, run the following command: \n\n```\ndocker trust inspect --pretty $IMAGE_NAME:$IMAGE_TAG\n```\n\n\nThe output of this command will let you know whether the tagged image is signed, the name of the signers,\nand a list of signers and keys. For example: \n\n docker trust inspect --pretty google/apigee-mart-server:1.1.1\n\n Signatures for google/apigee-mart-server:1.1.1\n SIGNED TAG DIGEST SIGNERSbeta2\n a607b0e7acba41544e5db8e74b039e9314fdcfdc6f1acf73094d3179fc2af322 asf-admin\n List of signers and their keys for google/apigee-mart-server:1.1.1\n SIGNER KEYSasf-admin 7d4abdbb7bfd\n Administrative keys for google/apigee-mart-server:1.1.1\n Repository Key: 80f86b047965f6dec0c056b1938a7f8cfb894ba8014fba36a18d0923173d394a\n Root Key: 6f2d60f90a0d78dd6254d3d47613a4dd6eb0880f83411e6f8b122b84dbef69ca"]]
