Recently, Red Hat announced the technical preview of Red Hat Trusted Artifact Signer which is a production-ready deployment of the Sigstore project for enterprise use. In this article, we will learn how to use Trusted Artifact Signer when signing, attesting and verifying a container image with cosign and Enterprise Contract (EC).
Before starting, we must deploy Trusted Artifact Signer on our Red Hat OpenShift cluster by following Chapter 1 of the Deployment Guide. Be sure to also run the source ./tas-env-variables.sh script to set up the shell variables (URLs) to the Sigstore services endpoints (Fulcio, Rekor etc).
Once Trusted Artifact Signer is up and running, we no longer need to be logged in to the OpenShift cluster:
oc logout
Next, we will need a container image to play with. This can be any container image in any Open Container Initiative (OCI) registry, e.g. quay.io. The only requirement is that we must have write access to the repository. For convenience, we will set a shell variable with the image reference:
IMAGE=quay.io/lucarval/rhtas-test@sha256:6b95efc134c2af3d45472c0a2f88e6085433df058cc210abb2bb061ac4d74359
That’s it for the prerequisites. Things are about to get exciting.
Let’s get signing
First, let’s tell cosign and EC to use Trusted Artifact Signer instead of the publicly available sigstore deployment:
cosign initialize --mirror=$TUF_URL --root=$TUF_URL/root.json
Now we are ready to sign the image:
cosign sign -y --fulcio-url=$FULCIO_URL --rekor-url=$REKOR_URL \
--oidc-issuer=$OIDC_ISSUER_URL $IMAGE
The command above will cause your default web browser to open to a login page. This is the Keycloak instance created during the Trusted Artifact Signer deployment. Login with the credentials of an existing user.
The image should now be signed.
Before verifying the image signature, let’s also create a Supply-chain Levels for Software Architects (SLSA) Provenance attestation and associate it with the container image. Usually, the system responsible for building the container image is also responsible for doing this. Here, we simply create a sample SLSA Provenance:
echo '{
"builder": {
"id": "https://localhost/dummy-id"
},
"buildType": "https://localhost/dummy-type",
"invocation": {},
"buildConfig": {},
"metadata": {
"buildStartedOn": "2023-09-25T16:26:44Z",
"buildFinishedOn": "2023-09-25T16:28:59Z",
"completeness": {
"parameters": false,
"environment": false,
"materials": false
},
"reproducible": false
},
"materials": []
}
' > predicate.json
Now we sign and attach the predicate above as an attestation to the image.
cosign attest -y --fulcio-url=$FULCIO_URL \
--rekor-url=$REKOR_URL \
--oidc-issuer=$OIDC_ISSUER_URL \
--predicate predicate.json \
--type slsaprovenance $IMAGE
Just as before, a web browser will appear. Authentication happens automatically as you are already logged in.
Finally, we will use EC to verify the signature and attestation of the image.
ec validate image --image $IMAGE \
--certificate-identity-regexp '.*' \
--certificate-oidc-issuer-regexp '.*' \
--output yaml --show-successes
The command above should display a detailed report of the verifications performed as well as detailed information about the signatures.
NOTE: When verifying a container image, avoid using a loose regular expression like the example above. Instead, be as specific as possible to be sure the signatures match the expected identity.
I hope you enjoyed this high level overview showcasing how to use Red Hat Trusted Artifact Signer with cosign and Enterprise Contract!
Sobre el autor
Luiz Carvalho is a Principal Software Engineer at Red Hat. He has years of experience in container build systems and supply chain security. He has been involved in various open source projects, including Tekton Chains and cosign. More recently, he has worked with his team on building a mechanism to standardize the process of validating supply chain security with the Enterprise Contract.
Más similar
Navegar por canal
Automatización
Las últimas novedades en la automatización de la TI para los equipos, la tecnología y los entornos
Inteligencia artificial
Descubra las actualizaciones en las plataformas que permiten a los clientes ejecutar cargas de trabajo de inteligecia artificial en cualquier lugar
Nube híbrida abierta
Vea como construimos un futuro flexible con la nube híbrida
Seguridad
Vea las últimas novedades sobre cómo reducimos los riesgos en entornos y tecnologías
Edge computing
Conozca las actualizaciones en las plataformas que simplifican las operaciones en el edge
Infraestructura
Vea las últimas novedades sobre la plataforma Linux empresarial líder en el mundo
Aplicaciones
Conozca nuestras soluciones para abordar los desafíos más complejos de las aplicaciones
Programas originales
Vea historias divertidas de creadores y líderes en tecnología empresarial
Productos
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servicios de nube
- Ver todos los productos
Herramientas
- Training y Certificación
- Mi cuenta
- Soporte al cliente
- Recursos para desarrolladores
- Busque un partner
- Red Hat Ecosystem Catalog
- Calculador de valor Red Hat
- Documentación
Realice pruebas, compras y ventas
Comunicarse
- Comuníquese con la oficina de ventas
- Comuníquese con el servicio al cliente
- Comuníquese con Red Hat Training
- Redes sociales
Acerca de Red Hat
Somos el proveedor líder a nivel mundial de soluciones empresariales de código abierto, incluyendo Linux, cloud, contenedores y Kubernetes. Ofrecemos soluciones reforzadas, las cuales permiten que las empresas trabajen en distintas plataformas y entornos con facilidad, desde el centro de datos principal hasta el extremo de la red.
Seleccionar idioma
Red Hat legal and privacy links
- Acerca de Red Hat
- Oportunidades de empleo
- Eventos
- Sedes
- Póngase en contacto con Red Hat
- Blog de Red Hat
- Diversidad, igualdad e inclusión
- Cool Stuff Store
- Red Hat Summit