Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 8. Signing container images

You can ensure image authenticity and integrity by signing container images on Red Hat Enterprise Linux. To sign your image, use a sigstore signature and this signing technique is compatible with any OCI compliant container registries. You can use Podman to sign the image before pushing it into a remote registry and configure consumers so that any unsigned image is rejected.

The sigstore signatures eliminate the need for a separate lookaside server because they store the signatures in the container registry. Signing container images helps to prevent supply chain attacks.

To sign container images with sigstore signatures by using a private key on Red Hat Enterprise Linux (RHEL), you can use the Podman tools with a locally managed key pair.

Prerequisites

  • The container-tools meta-package is installed.

Procedure

  1. Generate a sigstore public or private key pair: 

    $ skopeo generate-sigstore-key --output-prefix myKey.private

  2. Add the following content to the /etc/containers/registries.d/default.yaml file: 

    docker:
    <registry>:
        use-sigstore-attachments: true

    By setting the use-sigstore-attachments option, Podman and Skopeo can read and write the container sigstore signatures together with the image and save them in the same repository as the signed image.

    You can edit the system-wide registry configuration in the /etc/containers/registries.d/default.yaml file. You can also edit the registry or repository configuration section in any YAML file in the /etc/containers/registries.d directory.

    All YAML files are read and the filename can be arbitrary. A single scope (default-docker, registry, or namespace) can only exist in one file within the /etc/containers/registries.d/ directory.

  3. Build the container image by using a Containerfile in the current directory: 

    $ podman build -t <registry>/<namespace>/<image>

  4. Sign the image and push it to the registry: 

    $ podman push --sign-by-sigstore-private-key ./myKey.private <registry>/<namespace>/<image>

    The podman push command pushes the <registry>/<namespace>/<image> local image to the remote registry as <registry>/<namespace>/<image>. The --sign-by-sigstore-private-key option adds a sigstore signature by using the myKey.private private key to the <registry>/<namespace>/<image> image. The image and the sigstore signature are uploaded to the remote registry.

    Note

    If you need to sign existing images while moving them across container registries, you can use the skopeo copy command.

    For more details, see podman-push(1) and podman-build(1) man pages on your system.

Verification

  • Pull the image: 

    $ podman pull <registry>/<namespace>/<image>

    You need to run the podman pull command to enforce signature presence as we configured it. If you try to pull images from the configured registry that are unsigned or signed with the wrong keys, the command will fail.

With the Fulcio and Rekor servers, you can create signatures by using short-term certificates based on an OpenID Connect (OIDC) server authentication, instead of manually managing a private key.

Prerequisites

  • The container-tools meta-package is installed.
  • You have Fulcio (https://<your-fulcio-server>) and Rekor (https://<your-rekor-server>) servers running and configured.
  • Podman is installed.

Procedure

  1. Add the following content to the /etc/containers/registries.conf.d/default.yaml file: 

    docker:
    <registry>:
        use-sigstore-attachments: true

    By setting the use-sigstore-attachments option, Podman and Skopeo can read and write the container sigstore signatures together with the image and save them in the same repository as the signed image.

    You can edit the registry or repository configuration section in any YAML file in the /etc/containers/registries.d/ directory. A single scope (default-docker, registry, or namespace) can only exist in one file within the /etc/containers/registries.d/ directory.

    You can also edit the system-wide registry configuration in the /etc/containers/registries.d/default.yaml file. Please note that all YAML files are read and the filename is arbitrary.

  2. Create the /etc/containers/registries.d/file.yml file: 

    fulcio:
  fulcioURL: "https://<your-fulcio-server>"
  oidcMode: "interactive"
  oidcIssuerURL: "https://<your-OIDC-provider>"
  oidcClientID: "sigstore"
rekorURL: "https://<your-rekor-server>"

    The file.yml is the sigstore signing parameter YAML file used to store options required to create sigstore signatures.

  3. Sign the image and push it to the registry: 

    $ podman push --sign-by-sigstore=file.yml <registry>/<namespace>/<image>

    You can alternatively use the skopeo copy command with similar --sign-by-sigstore options to sign existing images while moving them across container registries.

    Warning

    Note that your submission to public servers includes the public key, the certificate, and signature metadata.

    For more information, see the containers-sigstore-signing-params.yaml, podman-push(1) and container-registries.d man pages on your system.

Verification

  • Pull the image: 

    $ podman pull <registry>/<namespace>/<image>

    You need to run the podman pull command to enforce signature presence as we configured it. If you try to pull images from the configured registry that are unsigned or signed with the wrong keys, the command will fail.

To ensures image integrity, authenticates provenance to the software supply chain, you can sign container images by using sigstore with a private key and Rekor on Red Hat Enterprise Linux (RHEL). This process involves generating a key pair, signing the image with the private key, and configuring the system to use Rekor for transparency logs.

Prerequisites

  • The container-tools meta-package is installed.

Procedure

  1. Generate a sigstore public or private key pair: 

    $ skopeo generate-sigstore-key --output-prefix myKey.private

    The public and private keys myKey.pub and myKey.private are generated.

  2. Add the following to the /etc/containers/registries.conf.d/default.yaml file: 

    docker:
    <registry>:
        use-sigstore-attachments: true

    By setting the use-sigstore-attachments option, Podman and Skopeo can read and write the container sigstore signatures together with the image and save them in the same repository as the signed image.

    Note

    You can edit the registry or repository configuration section in any YAML file in the /etc/containers/registries.d/ directory. A single scope (default-docker, registry, or namespace) can only exist in one file within the /etc/containers/registries.d/ directory. You can also edit the system-wide registry configuration in the /etc/containers/registries.d/default.yaml file. Please note that all YAML files are read and the filename is arbitrary.

  3. Build the container image by using a Containerfile in the current directory: 

    $ podman build -t <registry>/<namespace>/<image>

  4. Create the /etc/containers/registries.d/file.yml file: 

    privateKeyFile: "/home/user/sigstore/myKey.private"
privateKeyPassphraseFile: "/mnt/user/sigstore-myKey.private-passphrase"
rekorURL: "https://<your-rekor-server>"

    The file.yml is the sigstore signing parameter YAML file used to store options required to create sigstore signatures.

  5. Sign the image and push it to the registry: 

    $ podman push --sign-by-sigstore=file.yml <registry>/<namespace>/<image>

    You can alternatively use the skopeo copy command with similar --sign-by-sigstore options to sign existing images while moving them across container registries.

    Warning

    Note that your submission for public servers includes data about the public key and metadata about the signature.

Verification

  • Pull the image: 

    $ podman pull <registry>/<namespace>/<image>

    You need to run podman pull command to enforce signature presence as we configured it. If you try to pull images from the configured registry that are unsigned or signed with the wrong keys, the command will fail.

    For more information, see the podman-push(1), podman-build(1), and container-registries.d man pages on your system.

8.4. Signing container images with GPG signatures
Link kopieren

Sign your Red Hat Enterprise Linux container images by using GPG signatures to establish trust and verify software origins. Applying these cryptographic signatures ensures that your images remain unaltered, protecting your infrastructure from deploying compromised applications.

Prerequisites

  • The container-tools meta-package and GPG tool are installed.

  • The lookaside web server is set up and you can publish files on it. You can check the system-wide registries configuration in the /etc/containers/registries.d/default.yaml file. The lookaside-staging option references a file path for signature writing and is typically set on hosts publishing signatures. 

    # cat /etc/containers/registries.d/default.yaml
     
docker:
    <registry>:
        lookaside: https://registry-lookaside.example.com
        lookaside-staging: file:///var/lib/containers/sigstore

Procedure

  1. Generate a GPG key: 

    # gpg --full-gen-key

  2. Export the public key: 

    # gpg --output <path>/key.gpg --armor --export <username@example.com>

  3. Build the container image by using a Containerfile in the current directory: 

    $ podman build -t <registry>/<namespace>/<image>

    Replace <registry>, <namespace>, and <image> with the container image identifiers.

  4. Sign the image and push it to the registry: 

     $  podman push \
    --sign-by <username@example.com> \
    <registry>/<namespace>/<image>
    Note

    If you need to sign existing images while moving them across container registries, you can use the skopeo copy command.

  5. Optional: Display the new image signature: 

    # (cd /var/lib/containers/sigstore/; find . -type f)
./<image>@sha256=<digest>/signature-1

  6. Copy your local signatures to the lookaside web server: 

    # rsync -a /var/lib/containers/sigstore <user@registry-lookaside.example.com>:/registry-lookaside/webroot/sigstore

    The signatures are stored in the location determined by the lookaside-staging option, in this case, /var/lib/containers/sigstore directory.

Verification

  • Pull the image: 

    $ podman pull <registry>/<namespace>/<image>

    You need to run podman pull command to enforce signature presence as we configured it. If you try to pull images from the configured registry that are unsigned or signed with the wrong keys, the command will fail.

    For more information, see the podman-image-trust(1), podman-push(1) and podman-build(1) man pages on your system.

Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Legal Notice

Theme

© 2026 Red HatNach oben