Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 4. Creating and verifying task run signatures without any additional authentication

To verify signatures of task runs by using Tekton Chains with any additional authentication, perform the following tasks:

  • Generate an encrypted x509 or cosign key pair and store it as a Kubernetes secret.
  • Configure the Tekton Chains backend storage.
  • Create a task run, sign it, and store the signature and the payload as annotations on the task run itself.
  • Retrieve the signature and payload from the signed task run.
  • Verify the signature of the task run.

Prerequisites

Ensure that you install the following components on the cluster:

  • Red Hat OpenShift Pipelines Operator
  • Tekton Chains
  • Cosign

Procedure

  1. Generate an encrypted x509 or cosign key pair. For more information about creating a key pair and saving it as a secret, see "Secrets for signing data in Tekton Chains".

  2. In the Tekton Chains configuration, disable the Open Container Initiative (OCI) storage, and set the task run storage and format to tekton. In the TektonConfig custom resource set the following values: 

    apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
# ...
    chain:
      artifacts.oci.storage: ""
      artifacts.taskrun.format: tekton
      artifacts.taskrun.storage: tekton
# ...

    For more information about configuring Tekton Chains using the TektonConfig custom resource, see "Configuring Tekton Chains".

  3. To restart the Tekton Chains controller to apply the modified configuration, enter the following command: 

    $ oc delete po -n openshift-pipelines -l app=tekton-chains-controller

  4. Create a task run by entering the following command: 

    $ oc create -f https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml
    -f

    Replace the example URI with the URI or file path pointing to your task run.

    Example output

    taskrun.tekton.dev/build-push-run-output-image-qbjvh created

  5. Check the status of the steps by entering the following command. Wait until the process finishes. 

    $ tkn tr describe --last

    Example output

    [...truncated output...]
NAME                            STATUS
∙ create-dir-builtimage-9467f   Completed
∙ git-source-sourcerepo-p2sk8   Completed
∙ build-and-push                Completed
∙ echo                          Completed
∙ image-digest-exporter-xlkn7   Completed

  6. To retrieve the signature from the object stored as base64 encoded annotations, enter the following commands: 

    $ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" | base64 -d > sig
     
    $ export TASKRUN_UID=$(tkn tr describe --last -o  jsonpath='{.metadata.uid}')

  7. To verify the signature using the public key that you created, enter the following command: 

    $ cosign verify-blob-attestation --insecure-ignore-tlog --key path/to/cosign.pub --signature sig --type slsaprovenance --check-claims=false /dev/null
    --insecure-ignore-tlog

    Replace path/to/cosign.pub with the path name of the public key file.

    Example output

    Verified OK

Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Legal Notice

Theme

© 2026 Red HatNach oben