Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 3. Verifying signed artifacts in an offline environment
In some cases, you need to verify an artifact’s authenticity, but do not have access to the Red Hat Trusted Artifact Signer (RHTAS) service that signed that artifact. In these cases, you can still verify an artifact’s signature by doing an offline verification.
Before you can start doing offline artifact verification, you need access to the RHTAS signing environment, and access to an image registry. In the offline environment, you only need access to the same image registry as the signing environment.
Prerequisites
- Installation of RHTAS running either on the Red Hat OpenShift Container Platform, or on Red Hat Enterprise Linux (RHEL) managed by Ansible.
-
A workstation with the
cosign,tuftool,tar, andsha256sumbinaries installed. -
Initialization of
cosignwith the current signing environment.
Procedure
In the signing environment, do the following steps:
Sign an image by using
cosign:cosign sign IMAGE_NAME:TAG$ cosign sign -y ttl.sh/rhtas/example-image:1hGet the Trust Root URL.
For RHTAS deployments on Red Hat Enterprise Linux:
$ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE $ export TUF_SERVER_URL=https://tuf.${BASE_HOSTNAME}For RHTAS deployments on Red Hat OpenShift Container Platform:
$ export TUF_SERVER_URL="$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)"
Create a clone of the Trust Root locally:
$ export TUF_REPOSITORY="${HOME}/repository" $ tuftool clone --allow-root-download --metadata-dir "${TUF_REPOSITORY}" --targets-dir "${TUF_REPOSITORY}/targets" --metadata-url "${TUF_SERVER_URL}" --targets-url "${TUF_SERVER_URL}/targets"Create a compressed archive file of the Trust Root:
$ tar -czvf repository.tar.gz "${TUF_REPOSITORY}" $ sha256sum repository.tar.gz > checksum.txtCopy the compressed archive file and the checksum file to the offline environment.
ImportantYou must copy the Trust Root compressed archive file and the checksum file every time you update The Update Framework (TUF) metadata files or when you rotate any RHTAS component keys and certificates.
In the offline environment, do the following steps:
- Change directory to where you copied the compressed archive file of the Trust Root.
Verify the checksum by using the checksum value from the signing environment:
$ sha256sum --check checksum.txt || echo "Archive integrity compromised, don't continue with the procedure\!"ImportantOnly continue if the integrity check is successful.
Expand the compressed archive file:
$ tar -xzvf repository.tar.gz
Verify the signed artifacts:
$ cd repository/ $ export IMAGE="IMAGE_NAME:TAG" $ export SIGNING_EMAIL_ADDR=SIGNING_EMAIL_ADDRESS $ export SIGNING_OIDC_ISSUER=OIDC_ISSUER_URL $ export TRUSTED_ROOT=$(pwd)/targets/*.trusted_root.json $ cosign verify --certificate-identity="${SIGNING_EMAIL_ADDR}" --certificate-oidc-issuer="${SIGNING_OIDC_ISSUER}" --trusted-root ${TRUSTED_ROOT} "${IMAGE}"Replace IMAGE_NAME:TAG, SIGNING_EMAIL_ADDRESS, and OIDC_ISSUER_URL with your relevant information.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}