Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Attesting and validating a container image

Before Enterprise Contract can validate your signed container image, you must first create SLSA provenance and associate it with your container image. Provenance is the verifiable information about software artifacts, including where, when, and how a given software "link" in a supply chain was produced. For more information about Supply-chain Levels for Software Artifacts (SLSA) provenance, see SLSA Provenance.

Prerequisites

  • A signed container image.
  • Access to the OpenShift web console.
  • A working Red Hat Trusted Artifact Signer installation running on OpenShift version 4.13 or later.
  • A workstation with the cosign and oc binary files installed.

Procedure

  1. Create a SLSA provenance predicate.json file; for example: 

    echo '{
 "builder": {
   "id": "https://localhost/dummy-id"
 },
 "buildType": "https://localhost/dummy-type",
 "invocation": {},
 "buildConfig": {},
 "metadata": {
   "buildStartedOn": "2023-09-25T16:26:44Z",
   "buildFinishedOn": "2023-09-25T16:28:59Z",
   "completeness": {
     "parameters": false,
     "environment": false,
     "materials": false
   },
   "reproducible": false
 },
 "materials": []
}
' > predicate.json
    Copy to Clipboard Toggle word wrap

  2. Sign and attest the predicate.json file you just created; for example: 

    cosign attest -y --fulcio-url=$FULCIO_URL \
   --rekor-url=$REKOR_URL \
   --oidc-issuer=$OIDC_ISSUER_URL \
   --predicate predicate.json \
   --type slsaprovenance $IMAGE
    Copy to Clipboard Toggle word wrap

    Keycloak opens to automatically authenticate you based on your login when you signed your container image.

  3. Verify the signature and attestation with Enterprise Contract, for example: 

    ec validate image --image $IMAGE \
   --certificate-identity-regexp '.*' \
   --certificate-oidc-issuer-regexp '.*' \
   --output yaml --show-successes
    Copy to Clipboard Toggle word wrap
Important

Be as specific as possible when you run the ec validate image command so that each signature matches the expected identity.

Verification

  • When Enterprise Contract has validated your container image, a detailed report of all Enterprise Contract verifications and signatures opens.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat