Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Release Notes

Red Hat Trusted Artifact Signer 1.2

Release notes for Red Hat's Trusted Artifact Signer 1.2.2

Red Hat Trusted Documentation Team

Abstract

Welcome to Red Hat Trusted Artifact Signer's official release notes for version 1.2.2!
The release notes describes new features, enhancements, known issues, bug fixes, and deprecation implemented for the Red Hat Trusted Artifact Signer 1.2.2 software release.

Chapter 1. Introduction
Copy link

Red Hat’s Trusted Artifact Signer (RHTAS) service enhances software supply chain security by simplifying cryptographic signing and verifying of software artifacts, such as container images, binaries, and Git commits. Trusted Artifact Signer provides a production ready deployment of the SecureSign community project.

The Trusted Artifact Signer software Release Notes documents new features and enhancements, bug fixes, and known issues for the latest version, 1.2.1. We add the newest items to the top in each chapter, as we build upon the official release notes over the lifecycle of the major, and minor releases.

New for this release
  • Deploying RHTAS on Red Hat Enterprise Linux 9.4 or later by using Ansible is fully supported by Red Hat for production workloads, and is no longer a Technical Preview feature.
  • The ability to monitor, and manage the RHTAS containers with Cockpit.
  • Enterprise Contract (EC) improvements and new features.

Chapter 2. New features and enhancements
Copy link

A list of all major enhancements, and new features introduced in this release of Red Hat Trusted Artifact Signer (RHTAS).

The features and enhancements added by this release are:

Ability to add OIDC providers for Ansible deployments of RHTAS
With this release, you can configure OpenID Connect (OIDC) providers under the tas_single_node_fulcio.fulcio_config section of the RHTAS Ansible Playbook. Update the playbook by adding your OIDC provider URL to the oidc_issuers variable, save your changes, and then re-run the playbook. You can have many OIDC providers defined in the oidc_issuers variable.
Monitoring for RHTAS containers
With this release, you can monitor and manage the RHTAS containers with the Cockpit web interface. This gives users a web-based user interface to simplify container management, and improves maintainability.
Expose passphrase variables for RHTAS components

When the Ansible collection creates a passphrase, they are easily guessable, and therefore a security risk. With this release, we expose the passphrase variables for each RHTAS component. This allows users to configure the passphrase as they see fit in the RHTAS Ansible Playbook. 

tas_single_node_fulcio:
  ca_passphrase: TODO
  ct_log_prefix: TODO
tas_single_node_rekor:
  ca_passphrase: TODO
tas_single_node_tsa:
  signer_passphrase: TODO
  ca_passphrase: TODO
tas_single_node_ctlog_ca_passphrase: TODO
Copy to Clipboard Toggle word wrap

Replace each TODO with your passphrase, and run the playbook.

Producing a warning or violation dynamically for policy checks
With this release of Enterprise Contract (EC), a single policy check can be either a warning or a violation based on logic defined in the policy check. You can select the warning or violation based on dynamic criteria, such as an effective date, or other runtime logic.
Improvements to the validation output
With this release, we added more details to the output of the ec validate image command for better auditing. The output shows the Git SHA or image digest when resolving a non-permanent reference, such as a tag or Git branch, if defined in the policy source for Enterprise Contract (EC). With this additional information you can see exactly which policies and policy data used during the validation.
Support for running Enterprise Contract commands without a timeout
With this release, you can specify the --timeout 0 on Enterprise Contract (EC) commands to override the default timeout of 5 minutes. This is helpful in Continuous Integration and Continuous Deployment (CI/CD) environments where they manage their own task timeouts.
Support for policy exceptions for specific components
In earlier versions of Enterprise Contract (EC), any policy exception was applied to all components being evaluated. With this release, you can specify which component a particular policy exception applies to. This gives you more fine-grained control when applying policy exceptions.

Chapter 3. Bug fixes
Copy link

In this release of Red Hat Trusted Artifact Signer (RHTAS), we fixed the following bugs. In addition to these fixes, we list the descriptions of previously known issues found in earlier versions that we fixed.

Download size limitation for artifacts
We removed a download size limit on Open Container Initiative (OCI) fetches for artifacts larger than 10 MB. This limitation was causing artifacts to become truncated, leading to an error when accessing larger Software Bill of Materials (SBOM) documents.
Rekor unable to write attestations to storage
Rekor writes the attestation to the /tmp/ directory, and then tries to move the attestation to a persistent volume claim (PVC). The moving of the attestation file is really a "rename" operation within the code base. The "rename" operation only works for locations within the same mount point, but was failing when moving between mount points. With this release, we fixed this issue so Rekor can correctly write attestations to the PVC.
Fulcio service crash when configured with the Kubernetes OIDC issuer
A missing required certificate was causing the Fulcio service to crash with a unrecoverable error when configured with the Kubernetes OpenID Connect (OIDC) issuer, for example, https://kubernetes.default.svc. This missing certificate was preventing the Fulcio service from running, and servicing signing requests. With this release, we fixed the issue by mounting the Kubernetes API server certificate to /var/run/fulcio/ca.crt, and the Fulcio service starts successfully when configuring the Kubernetes OIDC issuer.
Two Rekor log entries from one signature
When configuring Rekor and Certificate Transparency log with the same tree identifier in Trillian this causes two Rekor log entries for one signature. To fix this issue, configure Rekor and Certificate Transparency log with unique tree identifier.
Health probe for Trillian not working properly
A wrongly-formatted container command was not sending health probes to the trillian-mysql pod. This was generating error messages with the "unhealthy" or "improper" tags, even though the pod was healthy. With this release, we fixed the format of the container command, and the health probe reports the correct status.
Deploying RHTAS on Red Hat Enterprise Linux was creating anonymous volumes
The Rekor manifests did not have defined volumes. This created anonymous volumes with random names, making them hard to know who they belonged to. With this release, we fixed the Rekor manifests by adding proper volume mounting. We name the volumes as follows: redis-backfill-storage and rekor-redis-storage.

Chapter 4. Known issues
Copy link

A list of unresolved known issues found in this release, and earlier releases of RHTAS:

An Operator Lifecycle Manager catalog incident causes the RHTAS Operator version mismatch on Red Hat OpenShift 4.15 clusters
An incident involving the Operator Lifecycle Manager (OLM) catalog has caused Red Hat OpenShift to incorrectly update the RHTAS Operator from version 1.2.1 to version 1.3.2. This is happening on the stable channel for Red Hat OpenShift 4.15 clusters when auto-update is enabled. This mismatch effects Red Hat OpenShift 4.15 clusters by locking them on version RHTAS 1.3.2 when they should not be. To resolve this issue, do a full backup of your RHTAS data, upgrade the Red Hat OpenShift cluster to at least version 4.18, and then manually update the RHTAS Operator to version 1.2.2, or you can remain on the 1.3.x stable channel, if required. Next, restore your data. If you did a backup on RHTAS 1.3.2, then you must restore your data to the same version. The backup and restore process is not cross-version compatible. Upgrading the underlying Red Hat OpenShift cluster ensures platform compatibility with the RHTAS Operator versioning requirements, thereby resolving the OLM routing conflict and enabling future security patches and functional updates moving forward.
Cosign fails verification of signed timestamps after rotating the TSA certification chain

The current version of cosign expects only one single Timestamp Authority (TSA) certificate chain. When rotating the TSA certificate chain, you give the whole TSA certificate chain to The Update Framework (TUF) as an individual target. During the rotation process, setting the new TSA certificate chain as the new TUF target, and expiring the old TSA certificate chain gives the following error message.

main.go:74: error during command execution: unable to load TSA certificates: TSA certificate chain must contain exactly one leaf certificate

Currently, there is no workaround for this issue.

For information about rotating the TSA signer key and certificate chain see our procedure for Red Hat OpenShift Container Platform, or Red Hat Enterprise Linux.

The ownerReferences are lost when restoring Trusted Artifact Signer to a different OpenShift cluster
When restoring the RHTAS data to a new Red Hat OpenShift cluster, the ownerReferences for components are lost. This happens because the Securesign UUID changes when restoring on a new cluster, and the ownerReferences for each component gets deleted since they are no longer valid. To workaound this issue, run the provided script after the Securesign resource is restored. This script recreates the ownerReferences with the new Securesign UUID.
Specifying a PVC name for the TUF repository fails the initialization process

When specifying a persistent volume claim (PVC) name in The Update Framework (TUF) resource causes the RHTAS operator to fail the initialization of the TUF repository. For example: 

spec:
...
  tuf:
    ...
      pvc:
        name: tuf-pvc-example-name
...
Copy to Clipboard Toggle word wrap

To workaround this issue, do not specify a PVC name in the TUF resource. This allows the RHTAS operator to automatically create the PVC, names it tuf, and properly initializes the TUF repository.

Rekor Search UI does not show records after upgrade

After upgrading the RHTAS operator to the latest version (1.0.1), the existing Rekor data is not found when searching by email address. The backfill-redis CronJob, which ensures that Rekor Search UI can query the transparency log only runs once per day, at midnight. To workaround this issue, you can trigger the backfill-redis job manually, instead of waiting until midnight.

To trigger the backfill-redis job from the command-line interface, run the following command: 

$ oc create job --from=cronjob/backfill-redis backfill-redis -n trusted-artifact-signer
Copy to Clipboard Toggle word wrap

Doing this adds the missing data back to the Rekor Search UI.

The Trusted Artifact Signer Operator does not apply configuration changes

We found a potential issue with the RHTAS Operator logic that can cause an unexpected state when redeploying. This inconsistent state can happen if removing configurations from RHTAS resources and the Operator tries to redeploy those resources. To workaround this potential issue, you can delete the specific resource, and then re-create that resource by using the previous instance’s configuration, such as keys, and persistent volumes. The RHTAS resources are: Securesign, Fulcio, The Update Framework (TUF), Rekor, Certificate Transparency (CT) log, or Trillian.

For example, to delete the Securesign resource: 

$ oc delete Securesign securesing-sample
Copy to Clipboard Toggle word wrap

For example, to re-create the Securesign resource from a configuration file: 

$ oc create -f ./securesign-sample.yaml
Copy to Clipboard Toggle word wrap
Operator does not update the component status after doing a restore to a different OpenShift cluster

When restoring the RHTAS signer data from a backup to a new OpenShift cluster, the component status links do not update as expected. Currently, you have to manually delete the securesign-sample-trillian-db-tls resource, and manually update the component status links. The RHTAS operator will automatically re-create an updated securesign-sample-trillian-db-tls resource, after it has been removed.

After the backup procedure starts, and the secrets restored, delete the securesign-sample-trillian-db-tls resource: 

$ oc delete secret securesign-sample-trillian-db-tls
Copy to Clipboard Toggle word wrap

Once all the pods start, then update the status files for Securesign, and TimestampAuthority: 

$ oc edit --subresource=status Securesign securesign-sample
$ oc edit --subresource=status TimestampAuthority securesign-sample
Copy to Clipboard Toggle word wrap
Trusted Artifact Signer requires cosign 2.2 or later
Because of recent changes to how we generate The Update Framework (TUF) repository, and making use of different checksum algorithms, we require the use of cosign version 2.2 or later. With this release of RHTAS, you can download cosign version 2.4 for use with Trusted Artifact Signer.

The following tables list Red Hat’s Trusted Artifact Signer (RHTAS) software components and their corresponding version numbers for the 1.2.1 release.

Expand
Table A.1. Binaries
BinaryVersion

cosign

2.4.3

gitsign

0.12.0

rekor-cli

1.3.9

ec

0.6

createtree

1.7.1

updatetree

1.7.1

tuftool

0.12.0

tuffer

0.19.0

fetch-tsa-certs

1.2.4

Expand
Table A.2. Trillian
ComponentVersion

logserver

1.7.1

logsigner

1.7.1

database

1.7.1

redis

1.7.1

Expand
Table A.3. Rekor
ComponentVersion

rekor-server

1.3.9

backfill-redis

1.3.9

rekor-search-ui

1.3.9

Expand
Table A.4. Fulcio
ComponentVersion

fulcio-server

1.6.6

Expand
Table A.5. Certificate Transparency
ComponentVersion

certificate-transparency-go

1.3.1

Expand
Table A.6. Timestamp Authority
ComponentVersion

timestamp-authority

1.2.4

Legal Notice
Copy link

Copyright © Red Hat.
Except as otherwise noted below, the text of and illustrations in this documentation are licensed by Red Hat under the Creative Commons Attribution–Share Alike 3.0 Unported license . If you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, the Red Hat logo, JBoss, Hibernate, and RHCE are trademarks or registered trademarks of Red Hat, LLC. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
XFS is a trademark or registered trademark of Hewlett Packard Enterprise Development LP or its subsidiaries in the United States and other countries.
The OpenStack® Word Mark and OpenStack logo are trademarks or registered trademarks of the Linux Foundation, used under license.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top