Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 4. Verifying Red Hat signatures

You can use Red Hat Trusted Artifact Signer (RHTAS) to verify the authenticity of Red Hat’s products, and artificial intelligence (AI) generated Granite models.

Prerequisites

  • Installation of RHTAS running on Red Hat Enterprise Linux or Red Hat OpenShift Container Platform.
  • Access to the Red Hat’s Customer Portal for downloading product signing keys.
  • A workstation with the cosign binary installed, version 2.2 or later.

Procedure

  1. Download Red Hat’s product signing keys from the Customer Portal for the products you want to verify. This downloads a text file containing Red Hat’s public key signature.

  2. Open a terminal on your workstation. Download the Rekor public key, and create a new rekor.pem file: 

    $ curl https://REKOR_HOSTNAME/api/v1/log/publicKey > rekor.pem

  3. Create a new cosign public key from the Red Hat product signing key: 

    $ cat 63405576.txt > cosign.pub

  4. Configure your shell environment for cosign to use the new Rekor public key: 

    $ export SIGSTORE_REKOR_PUBLIC_KEY=rekor.pem

  5. Verify a Red Hat signed image by using the cosign public key: 

    cosign verify --key cosign.pub IMAGE_NAME:TAG
     
    $ cosign verify --key cosign.pub registry.redhat.io/rhelai1/granite-3.1-8b-starter-v1:latest
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top