Red Hat SummitChapter 3. Verifying signed artifacts in an offline environment
In some cases, you need to verify an artifact’s authenticity, but do not have access to the Red Hat Trusted Artifact Signer (RHTAS) service that signed that artifact. In these cases, you can still verify an artifact’s signature by doing an offline verification.
Before you can start doing offline artifact verification, you need access to the RHTAS signing environment, and access to an image registry. In the offline environment, you only need access to the same image registry as the signing environment.
Prerequisites
- Installation of RHTAS running either on the Red Hat OpenShift Container Platform, or on Red Hat Enterprise Linux (RHEL) managed by Ansible.
-
A workstation with the
cosign,tuftool,tar, andsha256sumbinaries installed. -
Initialization of
cosignwith the current signing environment.
Procedure
In the signing environment, do the following steps:
Sign an image by using
cosign:cosign sign IMAGE_NAME:TAG
cosign sign IMAGE_NAME:TAGCopy to Clipboard Copied! Toggle word wrap Toggle overflow cosign sign -y ttl.sh/rhtas/example-image:1h
$ cosign sign -y ttl.sh/rhtas/example-image:1hCopy to Clipboard Copied! Toggle word wrap Toggle overflow Get the Trust Root URL.
For RHTAS deployments on Red Hat Enterprise Linux:
export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE export TUF_SERVER_URL=https://tuf.${BASE_HOSTNAME}$ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE $ export TUF_SERVER_URL=https://tuf.${BASE_HOSTNAME}Copy to Clipboard Copied! Toggle word wrap Toggle overflow For RHTAS deployments on Red Hat OpenShift Container Platform:
export TUF_SERVER_URL="$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)"$ export TUF_SERVER_URL="$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)"Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Create a clone of the Trust Root locally:
export TUF_REPOSITORY="${HOME}/repository" tuftool clone --allow-root-download --metadata-dir "${TUF_REPOSITORY}" --targets-dir "${TUF_REPOSITORY}/targets" --metadata-url "${TUF_SERVER_URL}" --targets-url "${TUF_SERVER_URL}/targets"$ export TUF_REPOSITORY="${HOME}/repository" $ tuftool clone --allow-root-download --metadata-dir "${TUF_REPOSITORY}" --targets-dir "${TUF_REPOSITORY}/targets" --metadata-url "${TUF_SERVER_URL}" --targets-url "${TUF_SERVER_URL}/targets"Copy to Clipboard Copied! Toggle word wrap Toggle overflow Create a compressed archive file of the Trust Root:
tar -czvf repository.tar.gz "${TUF_REPOSITORY}" sha256sum repository.tar.gz$ tar -czvf repository.tar.gz "${TUF_REPOSITORY}" $ sha256sum repository.tar.gzCopy to Clipboard Copied! Toggle word wrap Toggle overflow Make note of the checksum output for use later in the offline environment.
Copy the compressed archive file to the offline environment.
ImportantYou must copy the Trust Root compressed archive file every time you update The Update Framework (TUF) metadata files or when you rotate any RHTAS component keys and certificates.
In the offline environment, do the following steps:
- Change directory to where you copied the compressed archive file of the Trust Root.
Verify the checksum by using the checksum value from the signing environment:
echo "SHA256_CHECKSUM repository.tar.gz" > checksum.txt sha256sum --check checksum.txt || echo "Archive integrity compromised, don't continue with the procedure\!"
$ echo "SHA256_CHECKSUM repository.tar.gz" > checksum.txt $ sha256sum --check checksum.txt || echo "Archive integrity compromised, don't continue with the procedure\!"Copy to Clipboard Copied! Toggle word wrap Toggle overflow ImportantOnly continue if the integrity check is successful.
Expand the compressed archive file:
tar -xzvf repository.tar.gz
$ tar -xzvf repository.tar.gzCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Initialize
cosign:cd repository/ cosign initialize --mirror=file://$(pwd)/ --root=$(pwd)/1.root.json
$ cd repository/ $ cosign initialize --mirror=file://$(pwd)/ --root=$(pwd)/1.root.jsonCopy to Clipboard Copied! Toggle word wrap Toggle overflow Verify the signed artifacts:
export IMAGE="IMAGE_NAME:TAG" export SIGNING_EMAIL_ADDR=SIGNING_EMAIL_ADDRESS export SIGNING_OIDC_ISSUER=OIDC_ISSUER_URL cosign verify --certificate-identity="${SIGNING_EMAIL_ADDR}" --certificate-oidc-issuer="${SIGNING_OIDC_ISSUER}" "${IMAGE}"$ export IMAGE="IMAGE_NAME:TAG" $ export SIGNING_EMAIL_ADDR=SIGNING_EMAIL_ADDRESS $ export SIGNING_OIDC_ISSUER=OIDC_ISSUER_URL $ cosign verify --certificate-identity="${SIGNING_EMAIL_ADDR}" --certificate-oidc-issuer="${SIGNING_OIDC_ISSUER}" "${IMAGE}"Copy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}