Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 3. Verifying signed artifacts in an offline environment

In some cases, you need to verify an artifact’s authenticity, but do not have access to the Red Hat Trusted Artifact Signer (RHTAS) service that signed that artifact. In these cases, you can still verify an artifact’s signature by doing an offline verification.

Before you can start doing offline artifact verification, you need access to the RHTAS signing environment, and access to an image registry. In the offline environment, you only need access to the same image registry as the signing environment.

Prerequisites

  • Installation of RHTAS running either on the Red Hat OpenShift Container Platform, or on Red Hat Enterprise Linux (RHEL) managed by Ansible.
  • A workstation with the cosign, tuftool, tar, and sha256sum binaries installed.
  • Initialization of cosign with the current signing environment.

Procedure

  1. In the signing environment, do the following steps:

    1. Sign an image by using cosign: 

      cosign sign IMAGE_NAME:TAG
       
      $ cosign sign -y ttl.sh/rhtas/example-image:1h

    2. Get the Trust Root URL.

      1. For RHTAS deployments on Red Hat Enterprise Linux: 

        $ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE
$ export TUF_SERVER_URL=https://tuf.${BASE_HOSTNAME}

      2. For RHTAS deployments on Red Hat OpenShift Container Platform: 

        $ export TUF_SERVER_URL="$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)"

    3. Create a clone of the Trust Root locally: 

      $ export TUF_REPOSITORY="${HOME}/repository"
$ tuftool clone --allow-root-download --metadata-dir "${TUF_REPOSITORY}" --targets-dir "${TUF_REPOSITORY}/targets" --metadata-url "${TUF_SERVER_URL}" --targets-url "${TUF_SERVER_URL}/targets"

    4. Create a compressed archive file of the Trust Root: 

      $ tar -czvf repository.tar.gz "${TUF_REPOSITORY}"
$ sha256sum repository.tar.gz

      Make note of the checksum output for use later in the offline environment.

    5. Copy the compressed archive file to the offline environment.

      Important

      You must copy the Trust Root compressed archive file every time you update The Update Framework (TUF) metadata files or when you rotate any RHTAS component keys and certificates.

  2. In the offline environment, do the following steps:

    1. Change directory to where you copied the compressed archive file of the Trust Root.

    2. Verify the checksum by using the checksum value from the signing environment: 

      $ echo "SHA256_CHECKSUM repository.tar.gz" > checksum.txt
$ sha256sum --check checksum.txt || echo "Archive integrity compromised, don't continue with the procedure\!"
      Important

      Only continue if the integrity check is successful.

    3. Expand the compressed archive file: 

      $ tar -xzvf repository.tar.gz

  3. Initialize cosign: 

    $ cd repository/
$ cosign initialize --mirror=file://$(pwd)/ --root=$(pwd)/1.root.json

  4. Verify the signed artifacts: 

    $ export IMAGE="IMAGE_NAME:TAG"
$ export SIGNING_EMAIL_ADDR=SIGNING_EMAIL_ADDRESS
$ export SIGNING_OIDC_ISSUER=OIDC_ISSUER_URL
$ cosign verify --certificate-identity="${SIGNING_EMAIL_ADDR}" --certificate-oidc-issuer="${SIGNING_OIDC_ISSUER}" "${IMAGE}"
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top