Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Red Hat Enterprise Linux

You can install the Red Hat Trusted Artifact Signer (RHTAS) on Red Hat Enterprise Linux by using a Red Hat provided Ansible Playbook. This deployment gives you a basic signing framework with Keycloak as the OpenID Connect (OIDC) provider.

Warning

Red Hat recommends not to use Ansible logging in verbose or debugging mode for production environments.

For more information, see the Ansible documentation.

Prerequisites

  • Red Hat Enterprise Linux version 9.4 or later.
  • A Red Hat user account to access the Red Hat Hybrid Cloud Console.

Procedure

  1. Log in to the Red Hat Hybrid Cloud Console with your Red Hat credentials.
  2. From the home page, click the Services drop-down menu, and click Red Hat Ansible Automation Platform.
  3. From the navigational menu, expand Automation Hub, and click Collections.
  4. In the search field type rhtas and press enter.
  5. Click the artifact_signer link on the Red Hat Trusted Artifact Signer tile.

  6. Click the Documentation tab, and follow the steps there to complete the installation of RHTAS on Red Hat Enterprise Linux.

    Note

    For a detailed overview of all the configuration parameters, click the tas_single_node link under the Roles section.

As as systems administrator, you can verify if the deployment of Red Hat Trusted Artifact Signer (RHTAS) running on Red Hat Enterprise Linux was successful.

You can sign a test container image, and verify the authenticity of that signature to validate the deployment of RHTAS in your environment.

There are two ways to sign and three ways to verify build artifacts from your code pipeline. You can sign and verify with cosign and gitsign, but can only verify with Enterprise Contract.

The cosign tool gives you the capability to sign and verify Open Container Initiative (OCI) container images, along with other build artifacts by using Red Hat Trusted Artifact Signer (RHTAS) service.

Important

Red Hat recommends using cosign version 3.0 or later for RHTAS 1.4 or later deployments.

Prerequisites

  • Installation of RHTAS running on Red Hat Enterprise Linux 9.4 or later managed by Ansible.
  • A workstation with the podman binary installed.

Procedure

  1. Download the cosign binary from the local command-line interface (CLI) tool download page to your workstation.

    Note

    The URL address is the configured node as defined by the tas_single_node_base_hostname variable. An example URL address would be, https://cli-server.example.com, given the tas_single_node_base_hostname value as example.com.

    1. From the download page, go to the cosign download section, and click the link for your platform.

    2. Open a terminal on your workstation, decompress the binary .gz file, and set the execution bit: 

      $ gunzip cosign-amd64.gz
$ chmod +x cosign-amd64

    3. Move and rename the binary to a location within your $PATH environment: 

      $ sudo mv cosign-amd64 /usr/local/bin/cosign

  2. Configure your shell environment for doing container image signing and verifying. 

    $ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE
$ export TUF_URL="https://tuf-${BASE_HOSTNAME}"
$ export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer"
$ export COSIGN_YES="true"
$ export ROOT_CHECKSUM=$(curl -s "$TUF_URL/1.root.json" | sha256sum | awk '{print $1}')

    Replace BASE_HOSTNAME_OF_RHTAS_SERVICE with the value of the tas_single_node_base_hostname variable.

  3. Initialize The Update Framework (TUF) system: 

    $ cosign initialize --mirror "$TUF_URL" --root "$TUF_URL/1.root.json" --root-checksum "$ROOT_CHECKSUM"

    Adding the --root-checksum option to the cosign initialize command ensures that the TUF root metadata is valid and has not been tampered with.

  4. Sign a test container image.

    1. Create an empty container image: 

      $ echo "FROM scratch" > ./tmp.Dockerfile
$ podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1h

    2. Push the empty container image to the ttl.sh ephemeral registry: 

      $ podman push ttl.sh/rhtas/test-image:1h

    3. Sign the container image: 

      $ cosign sign --oidc-client-id trusted-artifact-signer ttl.sh/rhtas/test-image:1h

      A web browser opens allowing you to sign the container image with an email address.

    4. Remove the temporary Docker file: 

      $ rm ./tmp.Dockerfile

  5. Verify a signed container image by using a certificate identity and issuer: 

    $ cosign verify --certificate-identity=SIGNING_EMAIL_ADDR --certificate-oidc-issuer=OIDC_ISSUER_URL IMAGE_NAME:TAG

    Replace OIDC_ISSUER_URL with your OpenID Connect (OIDC) provider’s URL string.

    Replace SIGNING_EMAIL_ADDR with the email address used for signing the container image.

    Replace IMAGE_NAME:TAG with the name and tag of the container image to verify.

    Note

    You can also use regular expressions for the certificate identity and issuer by using the following options to the cosign command, --certificate-identity-regexp and --certificate-oidc-issuer-regexp.

  6. Download the rekor-cli binary from the local command-line interface (CLI) tool download page to your workstation.

    1. Open a web browser, and go to the CLI server web page.

      Note

      The URL address is the configured node as defined by the tas_single_node_base_hostname variable. An example URL address would be, https://cli-server.example.com, given that the value of tas_single_node_base_hostname is example.com.

    2. From the download page, go to the rekor-cli download section, and click the link for your platform.

    3. Open a terminal on your workstation, decompress the binary .gz file, and set the execution bit: 

      $ gunzip rekor-cli-amd64.gz
$ chmod +x rekor-cli-amd64

    4. Move and rename the binary to a location within your $PATH environment: 

      $ sudo mv rekor-cli-amd64 /usr/local/bin/rekor-cli

  7. Query the transparency log by using the Rekor command-line interface.

    1. Set the REKOR_URL environment variable to the URL for the Rekor service: 
    $ export REKOR_URL="https://rekor.${BASE_HOSTNAME}"

    1. Search based on the log index: 

      $ rekor-cli get --log-index 0 --rekor_server $REKOR_URL --format json | jq

    2. Search for an email address to get the universal unique identifier (UUID): 

      $ rekor-cli search --email SIGNING_EMAIL_ADDR --rekor_server $REKOR_URL --format json | jq

      Replace SIGNING_EMAIL_ADDR with the email address used for signing the container image.

      This command returns the UUID for use with the next step.

    3. Use the UUID to get the transaction details: 

      $ rekor-cli get --uuid UUID --rekor_server $REKOR_URL --format json | jq

      Replace UUID with the value returned from the previous search command.

The gitsign tool gives you the ability to sign and verify Git repository commits by using Red Hat Trusted Artifact Signer (RHTAS) service.

Prerequisites

  • Installation of RHTAS running on Red Hat Enterprise Linux 9.4 or later managed by Ansible.

  • A workstation with the git, and cosign binaries installed.

    • Red Hat recommends using cosign version 3.0 or later.
  • A locally cloned Git repository.

Procedure

  1. Download the gitsign binary from the local command-line interface (CLI) tool download page to your workstation.

    Note

    The URL address is the configured node as defined by the tas_single_node_base_hostname variable. An example URL address would be, https://cli-server.example.com, given the tas_single_node_base_hostname value as example.com.

    1. From the download page, go to the gitsign download section, and click the link for your platform.

    2. Open a terminal on your workstation, decompress the .gz file, and set the execution bit: 

      $ gunzip gitsign-amd64.gz
$ chmod +x gitsign-amd64

    3. Move and rename the binary to a location within your $PATH environment: 

      $ sudo mv gitsign-amd64 /usr/local/bin/gitsign

  2. Configure your shell environment for doing commit signing and verifying. 

    $ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE
$ export TUF_URL="https://tuf-${BASE_HOSTNAME}"
$ export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer"
$ export COSIGN_YES="true"
$ export ROOT_CHECKSUM=$(curl -s "$TUF_URL/1.root.json" | sha256sum | awk '{print $1}')

    Replace BASE_HOSTNAME_OF_RHTAS_SERVICE with the value of the tas_single_node_base_hostname variable.

  3. Change directory (cd) to the local Git repository directory.

  4. Configure the local repository configuration to sign your commits by using the RHTAS service: 

    git config --local commit.gpgsign true
git config --local tag.gpgsign true
git config --local gpg.x509.program gitsign
git config --local gpg.format x509
git config --local gitsign.clientID trusted-artifact-signer

  5. Make a commit to the local repository: 

    $ git commit --allow-empty -S -m "Test of a signed commit"

    A web browser opens allowing you to sign the commit with an email address.

  6. Initialize The Update Framework (TUF) system: 

    $ gitsign initialize --mirror "$TUF_URL" --root "$TUF_URL/root.json"

  7. Verify the commit: 

    $ gitsign verify --certificate-identity=SIGNING_EMAIL_ADDR --certificate-oidc-issuer=OIDC_ISSUER_URL HEAD

    Replace SIGNING_EMAIL_ADDR with the email address used for signing the commit.

    Replace OIDC_ISSUER_URL with your OpenID Connect (OIDC) provider’s URL string.

Conforma, formally known as Enterprise Contract (EC), is a tool for maintaining the security of software supply chains, and you can use it to define and enforce policies for container images. You can use the ec binary to verify the attestation and signature of container images that use Red Hat’s Trusted Artifact Signer (RHTAS) signing framework.

Prerequisites

  • Installation of RHTAS running on Red Hat Enterprise Linux 9.4 or later managed by Ansible.

  • A workstation with the cosign, and podman binaries installed.

    • Red Hat recommends using cosign version 3.0 or later.

Procedure

  1. Download the ec binary from the local command-line interface (CLI) tool download page to your workstation.

    Note

    The URL address is the configured node as defined by the tas_single_node_base_hostname variable. An example URL address would be, https://cli-server.example.com, given the tas_single_node_base_hostname value as example.com.

    1. From the download page, go to the ec download section, and click the link for your platform.

    2. Open a terminal on your workstation, decompress the binary .gz file, and set the execution bit: 

      $ gunzip ec-amd64.gz
$ chmod +x ec-amd64

    3. Move and rename the binary to a location within your $PATH environment: 

      $ sudo mv ec-amd64 /usr/local/bin/ec

  2. Configure your shell environment for doing container image signing and verifying. 

    $ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE
$ export TUF_URL="https://tuf-${BASE_HOSTNAME}"
$ export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer"
$ export COSIGN_YES="true"
$ export ROOT_CHECKSUM=$(curl -s "$TUF_URL/1.root.json" | sha256sum | awk '{print $1}')

    Replace BASE_HOSTNAME_OF_RHTAS_SERVICE with the value of the tas_single_node_base_hostname variable.

  3. Initialize The Update Framework (TUF) system: 

    $ cosign initialize --mirror "$TUF_URL" --root "$TUF_URL/1.root.json" --root-checksum "$ROOT_CHECKSUM"

  4. Sign a test container image.

    1. Create an empty container image: 

      $ echo "FROM scratch" > ./tmp.Dockerfile
$ podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1h

    2. Push the empty container image to the ttl.sh ephemeral registry: 

      $ podman push ttl.sh/rhtas/test-image:1h

    3. Sign the container image: 

      $ cosign sign ttl.sh/rhtas/test-image:1h

      A web browser opens allowing you to sign the container image with an email address.

    4. Remove the temporary Docker file: 

      $ rm ./tmp.Dockerfile

  5. Create a predicate.json file: 

    {
  "builder": {
    "id": "https://localhost/dummy-id"
  },
  "buildType": "https://example.com/tekton-pipeline",
  "invocation": {},
  "buildConfig": {},
  "metadata": {
    "completeness": {
      "parameters": false,
      "environment": false,
      "materials": false
    },
    "reproducible": false
  },
  "materials": []
}

    Refer to the SLSA provenance predicate specifications for more information about the schema layout.

  6. Associate the predicate.json file with the container image: 

    cosign attest -y --predicate ./predicate.json --type slsaprovenance IMAGE_NAME:TAG
     
    $ cosign attest -y --predicate ./predicate.json --type slsaprovenance ttl.sh/rhtas/test-image:1h

  7. Verify that the container image has at least one attestation and signature: 

    cosign tree IMAGE_NAME:TAG
     
    $ cosign tree ttl.sh/rhtas/test-image:1h

📦 Supply Chain Security Related artifacts for an image: ttl.sh/rhtas/test-image@sha256:7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35
└── 💾 Attestations for an image tag: ttl.sh/rhtas/test-image:sha256-7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35.att
   └── 🍒 sha256:40d94d96a6d3ab3d94b429881e1b470ae9a3cac55a3ec874051bdecd9da06c2e
└── 🔐 Signatures for an image tag: ttl.sh/rhtas/test-image:sha256-7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35.sig
   └── 🍒 sha256:f32171250715d4538aec33adc40fac2343f5092631d4fc2457e2116a489387b7

  8. Verify the container image by using Conforma: 

    ec validate image --image IMAGE_NAME:TAG --certificate-identity-regexp 'SIGNER_EMAIL_ADDR' --certificate-oidc-issuer-regexp 'keycloak-system' --output yaml --show-successes
     
    $ ec validate image --image ttl.sh/rhtas/test-image:1h --certificate-identity-regexp 'jdoe@example.com' --certificate-oidc-issuer-regexp 'keycloak-system' --output yaml --show-successes

success: true
successes:
  - metadata:
      code: builtin.attestation.signature_check
    msg: Pass
  - metadata:
      code: builtin.attestation.syntax_check
    msg: Pass
  - metadata:
      code: builtin.image.signature_check
    msg: Pass
ec-version: v0.1.2427-499ef12
effective-time: "2024-01-21T19:57:51.338191Z"
key: ""
policy: {}
success: true

    Conforma generates a pass-fail report with details on any security violations. When you add the --info flag, the report includes more details and possible solutions for any violations found.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Legal Notice

Theme

© 2026 Red HatBack to top