Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 4. Creating and verifying task run signatures without any additional authentication

To verify signatures of task runs by using Tekton Chains with any additional authentication, perform the following tasks:

  • Generate an encrypted x509 or cosign key pair and store it as a Kubernetes secret.
  • Configure the Tekton Chains backend storage.
  • Create a task run, sign it, and store the signature and the payload as annotations on the task run itself.
  • Retrieve the signature and payload from the signed task run.
  • Verify the signature of the task run.

Prerequisites

Ensure that you install the following components on the cluster:

  • Red Hat OpenShift Pipelines Operator
  • Tekton Chains
  • Cosign

Procedure

  1. Generate an encrypted x509 or cosign key pair. For more information about creating a key pair and saving it as a secret, see "Secrets for signing data in Tekton Chains".

  2. In the Tekton Chains configuration, disable the Open Container Initiative (OCI) storage, and set the task run storage and format to tekton. In the TektonConfig custom resource set the following values: 

    apiVersion: operator.tekton.dev/v1alpha1
kind: TektonConfig
metadata:
  name: config
spec:
# ...
    chain:
      artifacts.oci.storage: ""
      artifacts.taskrun.format: tekton
      artifacts.taskrun.storage: tekton
# ...

    For more information about configuring Tekton Chains using the TektonConfig custom resource, see "Configuring Tekton Chains".

  3. To restart the Tekton Chains controller to apply the modified configuration, enter the following command: 

    $ oc delete po -n openshift-pipelines -l app=tekton-chains-controller

  4. Create a task run by entering the following command: 

    $ oc create -f https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml
    -f

    Replace the example URI with the URI or file path pointing to your task run.

    Example output

    taskrun.tekton.dev/build-push-run-output-image-qbjvh created

  5. Check the status of the steps by entering the following command. Wait until the process finishes. 

    $ tkn tr describe --last

    Example output

    [...truncated output...]
NAME                            STATUS
∙ create-dir-builtimage-9467f   Completed
∙ git-source-sourcerepo-p2sk8   Completed
∙ build-and-push                Completed
∙ echo                          Completed
∙ image-digest-exporter-xlkn7   Completed

  6. To retrieve the signature from the object stored as base64 encoded annotations, enter the following commands: 

    $ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" | base64 -d > sig
     
    $ export TASKRUN_UID=$(tkn tr describe --last -o  jsonpath='{.metadata.uid}')

  7. To verify the signature using the public key that you created, enter the following command: 

    $ cosign verify-blob-attestation --insecure-ignore-tlog --key path/to/cosign.pub --signature sig --type slsaprovenance --check-claims=false /dev/null
    --insecure-ignore-tlog

    Replace path/to/cosign.pub with the path name of the public key file.

    Example output

    Verified OK

Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Legal Notice

Theme

© 2026 Red HatRetour au début