Chapter 1. Enterprise Contract for Red Hat Trusted Application Pipeline

The more complex a software supply chain becomes, the more critical it is to employ reliable checks and best practices to guarantee software artifact integrity and source code dependability. Artifacts such as your image containers. This is where Red Hat Enterprise Contract enters your Red Hat Trusted Application Pipeline build and deploy experience.

Enterprise Contract is a policy-driven workflow tool for maintaining software supply chain security by defining and enforcing policies for building and testing container images. For a build system that creates Supply-chain Levels for Software Artifacts (SLSA) provenance attestations, such as Tekton with Tekton Chains and GitHub Actions with the SLSA GitHub Generator, checking the signatures and confirming that the contents of the attestations actually match what is expected is a critical part of verifying and maintaining the integrity of your software supply chain. A secure CI/CD workflow should include artifact verification to detect problems early. It’s the job of Enterprise Contract to validate that a container image is signed and attested by a known and trusted build system.

The general steps for validating a signed and attested container image are as follows:

But what does it mean to sign and attest to the provenance of a software artifact like a container image? Why do it? And how?

Signed software artifacts like container images are at a significantly lower risk of several attack vectors than unsigned artifacts. When a container image is signed, various cryptographic techniques bind the image to a specific entity or organization. The result is a digital signature that verifies the authenticity of the image so that you can trace it back to its creator—that entity or organization—and also verify that the image wasn’t altered or tampered with after it was signed. For more information about software supply chain threats, see Supply chain threats.

Enterprise Contract uses the industry standard Sigstore Cosign as a resource library to validate your container images. With Trusted Artifact Signer, Red Hat’s supported version of the Sigstore framework, you can use your own on-prem instance of Sigstore’s services to sign and attest your container images with the Cosign CLI. For more information about Trusted Artifact Signer, see Red Hat Trusted Artifact Signer.

As for software artifact attestation, it can’t happen without provenance. Provenance is the verifiable information about software artifacts like container images that describes where, when, and how that artifact was produced. The attestation itself is an authenticated statement, in the form of metadata, that proves that an artifact is intact and trustworthy. Enterprise Contract uses that attestation to cryptographically verify that the build was not tampered with, and to check the build against any set of policies, such as SLSA requirements. For more information about SLSA, see About SLSA.

When you push your code from either the RHTAP development namespace to the stage namespace, or from the stage namespace to the production namespace, Enterprise Contract automatically runs its validation checks to make sure your container image was signed and attested by known and trusted build systems. When your image passes the Enterprise Contract check, you can merge your code changes to complete your promotion from one environment to the next. For more information about deploying your application to a different namespace, see Trusted Application Pipeline Software Template. For more inforamtion about where RHTAP saves your deployment manifests, see the RHTAP GitOps repository and its YAML files.