Chapter 5. Attesting and validating a container image
Before Enterprise Contract can validate your signed container image, you must first create SLSA provenance and associate it with your container image. Provenance is the verifiable information about software artifacts, including where, when, and how a given software "link" in a supply chain was produced. For more information about Supply-chain Levels for Software Artifacts (SLSA) provenance, see SLSA Provenance.
Prerequisites
- A signed container image.
- Access to the OpenShift web console.
- A working Red Hat Trusted Artifact Signer installation running on OpenShift version 4.13 or later.
- A workstation with the cosign and oc binary files installed.
Procedure
Create a SLSA provenance predicate.json file; for example:

    echo '{
      "builder": { "id": "https://localhost/dummy-id" },
      "buildType": "https://localhost/dummy-type",
      "invocation": {},
      "buildConfig": {},
      "metadata": {
        "buildStartedOn": "2023-09-25T16:26:44Z",
        "buildFinishedOn": "2023-09-25T16:28:59Z",
        "completeness": { "parameters": false, "environment": false, "materials": false },
        "reproducible": false
      },
      "materials": []
    }
    ' > predicate.json

Sign and attest the predicate.json file you just created; for example:

    cosign attest -y --fulcio-url=$FULCIO_URL \
      --rekor-url=$REKOR_URL \
      --oidc-issuer=$OIDC_ISSUER_URL \
      --predicate predicate.json \
      --type slsaprovenance $IMAGE

Keycloak opens to automatically authenticate you based on your login when you signed your container image.
Verify the signature and attestation with Enterprise Contract; for example:

    ec validate image --image $IMAGE \
      --certificate-identity-regexp '.*' \
      --certificate-oidc-issuer-regexp '.*' \
      --output yaml --show-successes

Be as specific as possible when you run the ec validate image command so that each signature matches the expected identity. The '.*' patterns in the example accept any certificate identity and any OIDC issuer.
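The sample command passes '.*' for both the certificate identity and the OIDC issuer. As an added example (not taken from the Red Hat documentation), the script below builds escaped, anchored patterns for the same two flags and shows offline what each pattern would accept. SIGNER_IDENTITY and the sample identities are assumptions, and grep -E is used as a stand-in for the verifier's regexp matching.

```shell
#!/bin/sh
# Added example, not Red Hat's code. SIGNER_IDENTITY is a hypothetical variable;
# IMAGE and OIDC_ISSUER_URL are the variables used in the procedure above.

# Turn an exact string into an anchored regexp: escape regexp metacharacters
# so that "." only matches a dot, then pin both ends with ^ and $.
anchored_regexp() {
    printf '^%s$\n' "$(printf '%s' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g')"
}

# Offline check of what a pattern would accept. Assumption: grep -E behaves
# like the verifier's regexp engine for these simple patterns.
regexp_accepts() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Same command as in the procedure, with the '.*' wildcards replaced.
validate_image() {
    ec validate image --image "$IMAGE" \
        --certificate-identity-regexp "$(anchored_regexp "$SIGNER_IDENTITY")" \
        --certificate-oidc-issuer-regexp "$(anchored_regexp "$OIDC_ISSUER_URL")" \
        --output yaml --show-successes
}

# Constructed identities, for illustration only.
expected='dev@example.com'
for candidate in 'dev@example.com' 'dev@example.com.other.test' 'dev@exampleXcom'; do
    for pattern in '.*' "$expected" "$(anchored_regexp "$expected")"; do
        if regexp_accepts "$pattern" "$candidate"; then verdict=accepted; else verdict=rejected; fi
        printf '%-28s %-22s %s\n' "$candidate" "$pattern" "$verdict"
    done
done
```

Only the escaped, anchored pattern rejects the two lookalike identities; the bare address used as a pattern still accepts both.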
Verification
- When Enterprise Contract has validated your container image, a detailed report of all Enterprise Contract verifications and signatures opens.
Additional resources
- For more information about Red Hat Trusted Artifact Signer, and especially about how it works with RHTAP and Enterprise Contract, see Red Hat Trusted Artifact Signer Deployment.
- For more information about SLSA, see slsa.dev.
- For more information about Keycloak, see keycloak.org.
5.1. Verifying JSON and YAML definitions
When you’re considering all of your options for securing your software supply chain, you might choose to apply policies to task or pipeline definitions. For example, maybe you want to use Enterprise Contract to check which tasks are performed in a given pipeline. Perhaps you want to make some pipeline tasks mandatory, allow only certain tasks to be performed, or enforce any other convention before tasks and pipelines run.
Prerequisites
- You’ve installed the Enterprise Contract CLI. For install instructions, refer to the Installing Enterprise Contract CLI guide. You can find the required files in the ec-cli GitHub repository.
Procedure
To verify that an Enterprise Contract JSON or YAML definition is valid, perform the following steps:
- In the Enterprise Contract CLI, enter the ec validate input command.