Chapter 4. Creating and verifying task run signatures without any additional authentication


To verify signatures of task runs by using Tekton Chains without any additional authentication, perform the following tasks:

  • Generate an encrypted x509 or cosign key pair and store it as a Kubernetes secret.
  • Configure the Tekton Chains backend storage.
  • Create a task run, sign it, and store the signature and the payload as annotations on the task run itself.
  • Retrieve the signature and payload from the signed task run.
  • Verify the signature of the task run.

Prerequisites

Ensure that you install the following components on the cluster:

  • Red Hat OpenShift Pipelines Operator
  • Tekton Chains
  • Cosign

Procedure

  1. Generate an encrypted x509 or cosign key pair. For more information about creating a key pair and saving it as a secret, see "Secrets for signing data in Tekton Chains".
  2. In the Tekton Chains configuration, disable the Open Container Initiative (OCI) storage, and set the task run storage and format to tekton. In the TektonConfig custom resource, set the following values:

    apiVersion: operator.tekton.dev/v1alpha1
    kind: TektonConfig
    metadata:
      name: config
    spec:
    # ...
      chain:
        artifacts.oci.storage: ""
        artifacts.taskrun.format: tekton
        artifacts.taskrun.storage: tekton
    # ...

    For more information about configuring Tekton Chains using the TektonConfig custom resource, see "Configuring Tekton Chains".

  3. To restart the Tekton Chains controller to apply the modified configuration, enter the following command:

    $ oc delete po -n openshift-pipelines -l app=tekton-chains-controller
  4. Create a task run by entering the following command:

    $ oc create -f https://raw.githubusercontent.com/tektoncd/chains/main/examples/taskruns/task-output-image.yaml

    Replace the example URI with the URI or file path pointing to your task run.

    Example output

    taskrun.tekton.dev/build-push-run-output-image-qbjvh created

  5. Check the status of the steps by entering the following command. Wait until the process finishes.

    $ tkn tr describe --last

    Example output

    [...truncated output...]
    NAME                            STATUS
    ∙ create-dir-builtimage-9467f   Completed
    ∙ git-source-sourcerepo-p2sk8   Completed
    ∙ build-and-push                Completed
    ∙ echo                          Completed
    ∙ image-digest-exporter-xlkn7   Completed

  6. Tekton Chains stores the signature as a base64-encoded annotation on the task run, keyed by the UID of the task run. To retrieve the signature, first export the UID and then decode the annotation, by entering the following commands in this order:

    $ export TASKRUN_UID=$(tkn tr describe --last -o jsonpath='{.metadata.uid}')
    $ tkn tr describe --last -o jsonpath="{.metadata.annotations.chains\.tekton\.dev/signature-taskrun-$TASKRUN_UID}" | base64 -d > sig
  7. To verify the signature using the public key that you created, enter the following command:

    $ cosign verify-blob-attestation --insecure-ignore-tlog --key path/to/cosign.pub --signature sig --type slsaprovenance --check-claims=false /dev/null

    Replace path/to/cosign.pub with the path name of the public key file. The --insecure-ignore-tlog flag skips the lookup in the Rekor transparency log, because this setup does not record signatures in a transparency log; the signature is still checked against the public key.

    Example output

    Verified OK
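The procedure above retrieves the signature and payload with tkn, base64 and cosign. The following script, an added example that is not part of the Red Hat documentation or of Tekton Chains itself, performs the same retrieval offline on the JSON of a task run (the document that oc get taskrun NAME -o json returns) and shows what cosign verify-blob-attestation actually verifies: the DSSE pre-authentication encoding of the payload, not the raw payload bytes. The task run, its UID and the envelope contents are constructed sample data; the signature value in it is a placeholder and is not valid. The annotation keys follow the layout Tekton Chains uses for the tekton storage backend.

```python
import base64
import json

# Annotation keys written by Tekton Chains when artifacts.taskrun.storage is "tekton".
SIGNED_KEY = "chains.tekton.dev/signed"
SIG_PREFIX = "chains.tekton.dev/signature-taskrun-"
PAYLOAD_PREFIX = "chains.tekton.dev/payload-taskrun-"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample data: an in-toto statement carrying an SLSA provenance predicate,
# wrapped in a DSSE envelope. The "sig" value is a placeholder, not a real signature.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example-image", "digest": {"sha256": "0" * 64}}],
    "predicate": {"builder": {"id": "https://tekton.dev/chains/v2"}},
}
_PAYLOAD_BYTES = json.dumps(_STATEMENT).encode()
_ENVELOPE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": b64(_PAYLOAD_BYTES),
    "signatures": [{"keyid": "placeholder-key-id", "sig": b64(b"not-a-real-signature")}],
}
_UID = "6a1c4b5e-0000-4000-8000-000000000001"  # constructed UID

SAMPLE_TASKRUN = {
    "apiVersion": "tekton.dev/v1",
    "kind": "TaskRun",
    "metadata": {
        "name": "build-push-run-output-image-qbjvh",
        "uid": _UID,
        "annotations": {
            SIGNED_KEY: "true",
            SIG_PREFIX + _UID: b64(json.dumps(_ENVELOPE).encode()),
            PAYLOAD_PREFIX + _UID: b64(_PAYLOAD_BYTES),
        },
    },
}


def extract_signed_artifact(taskrun: dict) -> tuple[bytes, bytes]:
    """Return (signature, payload) decoded from the task run annotations.

    This mirrors the tkn/jsonpath + base64 -d steps of the procedure, in the order
    they must run: the UID is needed before the annotation key can be formed.
    """
    meta = taskrun["metadata"]
    annotations = meta.get("annotations", {})
    if annotations.get(SIGNED_KEY) != "true":
        raise ValueError("task run is not marked as signed by Tekton Chains")
    uid = meta["uid"]
    try:
        sig = annotations[SIG_PREFIX + uid]
        payload = annotations[PAYLOAD_PREFIX + uid]
    except KeyError as exc:
        raise ValueError(f"missing annotation {exc.args[0]}") from None
    return base64.b64decode(sig), base64.b64decode(payload)


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the signature covers.

    PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
    """
    ptype = payload_type.encode()
    return b" ".join([b"DSSEv1", str(len(ptype)).encode(), ptype,
                      str(len(payload)).encode(), payload])


def describe_envelope(signature_blob: bytes) -> dict:
    """Parse the DSSE envelope and report the fields cosign inspects for --type slsaprovenance."""
    env = json.loads(signature_blob)
    payload = base64.b64decode(env["payload"])
    statement = json.loads(payload)
    return {
        "payload_type": env["payloadType"],
        "predicate_type": statement.get("predicateType"),
        "subjects": [s["name"] for s in statement.get("subject", [])],
        "signature_count": len(env["signatures"]),
        "payload": payload,
        "signed_bytes": dsse_pae(env["payloadType"], payload),
    }


if __name__ == "__main__":
    sig, payload = extract_signed_artifact(SAMPLE_TASKRUN)
    info = describe_envelope(sig)
    print("payloadType:", info["payload_type"])
    print("predicateType:", info["predicate_type"])
    print("subjects:", info["subjects"])
    print("payload annotation matches envelope payload:", info["payload"] == payload)
```

The script stops with an error when the chains.tekton.dev/signed annotation is absent or the UID-keyed annotations are missing, which is the situation the procedure produces if the controller was not restarted after the configuration change or the run has not finished yet. The signed_bytes field is what a key-based verification must check the signature against; verifying the raw payload instead would fail even with the right public key.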
