9.4. Verifying container signatures for supply chain security
You can enhance supply chain security by using the sigstore signing methodology.
sigstore support is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see the following link:
9.4.1. Understanding how to use sigstore to verify container signatures
You can configure the container runtime to verify image integrity by using the sigstore signing methodology. Configuring MicroShift container runtimes enables the verification of image integrity. With the sigstore project, developers can digitally sign what they build, creating a safer chain of custody that traces software back to the source. Administrators can then verify signatures and monitor workflows at scale. By using sigstore, you can store signatures in the same registry as the build images.
- For user-specific images, you must update the configuration file to point to the appropriate public key, or disable signature verification for those image sources.
- For disconnected or offline configurations, you must embed the public key contents into the operating system image.
9.4.2. Verifying container signatures using sigstore
Verify container signatures for MicroShift by configuring the container runtime to use sigstore. Signature verification uses the public key of the Red Hat keypair that was used to sign the images. To use sigstore, edit the default /etc/containers/policy.json file that is installed as part of the container runtime package.
You can access Red Hat public keys at the following link:
You must use the release key 3 for verifying MicroShift container signatures.
Prerequisites
- You have admin access to the MicroShift host.
- You installed MicroShift.
Procedure
- Download the relevant public key and save it as /etc/containers/RedHat_ReleaseKey3.pub by running the following command:

  $ sudo curl -sL https://access.redhat.com/security/data/63405576.txt -o /etc/containers/RedHat_ReleaseKey3.pub

- To configure the container runtime to verify images from Red Hat sources, edit the /etc/containers/policy.json file to contain the following configuration:

  Example policy JSON file

  {
    "default": [
      { "type": "reject" }
    ],
    "transports": {
      "docker": {
        "quay.io/openshift-release-dev": [
          {
            "type": "sigstoreSigned",
            "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
            "signedIdentity": { "type": "matchRepoDigestOrExact" }
          }
        ],
        "registry.redhat.io": [
          {
            "type": "sigstoreSigned",
            "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
            "signedIdentity": { "type": "matchRepoDigestOrExact" }
          }
        ]
      }
    }
  }

- Configure Red Hat remote registries to use sigstore attachments when pulling images to the local storage, by editing the /etc/containers/registries.d/registry.redhat.io.yaml file to contain the following configuration:

  $ cat /etc/containers/registries.d/registry.redhat.io.yaml
  docker:
    registry.redhat.io:
      use-sigstore-attachments: true

- Configure Red Hat remote registries to use sigstore attachments when pulling images to the local storage, by editing the /etc/containers/registries.d/registry.quay.io.yaml file to contain the following configuration:

  $ cat /etc/containers/registries.d/quay.io.yaml
  docker:
    quay.io/openshift-release-dev:
      use-sigstore-attachments: true

- Create user-specific registry configuration files if your use case requires signature verification for those image sources. You can use the example here to start with and add your own requirements.
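As an added check that is not part of the Red Hat procedure, the following Python script audits a policy.json against the settings above: a reject default, a sigstoreSigned requirement for both Red Hat scopes with a keyPath that exists and a matchRepoDigestOrExact identity, and no insecureAcceptAnything entries anywhere. The two sample policies are constructed inline; on a host you would pass the contents of /etc/containers/policy.json and keep the default os.path.exists check.

```python
import json
import os

# Constructed sample mirroring the page's example policy.json (not read from a host).
SAMPLE_POLICY = """{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "quay.io/openshift-release-dev": [{"type": "sigstoreSigned",
      "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
      "signedIdentity": {"type": "matchRepoDigestOrExact"}}],
    "registry.redhat.io": [{"type": "sigstoreSigned",
      "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
      "signedIdentity": {"type": "matchRepoDigestOrExact"}}]}}
}"""

# Constructed weakened variant: permissive default, one scope missing, key not on disk.
WEAK_POLICY = """{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {"docker": {
    "registry.redhat.io": [{"type": "sigstoreSigned",
      "keyPath": "/etc/containers/missing.pub",
      "signedIdentity": {"type": "matchRepository"}}]}}
}"""

REQUIRED_SCOPES = ("quay.io/openshift-release-dev", "registry.redhat.io")


def audit_policy(policy_text, key_exists=os.path.exists):
    """Return findings for a policy.json; an empty list means it matches the procedure."""
    findings = []
    policy = json.loads(policy_text)
    if policy.get("default") != [{"type": "reject"}]:
        findings.append("default: not 'reject', so images from unlisted scopes are accepted")
    docker = policy.get("transports", {}).get("docker", {})
    for scope, reqs in docker.items():
        if any(r.get("type") == "insecureAcceptAnything" for r in reqs):
            findings.append(f"{scope}: insecureAcceptAnything bypasses verification")
    for scope in REQUIRED_SCOPES:
        for req in docker.get(scope) or [{}]:
            if req.get("type") != "sigstoreSigned":
                findings.append(f"{scope}: no sigstoreSigned requirement")
                continue
            if not key_exists(req.get("keyPath", "")):
                findings.append(f"{scope}: keyPath {req.get('keyPath')!r} not found")
            if req.get("signedIdentity", {}).get("type") != "matchRepoDigestOrExact":
                findings.append(f"{scope}: signedIdentity is not matchRepoDigestOrExact")
    return findings
```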
Next steps
- If you are using a mirror registry, enable sigstore attachments.
- Otherwise, proceed to wiping the local container storage clean.
9.4.2.1. Enabling sigstore attachments for mirror registries
If you are using mirror registries you must apply additional configuration to enable sigstore attachments and mirroring by digest.
Prerequisites
- You have admin access to the MicroShift host.
- You completed the steps in "Verifying container signatures using sigstore."
Procedure
- Enable sigstore attachments by creating the /etc/containers/registries.d/mirror.registry.local.yaml file:

  $ cat /etc/containers/registries.d/<mirror.registry.local.yaml>
  docker:
    mirror.registry.local:
      use-sigstore-attachments: true

  Name the <mirror.registry.local.yaml> file after your mirror registry URL.

- Enable mirroring by digest by creating the /etc/containers/registries.conf.d/999-microshift-mirror.conf file with the following contents:

  $ cat /etc/containers/registries.conf.d/999-microshift-mirror.conf
  [[registry]]
  prefix = "quay.io/openshift-release-dev"
  location = "mirror.registry.local"
  mirror-by-digest-only = true

  [[registry]]
  prefix = "registry.redhat.io"
  location = "mirror.registry.local"
  mirror-by-digest-only = true
Next steps
- Wipe the local container storage clean.
9.4.2.2. Wiping local container storage clean
When you apply the configuration to an existing system, you must wipe the local container storage clean. Cleaning the container storage ensures that container images with signatures are properly downloaded.
Prerequisites
- You have administrator access to the MicroShift host.
- You enabled sigstore on your mirror registries.
Procedure
- Stop the CRI-O container runtime service and MicroShift by running the following command:

  $ sudo systemctl stop crio microshift

- Wipe the CRI-O container runtime storage clean by running the following command:

  $ sudo crio wipe --force

- Restart the CRI-O container runtime service and MicroShift by running the following command:

  $ sudo systemctl start crio microshift
Verification
Verify that all pods are running in a healthy state by entering the following command:
$ oc get pods -A
Example output
NAMESPACE NAME READY STATUS RESTARTS AGE
default i-06166fbb376f14a8bus-west-2computeinternal-debug-qtwcr 1/1 Running 0 46m
kube-system csi-snapshot-controller-5c6586d546-lprv4 1/1 Running 0 51m
openshift-dns dns-default-45jl7 2/2 Running 0 50m
openshift-dns node-resolver-7wmzf 1/1 Running 0 51m
openshift-ingress router-default-78b86fbf9d-qvj9s 1/1 Running 0 51m
openshift-ovn-kubernetes ovnkube-master-5rfhh 4/4 Running 0 51m
openshift-ovn-kubernetes ovnkube-node-gcnt6 1/1 Running 0 51m
openshift-service-ca service-ca-bf5b7c9f8-pn6rk 1/1 Running 0 51m
openshift-storage topolvm-controller-549f7fbdd5-7vrmv 5/5 Running 0 51m
openshift-storage topolvm-node-rht2m 3/3 Running 0 50m
This example output shows a basic MicroShift installation. If you installed optional RPMs, the status of pods running those services is also expected in your output.