
Chapter 1. Enterprise Contract for Red Hat Trusted Application Pipeline


The more complex a software supply chain becomes, the more critical it is to employ reliable checks and best practices to guarantee the integrity of software artifacts, such as your container images, and the dependability of their source code. This is where Red Hat Enterprise Contract enters your Red Hat Trusted Application Pipeline (RHTAP) build and deploy experience.

Enterprise Contract is a policy-driven workflow tool for maintaining software supply chain security by defining and enforcing policies for building and testing container images. For a build system that creates Supply-chain Levels for Software Artifacts (SLSA) provenance attestations, such as Tekton with Tekton Chains and GitHub Actions with the SLSA GitHub Generator, checking the signatures and confirming that the contents of the attestations actually match what is expected is a critical part of verifying and maintaining the integrity of your software supply chain. A secure CI/CD workflow should include artifact verification to detect problems early. It’s the job of Enterprise Contract to validate that a container image is signed and attested by a known and trusted build system.

The general steps for validating a signed and attested container image are as follows:

  1. Create or copy a container image with Red Hat Trusted Application Pipeline.
  2. Generate a signing key with Cosign.
  3. Sign the container image with Cosign.
  4. Attest the image with Cosign.
  5. Verify your signed and attested container image with the Enterprise Contract CLI.

But what does it mean to sign and attest to the provenance of a software artifact like a container image? Why do it? And how?

Signed software artifacts like container images are at a significantly lower risk of several attack vectors than unsigned artifacts. When a container image is signed, various cryptographic techniques bind the image to a specific entity or organization. The result is a digital signature that verifies the authenticity of the image so that you can trace it back to its creator—that entity or organization—and also verify that the image wasn’t altered or tampered with after it was signed. For more information about software supply chain threats, see Supply chain threats.

Enterprise Contract uses the industry standard Sigstore Cosign as a resource library to validate your container images. With Red Hat Trusted Artifact Signer (RHTAS), Red Hat’s supported version of the Sigstore framework, you can use your own on-prem instance of Sigstore’s services to sign and attest your container images with the Cosign CLI. For more information about RHTAS, see Red Hat Trusted Artifact Signer.

As for software artifact attestation, it can’t happen without provenance. Provenance is the verifiable information about software artifacts like container images that describes where, when, and how that artifact was produced. The attestation itself is an authenticated statement, in the form of metadata, that proves that an artifact is intact and trustworthy. Enterprise Contract uses that attestation to cryptographically verify that the build was not tampered with, and to check the build against any set of policies, such as SLSA requirements. For more information about SLSA, see About SLSA.
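The following added example (not code from Red Hat or the Enterprise Contract project) models what steps 4 and 5 of the procedure above do and what this paragraph describes: an in-toto Statement carrying a SLSA provenance predicate is wrapped in a DSSE envelope and signed, and a validator first checks the signature over the DSSE pre-authentication encoding and only then checks the attestation contents against policy (the subject digest matches the image, the predicate is SLSA provenance, the builder is a trusted build system). To run with the standard library only, an HMAC stands in for the asymmetric Cosign key pair; the image name, digest, builder ids and build type are constructed values, not real ones.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; none of these come from a real build, key or registry.
SHARED_SECRET = b"constructed-demo-secret"            # stand-in for the Cosign key pair
TRUSTED_BUILDERS = {"https://tekton.dev/chains/v2"}    # hypothetical trusted builder id
PROVENANCE_TYPES = {"https://slsa.dev/provenance/v0.2"}
STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}
PAYLOAD_TYPE = "application/vnd.in-toto+json"
IMAGE_DIGEST = "sha256:" + hashlib.sha256(b"constructed image manifest").hexdigest()


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE v1 pre-authentication encoding: the bytes a signer actually signs.

    Binding the payload type into the signed bytes stops a signed document from
    being replayed as a document of a different type.
    """
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sample_statement(builder_id: str, digest: str) -> dict:
    """An in-toto Statement with a SLSA v0.2 provenance predicate (constructed)."""
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "registry.example.com/demo/app",
                     "digest": {"sha256": digest.split(":", 1)[1]}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/buildtypes/demo@v1",   # hypothetical
            "materials": [{"uri": "git+https://example.com/demo/app",
                           "digest": {"sha1": "0" * 40}}],
        },
    }


def attest(statement: dict, secret: bytes) -> dict:
    """Wrap a statement in a DSSE envelope, as `cosign attest` does with a real key."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": "demo-key", "sig": base64.b64encode(sig).decode()}],
    }


def validate_image(envelope: dict, image_digest: str, secret: bytes) -> list:
    """Return policy violations for an image; an empty list means the image passes.

    Order matters: nothing inside the payload is trusted until the signature holds.
    """
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(secret, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        return ["signature does not verify with the trusted key"]

    stmt = json.loads(payload)
    violations = []
    if stmt.get("_type") not in STATEMENT_TYPES:
        violations.append("payload is not an in-toto Statement")
    if stmt.get("predicateType") not in PROVENANCE_TYPES:
        violations.append("attestation is not SLSA provenance")

    # The attestation must be about *this* image: compare the subject digest.
    want = image_digest.split(":", 1)[1]
    subjects = [s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])]
    if want not in subjects:
        violations.append("subject digest does not match the image being validated")

    builder = stmt.get("predicate", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        violations.append(f"builder {builder!r} is not a trusted build system")
    return violations


def rewrite_builder(envelope: dict, builder_id: str) -> dict:
    """Change the builder id inside an already signed envelope without re-signing.

    Used below to show that edits made after signing are caught before any policy
    rule ever looks at the (now untrustworthy) contents.
    """
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    stmt["predicate"]["builder"]["id"] = builder_id
    payload = json.dumps(stmt, separators=(",", ":"), sort_keys=True).encode()
    return {**envelope, "payload": base64.b64encode(payload).decode()}


if __name__ == "__main__":
    good = attest(sample_statement("https://tekton.dev/chains/v2", IMAGE_DIGEST), SHARED_SECRET)
    print("trusted build:     ", validate_image(good, IMAGE_DIGEST, SHARED_SECRET))
    unknown = attest(sample_statement("https://example.com/unknown-builder", IMAGE_DIGEST), SHARED_SECRET)
    print("untrusted builder: ", validate_image(unknown, IMAGE_DIGEST, SHARED_SECRET))
    edited = rewrite_builder(unknown, "https://tekton.dev/chains/v2")
    print("edited after signing:", validate_image(edited, IMAGE_DIGEST, SHARED_SECRET))
```

The three runs show the two independent things the paragraph says Enterprise Contract checks: an attestation whose payload was changed after signing fails on the signature alone, and an attestation that is correctly signed but names a builder outside the trusted set fails on policy. In the real pipeline the HMAC step is the Cosign signature verified against the public key from step 2, and the policy rules are the Enterprise Contract policy configuration rather than hard-coded sets.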

When you push your code from either the RHTAP development namespace to the stage namespace, or from the stage namespace to the production namespace, Enterprise Contract automatically runs its validation checks to make sure your container image was signed and attested by known and trusted build systems. When your image passes the Enterprise Contract check, you can merge your code changes to complete your promotion from one environment to the next. For more information about deploying your application to a different namespace, see Trusted Application Pipeline Software Template. For more information about where RHTAP saves your deployment manifests, see the RHTAP GitOps repository and its YAML files.

Additional resources

For more information about signing and attesting a container image, see Signing a container image.


© 2024 Red Hat, Inc.