Red Hat SummitThis documentation is for a release that is no longer maintained
See documentation for the latest supported version.이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 5. Attesting and validating a container image
Before Enterprise Contract can validate your signed container image, you must first create SLSA provenance and associate it with your container image. Provenance is the verifiable information about software artifacts, including where, when, and how a given software "link" in a supply chain was produced. For more information about Supply-chain Levels for Software Artifacts (SLSA) provenance, see SLSA Provenance.
Prerequisites
- A signed container image.
- Access to the OpenShift web console.
- A working Red Hat Trusted Artifact Signer installation running on OpenShift version 4.13 or later.
-
A workstation with the
cosignandocbinary files installed.
Procedure
Create a SLSA provenance
predicate.jsonfile; for example:Copy to Clipboard Copied! Toggle word wrap Toggle overflow Sign and attest the
predicate.jsonfile you just created; for example:cosign attest -y --fulcio-url=$FULCIO_URL \ --rekor-url=$REKOR_URL \ --oidc-issuer=$OIDC_ISSUER_URL \ --predicate predicate.json \ --type slsaprovenance $IMAGE
cosign attest -y --fulcio-url=$FULCIO_URL \ --rekor-url=$REKOR_URL \ --oidc-issuer=$OIDC_ISSUER_URL \ --predicate predicate.json \ --type slsaprovenance $IMAGECopy to Clipboard Copied! Toggle word wrap Toggle overflow Keycloak opens to automatically authenticate you based on your login when you signed your container image.
Verify the signature and attestation with Enterprise Contract, for example:
ec validate image --image $IMAGE \ --certificate-identity-regexp '.*' \ --certificate-oidc-issuer-regexp '.*' \ --output yaml --show-successes
ec validate image --image $IMAGE \ --certificate-identity-regexp '.*' \ --certificate-oidc-issuer-regexp '.*' \ --output yaml --show-successesCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Be as specific as possible when you run the ec validate image command so that each signature matches the expected identity.
Verification
- When Enterprise Contract has validated your container image, a detailed report of all Enterprise Contract verifications and signatures opens.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}