Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 3. Verifying signed artifacts in an offline environment
In some cases, you need to verify an artifact’s authenticity, but do not have access to the Red Hat Trusted Artifact Signer (RHTAS) service that signed that artifact. In these cases, you can still verify an artifact’s signature by doing an offline verification.
Before you can start doing offline artifact verification, you need access to the RHTAS signing environment, and access to an image registry. In the offline environment, you only need access to the same image registry as the signing environment.
Prerequisites
- Installation of RHTAS running either on the Red Hat OpenShift Container Platform, or on Red Hat Enterprise Linux (RHEL) managed by Ansible.
-
A workstation with the
cosign,tuftool,tar, andsha256sumbinaries installed. -
Initialization of
cosignwith the current signing environment.
Procedure
In the signing environment, do the following steps:
Sign an image by using
cosign:cosign sign IMAGE_NAME:TAG$ cosign sign -y ttl.sh/rhtas/example-image:1hGet the Trust Root URL.
For RHTAS deployments on Red Hat Enterprise Linux:
$ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE $ export TUF_SERVER_URL=https://tuf.${BASE_HOSTNAME}For RHTAS deployments on Red Hat OpenShift Container Platform:
$ export TUF_SERVER_URL="$(oc get tuf -o jsonpath='{.items[0].status.url}' -n trusted-artifact-signer)"
Create a clone of the Trust Root locally:
$ export TUF_REPOSITORY="${HOME}/repository" $ tuftool clone --allow-root-download --metadata-dir "${TUF_REPOSITORY}" --targets-dir "${TUF_REPOSITORY}/targets" --metadata-url "${TUF_SERVER_URL}" --targets-url "${TUF_SERVER_URL}/targets"Create a compressed archive file of the Trust Root:
$ tar -czvf repository.tar.gz "${TUF_REPOSITORY}" $ sha256sum repository.tar.gzMake note of the checksum output for use later in the offline environment.
Copy the compressed archive file to the offline environment.
ImportantYou must copy the Trust Root compressed archive file every time you update The Update Framework (TUF) metadata files or when you rotate any RHTAS component keys and certificates.
In the offline environment, do the following steps:
- Change directory to where you copied the compressed archive file of the Trust Root.
Verify the checksum by using the checksum value from the signing environment:
$ echo "SHA256_CHECKSUM repository.tar.gz" > checksum.txt $ sha256sum --check checksum.txt || echo "Archive integrity compromised, don't continue with the procedure\!"ImportantOnly continue if the integrity check is successful.
Expand the compressed archive file:
$ tar -xzvf repository.tar.gz
Initialize
cosign:$ cd repository/ $ cosign initialize --mirror=file://$(pwd)/ --root=$(pwd)/1.root.jsonVerify the signed artifacts:
$ export IMAGE="IMAGE_NAME:TAG" $ export SIGNING_EMAIL_ADDR=SIGNING_EMAIL_ADDRESS $ export SIGNING_OIDC_ISSUER=OIDC_ISSUER_URL $ cosign verify --certificate-identity="${SIGNING_EMAIL_ADDR}" --certificate-oidc-issuer="${SIGNING_OIDC_ISSUER}" "${IMAGE}"
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}