
Chapter 8. Signing container images


You can ensure image authenticity and integrity by signing container images on Red Hat Enterprise Linux. Images are signed with sigstore signatures, a technique that is compatible with any OCI-compliant container registry. You can use Podman to sign the image before pushing it to a remote registry, and configure consumers so that any unsigned image is rejected.

The sigstore signatures eliminate the need for a separate lookaside server because they store the signatures in the container registry. Signing container images helps to prevent supply chain attacks.

8.1. Signing container images with sigstore signatures by using a private key

To sign container images with sigstore signatures by using a private key on Red Hat Enterprise Linux (RHEL), you can use the Podman tools with a locally managed key pair.

Prerequisites

  • The container-tools meta-package is installed.

Procedure

  1. Generate a sigstore public/private key pair:

    $ skopeo generate-sigstore-key --output-prefix myKey.private
  2. Add the following content to the /etc/containers/registries.d/default.yaml file:

    docker:
        <registry>:
            use-sigstore-attachments: true

    By setting the use-sigstore-attachments option, Podman and Skopeo can read and write the container sigstore signatures together with the image and save them in the same repository as the signed image.

    You can edit the system-wide registry configuration in the /etc/containers/registries.d/default.yaml file. You can also edit the registry or repository configuration section in any YAML file in the /etc/containers/registries.d directory.

    All YAML files are read and the filename can be arbitrary. A single scope (default-docker, registry, or namespace) can only exist in one file within the /etc/containers/registries.d/ directory.

  3. Build the container image by using a Containerfile in the current directory:

    $ podman build -t <registry>/<namespace>/<image>
  4. Sign the image and push it to the registry:

    $ podman push --sign-by-sigstore-private-key ./myKey.private <registry>/<namespace>/<image>

    The podman push command pushes the <registry>/<namespace>/<image> local image to the remote registry as <registry>/<namespace>/<image>. The --sign-by-sigstore-private-key option adds a sigstore signature by using the myKey.private private key to the <registry>/<namespace>/<image> image. The image and the sigstore signature are uploaded to the remote registry.

    Note

    If you need to sign existing images while moving them across container registries, you can use the skopeo copy command.

    For more details, see podman-push(1) and podman-build(1) man pages on your system.

Verification

  • Pull the image:

    $ podman pull <registry>/<namespace>/<image>

    Running podman pull enforces signature presence according to the configured signature verification policy. If you try to pull images from the configured registry that are unsigned or signed with the wrong keys, the command fails.

8.2. Signing container images with sigstore signatures by using Fulcio and Rekor

With the Fulcio and Rekor servers, you can create signatures by using short-term certificates obtained through OpenID Connect (OIDC) authentication, instead of manually managing a private key.

Prerequisites

  • The container-tools meta-package is installed.
  • You have Fulcio (https://<your-fulcio-server>) and Rekor (https://<your-rekor-server>) servers running and configured.
  • Podman is installed.

Procedure

  1. Add the following content to the /etc/containers/registries.d/default.yaml file:

    docker:
        <registry>:
            use-sigstore-attachments: true

    By setting the use-sigstore-attachments option, Podman and Skopeo can read and write the container sigstore signatures together with the image and save them in the same repository as the signed image.

    You can edit the registry or repository configuration section in any YAML file in the /etc/containers/registries.d/ directory. A single scope (default-docker, registry, or namespace) can only exist in one file within the /etc/containers/registries.d/ directory.

    You can also edit the system-wide registry configuration in the /etc/containers/registries.d/default.yaml file. Please note that all YAML files are read and the filename is arbitrary.

  2. Create the /etc/containers/registries.d/file.yml file:

    fulcio:
      fulcioURL: "https://<your-fulcio-server>"
      oidcMode: "interactive"
      oidcIssuerURL: "https://<your-OIDC-provider>"
      oidcClientID: "sigstore"
    rekorURL: "https://<your-rekor-server>"

    The file.yml is the sigstore signing parameter YAML file used to store options required to create sigstore signatures.

  3. Sign the image and push it to the registry:

    $ podman push --sign-by-sigstore=file.yml <registry>/<namespace>/<image>

    You can alternatively use the skopeo copy command with similar --sign-by-sigstore options to sign existing images while moving them across container registries.

    Warning

    Note that your submission to public servers includes the public key, the certificate, and signature metadata.

    For more information, see the containers-sigstore-signing-params.yaml, podman-push(1) and container-registries.d man pages on your system.

Verification

  • Pull the image:

    $ podman pull <registry>/<namespace>/<image>

    Running podman pull enforces signature presence according to the configured signature verification policy. If you try to pull images from the configured registry that are unsigned or signed with the wrong keys, the command fails.

8.3. Signing container images with sigstore signatures with a private key and Rekor

To ensure image integrity and authenticate provenance in the software supply chain, you can sign container images by using sigstore with a private key and Rekor on Red Hat Enterprise Linux (RHEL). This process involves generating a key pair, signing the image with the private key, and configuring the system to use Rekor for transparency logs.

Prerequisites

  • The container-tools meta-package is installed.

Procedure

  1. Generate a sigstore public/private key pair:

    $ skopeo generate-sigstore-key --output-prefix myKey.private

    The public and private keys myKey.pub and myKey.private are generated.

  2. Add the following to the /etc/containers/registries.d/default.yaml file:

    docker:
        <registry>:
            use-sigstore-attachments: true

    By setting the use-sigstore-attachments option, Podman and Skopeo can read and write the container sigstore signatures together with the image and save them in the same repository as the signed image.

    Note

    You can edit the registry or repository configuration section in any YAML file in the /etc/containers/registries.d/ directory. A single scope (default-docker, registry, or namespace) can only exist in one file within the /etc/containers/registries.d/ directory. You can also edit the system-wide registry configuration in the /etc/containers/registries.d/default.yaml file. Please note that all YAML files are read and the filename is arbitrary.

  3. Build the container image by using a Containerfile in the current directory:

    $ podman build -t <registry>/<namespace>/<image>
  4. Create the /etc/containers/registries.d/file.yml file:

    privateKeyFile: "/home/user/sigstore/myKey.private"
    privateKeyPassphraseFile: "/mnt/user/sigstore-myKey.private-passphrase"
    rekorURL: "https://<your-rekor-server>"

    The file.yml is the sigstore signing parameter YAML file used to store options required to create sigstore signatures.

  5. Sign the image and push it to the registry:

    $ podman push --sign-by-sigstore=file.yml <registry>/<namespace>/<image>

    You can alternatively use the skopeo copy command with similar --sign-by-sigstore options to sign existing images while moving them across container registries.

    Warning

    Note that your submission to public servers includes the public key and metadata about the signature.

Verification

  • Pull the image:

    $ podman pull <registry>/<namespace>/<image>

    Running podman pull enforces signature presence according to the configured signature verification policy. If you try to pull images from the configured registry that are unsigned or signed with the wrong keys, the command fails.

    For more information, see the podman-push(1), podman-build(1), and container-registries.d man pages on your system.

8.4. Signing container images with GPG signatures

Sign your Red Hat Enterprise Linux container images by using GPG signatures to establish trust and verify software origins. Applying these cryptographic signatures ensures that your images remain unaltered, protecting your infrastructure from deploying compromised applications.

Prerequisites

  • The container-tools meta-package and GPG tool are installed.
  • The lookaside web server is set up and you can publish files on it. You can check the system-wide registries configuration in the /etc/containers/registries.d/default.yaml file. The lookaside-staging option references a file path for signature writing and is typically set on hosts publishing signatures.

    # cat /etc/containers/registries.d/default.yaml
    docker:
        <registry>:
            lookaside: https://registry-lookaside.example.com
            lookaside-staging: file:///var/lib/containers/sigstore

Procedure

  1. Generate a GPG key:

    # gpg --full-gen-key
  2. Export the public key:

    # gpg --output <path>/key.gpg --armor --export <username@example.com>
  3. Build the container image by using a Containerfile in the current directory:

    $ podman build -t <registry>/<namespace>/<image>

    Replace <registry>, <namespace>, and <image> with the container image identifiers.

  4. Sign the image and push it to the registry:

    $ podman push \
        --sign-by <username@example.com> \
        <registry>/<namespace>/<image>

    Note

    If you need to sign existing images while moving them across container registries, you can use the skopeo copy command.

  5. Optional: Display the new image signature:

    # (cd /var/lib/containers/sigstore/; find . -type f)
    ./<image>@sha256=<digest>/signature-1
  6. Copy your local signatures to the lookaside web server:

    # rsync -a /var/lib/containers/sigstore <user@registry-lookaside.example.com>:/registry-lookaside/webroot/sigstore

    The signatures are stored in the location determined by the lookaside-staging option, in this case, /var/lib/containers/sigstore directory.

Verification

  • Pull the image:

    $ podman pull <registry>/<namespace>/<image>

    Running podman pull enforces signature presence according to the configured signature verification policy. If you try to pull images from the configured registry that are unsigned or signed with the wrong keys, the command fails.

    For more information, see the podman-image-trust(1), podman-push(1) and podman-build(1) man pages on your system.
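As an added example (not code from the Red Hat documentation or from Podman), the following Python shows where the signatures described in this chapter are stored and what a consumer checks in the signed payload: the attachment tag used when use-sigstore-attachments is enabled (sections 8.1 to 8.3), the lookaside path layout of section 8.4, and the docker-reference and manifest-digest match that a verification policy applies before a pull is accepted. The digest and image reference values are constructed.

```python
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
SIGNATURE_TYPE = "atomic container signature"


def _check_digest(digest: str) -> None:
    if not DIGEST_RE.match(digest):
        raise ValueError(f"expected a sha256 manifest digest, got {digest!r}")


def sigstore_attachment_tag(digest: str) -> str:
    """Tag the sigstore signature is stored under in the image's own repository
    when use-sigstore-attachments is enabled: sha256:<hex> becomes sha256-<hex>.sig."""
    _check_digest(digest)
    return digest.replace(":", "-", 1) + ".sig"


def lookaside_signature_path(repo: str, digest: str, index: int = 1) -> str:
    """Relative path of a GPG signature in the lookaside tree, i.e. the
    <image>@sha256=<digest>/signature-N layout shown under lookaside-staging."""
    _check_digest(digest)
    return f"{repo}@{digest.replace(':', '=', 1)}/signature-{index}"


def signed_payload(reference: str, digest: str) -> bytes:
    """JSON document that is actually signed (GPG and sigstore alike); it binds
    the image name the signer intended to the manifest digest."""
    _check_digest(digest)
    critical = {"identity": {"docker-reference": reference},
                "image": {"docker-manifest-digest": digest},
                "type": SIGNATURE_TYPE}
    return json.dumps({"critical": critical, "optional": {}},
                      separators=(",", ":"), sort_keys=True).encode()


def payload_matches(payload_bytes: bytes, expected_reference: str,
                    expected_digest: str) -> bool:
    """Consumer-side check applied after the cryptographic verification passes:
    a valid signature is still rejected when it was made for a different image
    name or a different manifest than the one being pulled."""
    try:
        critical = json.loads(payload_bytes)["critical"]
        return (critical["type"] == SIGNATURE_TYPE
                and critical["identity"]["docker-reference"] == expected_reference
                and critical["image"]["docker-manifest-digest"] == expected_digest)
    except (ValueError, KeyError, TypeError):
        return False


# Constructed sample values (not from a real registry).
DIGEST = "sha256:" + "ab" * 32
REFERENCE = "registry.example.com/myteam/app:1.0"
```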

© 2026 Red Hat