红帽全球峰会此内容没有您所选择的语言版本。
Chapter 2. Red Hat Enterprise Linux
2.1. Installing Trusted Artifact Signer using Ansible
You can install the Red Hat Trusted Artifact Signer (RHTAS) on Red Hat Enterprise Linux by using a Red Hat provided Ansible Playbook. This deployment gives you a basic signing framework with Keycloak as the OpenID Connect (OIDC) provider.
Red Hat recommends not to use Ansible logging in verbose or debugging mode for production environments.
For more information, see the Ansible documentation.
Prerequisites
- Red Hat Enterprise Linux version 9.4 or later.
- A Red Hat user account to access the Red Hat Hybrid Cloud Console.
Procedure
- Log in to the Red Hat Hybrid Cloud Console with your Red Hat credentials.
- From the home page, click the Services drop-down menu, and click Red Hat Ansible Automation Platform.
- From the navigational menu, expand Automation Hub, and click Collections.
- In the search field type rhtas and press enter.
- Click the artifact_signer link on the Red Hat Trusted Artifact Signer tile.
Click the Documentation tab, and follow the steps there to complete the installation of RHTAS on Red Hat Enterprise Linux.
NoteFor a detailed overview of all the configuration parameters, click the tas_single_node link under the Roles section.
2.2. Verify the Trusted Artifact Signer installation
As as systems administrator, you can verify if the deployment of Red Hat Trusted Artifact Signer (RHTAS) running on Red Hat Enterprise Linux was successful.
You can sign a test container image, and verify the authenticity of that signature to validate the deployment of RHTAS in your environment.
There are two ways to sign and three ways to verify build artifacts from your code pipeline. You can sign and verify with cosign and gitsign, but can only verify with Enterprise Contract.
The cosign tool gives you the capability to sign and verify Open Container Initiative (OCI) container images, along with other build artifacts by using Red Hat’s Trusted Artifact Signer (RHTAS) service.
For RHTAS, you must use cosign version 2.2 or later.
Prerequisites
- Installation of RHTAS running on Red Hat Enterprise Linux 9.4 or later managed by Ansible.
-
A workstation with the
podmanbinary installed.
Procedure
Download the
cosignbinary from the local command-line interface (CLI) tool download page to your workstation.NoteThe URL address is the configured node as defined by the
tas_single_node_base_hostnamevariable. An example URL address would be,https://cli-server.example.com, given thetas_single_node_base_hostnamevalue asexample.com.- From the download page, go to the cosign download section, and click the link for your platform.
Open a terminal on your workstation, decompress the binary
.gzfile, and set the execution bit:$ gunzip cosign-amd64.gz $ chmod +x cosign-amd64Move and rename the binary to a location within your
$PATHenvironment:$ sudo mv cosign-amd64 /usr/local/bin/cosign
Configure your shell environment for doing container image signing and verifying.
$ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE $ export TUF_URL="https://tuf.${BASE_HOSTNAME}" $ export OIDC_ISSUER_URL=OIDC_ISSUER_URL $ export COSIGN_FULCIO_URL="https://fulcio.${BASE_HOSTNAME}" $ export COSIGN_REKOR_URL="https://rekor.${BASE_HOSTNAME}" $ export COSIGN_MIRROR=$TUF_URL $ export COSIGN_ROOT=$TUF_URL/root.json $ export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer" $ export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL $ export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL $ export COSIGN_YES="true" $ export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL $ export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER $ export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL $ export REKOR_REKOR_SERVER=$COSIGN_REKOR_URLReplace BASE_HOSTNAME_OF_RHTAS_SERVICE with the value of the
tas_single_node_base_hostname`variable, and replace OIDC_ISSUER_URL with your OpenID Connect (OIDC) provider’s URL string.Initialize The Update Framework (TUF) system:
$ cosign initializeSign a test container image.
Create an empty container image:
$ echo "FROM scratch" > ./tmp.Dockerfile $ podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1hPush the empty container image to the
ttl.shephemeral registry:$ podman push ttl.sh/rhtas/test-image:1hSign the container image:
cosign sign -y IMAGE_NAME:TAG$ cosign sign -y ttl.sh/rhtas/test-image:1hA web browser opens allowing you to sign the container image with an email address.
Remove the temporary Docker file:
$ rm ./tmp.Dockerfile
Verify a signed container image by using a certificate identity and issuer:
cosign verify --certificate-identity=SIGNING_EMAIL_ADDR IMAGE_NAME:TAG$ cosign verify --certificate-identity=jdoe@redhat.com ttl.sh/rhtas/test-image:1hNoteYou can also use regular expressions for the certificate identity and issuer by using the following options to the
cosigncommand,--certificate-identity-regexpand--certificate-oidc-issuer-regexp.Download the
rekor-clibinary from the local command-line interface (CLI) tool download page to your workstation.Open a web browser, and go to the CLI server web page.
NoteThe URL address is the configured node as defined by the
tas_single_node_base_hostnamevariable. An example URL address would be,https://cli-server.example.com, given that the value oftas_single_node_base_hostnameisexample.com.- From the download page, go to the rekor-cli download section, and click the link for your platform.
Open a terminal on your workstation, decompress the binary
.gzfile, and set the execution bit:$ gunzip rekor-cli-amd64.gz $ chmod +x rekor-cli-amd64Move and rename the binary to a location within your
$PATHenvironment:$ sudo mv rekor-cli-amd64 /usr/local/bin/rekor-cli
Query the transparency log by using the Rekor command-line interface.
Search based on the log index:
$ rekor-cli get --log-index 0 --rekor_server $COSIGN_REKOR_URL --format json | jqSearch for an email address to get the universal unique identifier (UUID):
rekor-cli search --email SIGNING_EMAIL_ADDR --rekor_server $COSIGN_REKOR_URL --format json | jq$ rekor-cli search --email jdoe@redhat.com --rekor_server $COSIGN_REKOR_URL --format json | jqThis command returns the UUID for use with the next step.
Use the UUID to get the transaction details:
rekor-cli get --uuid UUID --rekor_server $COSIGN_REKOR_URL --format json | jq$ rekor-cli get --uuid 24296fb24b8ad77a71b9c1374e207537bafdd75b4f591dcee10f3f697f150d7cc5d0b725eea641e7 --rekor_server $COSIGN_REKOR_URL --format json | jq
The gitsign tool gives you the ability to sign and verify Git repository commits by using Red Hat’s Trusted Artifact Signer (RHTAS) service.
Prerequisites
- Installation of RHTAS running on Red Hat Enterprise Linux 9.4 or later managed by Ansible.
A workstation with the
git, andcosignbinaries installed.-
You must use
cosignversion 2.2 or later.
-
You must use
- A locally cloned Git repository.
Procedure
Download the
gitsignbinary from the local command-line interface (CLI) tool download page to your workstation.NoteThe URL address is the configured node as defined by the
tas_single_node_base_hostnamevariable. An example URL address would be,https://cli-server.example.com, given thetas_single_node_base_hostnamevalue asexample.com.- From the download page, go to the gitsign download section, and click the link for your platform.
Open a terminal on your workstation, decompress the .gz file, and set the execution bit:
$ gunzip gitsign-amd64.gz $ chmod +x gitsign-amd64Move and rename the binary to a location within your
$PATHenvironment:$ sudo mv gitsign-amd64 /usr/local/bin/gitsign
Configure your shell environment for doing commit signing and verifying.
$ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE $ export TUF_URL="https://tuf.${BASE_HOSTNAME}" $ export OIDC_ISSUER_URL=OIDC_ISSUER_URL $ export COSIGN_FULCIO_URL="https://fulcio.${BASE_HOSTNAME}" $ export COSIGN_REKOR_URL="https://rekor.${BASE_HOSTNAME}" $ export COSIGN_MIRROR=$TUF_URL $ export COSIGN_ROOT=$TUF_URL/root.json $ export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer" $ export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL $ export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL $ export COSIGN_YES="true" $ export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL $ export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER $ export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL $ export REKOR_REKOR_SERVER=$COSIGN_REKOR_URLReplace BASE_HOSTNAME_OF_RHTAS_SERVICE with the value of the
tas_single_node_base_hostname`variable, and replace OIDC_ISSUER_URL with your OpenID Connect (OIDC) provider’s URL string.-
Change directory (
cd) to the local Git repository directory. Configure the local repository configuration to sign your commits by using the RHTAS service:
$ git config --local commit.gpgsign true $ git config --local tag.gpgsign true $ git config --local gpg.x509.program gitsign $ git config --local gpg.format x509 $ git config --local gitsign.fulcio $SIGSTORE_FULCIO_URL $ git config --local gitsign.rekor $SIGSTORE_REKOR_URL $ git config --local gitsign.issuer $SIGSTORE_OIDC_ISSUER $ git config --local gitsign.clientID trusted-artifact-signerMake a commit to the local repository:
$ git commit --allow-empty -S -m "Test of a signed commit"A web browser opens allowing you to sign the commit with an email address.
Initialize The Update Framework (TUF) system:
$ cosign initializeVerify the commit:
gitsign verify --certificate-identity=SIGNING_EMAIL --certificate-oidc-issuer=$SIGSTORE_OIDC_ISSUER HEAD$ gitsign verify --certificate-identity=jdoe@redhat.com --certificate-oidc-issuer=$SIGSTORE_OIDC_ISSUER HEAD
Conforma, formally known as Enterprise Contract (EC), is a tool for maintaining the security of software supply chains, and you can use it to define and enforce policies for container images. You can use the ec binary to verify the attestation and signature of container images that use Red Hat’s Trusted Artifact Signer (RHTAS) signing framework.
Prerequisites
- Installation of RHTAS running on Red Hat Enterprise Linux 9.4 or later managed by Ansible.
A workstation with the
cosign, andpodmanbinaries installed.-
You must use
cosignversion 2.2 or later.
-
You must use
Procedure
Download the
ecbinary from the local command-line interface (CLI) tool download page to your workstation.NoteThe URL address is the configured node as defined by the
tas_single_node_base_hostnamevariable. An example URL address would be,https://cli-server.example.com, given thetas_single_node_base_hostnamevalue asexample.com.- From the download page, go to the ec download section, and click the link for your platform.
Open a terminal on your workstation, decompress the binary .gz file, and set the execution bit:
$ gunzip ec-amd64.gz $ chmod +x ec-amd64Move and rename the binary to a location within your
$PATHenvironment:$ sudo mv ec-amd64 /usr/local/bin/ec
Configure your shell environment for doing container image signing and verifying.
$ export BASE_HOSTNAME=BASE_HOSTNAME_OF_RHTAS_SERVICE $ export TUF_URL="https://tuf.${BASE_HOSTNAME}" $ export OIDC_ISSUER_URL=OIDC_ISSUER_URL $ export COSIGN_FULCIO_URL="https://fulcio.${BASE_HOSTNAME}" $ export COSIGN_REKOR_URL="https://rekor.${BASE_HOSTNAME}" $ export COSIGN_MIRROR=$TUF_URL $ export COSIGN_ROOT=$TUF_URL/root.json $ export COSIGN_OIDC_CLIENT_ID="trusted-artifact-signer" $ export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL $ export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL $ export COSIGN_YES="true" $ export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL $ export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER $ export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL $ export REKOR_REKOR_SERVER=$COSIGN_REKOR_URLReplace BASE_HOSTNAME_OF_RHTAS_SERVICE with the value of the
tas_single_node_base_hostname`variable, and replace OIDC_ISSUER_URL with your OpenID Connect (OIDC) provider’s URL string.Initialize The Update Framework (TUF) system:
$ cosign initializeSign a test container image.
Create an empty container image:
$ echo "FROM scratch" > ./tmp.Dockerfile $ podman build . -f ./tmp.Dockerfile -t ttl.sh/rhtas/test-image:1hPush the empty container image to the
ttl.shephemeral registry:$ podman push ttl.sh/rhtas/test-image:1hSign the container image:
cosign sign -y IMAGE_NAME:TAG$ cosign sign -y ttl.sh/rhtas/test-image:1hA web browser opens allowing you to sign the container image with an email address.
Remove the temporary Docker file:
$ rm ./tmp.Dockerfile
Create a
predicate.jsonfile:{ "builder": { "id": "https://localhost/dummy-id" }, "buildType": "https://example.com/tekton-pipeline", "invocation": {}, "buildConfig": {}, "metadata": { "completeness": { "parameters": false, "environment": false, "materials": false }, "reproducible": false }, "materials": [] }Refer to the SLSA provenance predicate specifications for more information about the schema layout.
Associate the
predicate.jsonfile with the container image:cosign attest -y --predicate ./predicate.json --type slsaprovenance IMAGE_NAME:TAG$ cosign attest -y --predicate ./predicate.json --type slsaprovenance ttl.sh/rhtas/test-image:1hVerify that the container image has at least one attestation and signature:
cosign tree IMAGE_NAME:TAG$ cosign tree ttl.sh/rhtas/test-image:1h 📦 Supply Chain Security Related artifacts for an image: ttl.sh/rhtas/test-image@sha256:7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35 └── 💾 Attestations for an image tag: ttl.sh/rhtas/test-image:sha256-7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35.att └── 🍒 sha256:40d94d96a6d3ab3d94b429881e1b470ae9a3cac55a3ec874051bdecd9da06c2e └── 🔐 Signatures for an image tag: ttl.sh/rhtas/test-image:sha256-7de5fa822a9d1e507c36565ee0cf50c08faa64505461c844a3ce3944d23efa35.sig └── 🍒 sha256:f32171250715d4538aec33adc40fac2343f5092631d4fc2457e2116a489387b7Verify the container image by using Conforma:
ec validate image --image IMAGE_NAME:TAG --certificate-identity-regexp 'SIGNER_EMAIL_ADDR' --certificate-oidc-issuer-regexp 'keycloak-system' --output yaml --show-successes$ ec validate image --image ttl.sh/rhtas/test-image:1h --certificate-identity-regexp 'jdoe@example.com' --certificate-oidc-issuer-regexp 'keycloak-system' --output yaml --show-successes success: true successes: - metadata: code: builtin.attestation.signature_check msg: Pass - metadata: code: builtin.attestation.syntax_check msg: Pass - metadata: code: builtin.image.signature_check msg: Pass ec-version: v0.1.2427-499ef12 effective-time: "2024-01-21T19:57:51.338191Z" key: "" policy: {} success: trueEnterprise Contract generates a pass-fail report with details on any security violations. When you add the
--infoflag, the report includes more details and possible solutions for any violations found.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}