
Chapter 3. New features and enhancements


This chapter lists all major enhancements and new features introduced in this release of Red Hat Trusted Artifact Signer (RHTAS).

The features and enhancements added by this release are:

Rekor Transparency Log monitoring
In this release, we introduced the Rekor Transparency Log monitor for RHTAS. This feature periodically checks the Transparency Log to verify its integrity. It ensures that the log is verifiable, consistent worldwide, and append-only, addressing the earlier lack of active verification over time. With this update, RHTAS runs the Rekor Transparency Log monitor alongside deployments, acting as an agent to continuously validate the transparency log. This provides stronger assurances to end users and increases trust in the security pipeline for the software supply chain.
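To make the append-only property concrete, the following added example (not RHTAS or Rekor monitor code) implements the RFC 6962 Merkle consistency-proof check that a transparency log monitor can run between two checkpoints. It goes beyond the text by showing the general algorithm; all function names and the `SAMPLE` entries are constructed for illustration.

```python
import hashlib

LEAF, NODE = b"\x00", b"\x01"  # RFC 6962 domain-separation prefixes

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two < n

def root(entries: list) -> bytes:
    """Merkle tree hash over the entries; the value a checkpoint commits to."""
    if len(entries) == 1:
        return h(LEAF, entries[0])
    k = _split(len(entries))
    return h(NODE, root(entries[:k]), root(entries[k:]))

def consistency_proof(m: int, entries: list, whole: bool = True) -> list:
    """Log side: RFC 6962 proof that the first m entries are a prefix."""
    if m == len(entries):
        return [] if whole else [root(entries)]
    k = _split(len(entries))
    if m <= k:
        return consistency_proof(m, entries[:k], whole) + [root(entries[k:])]
    return consistency_proof(m - k, entries[k:], False) + [root(entries[:k])]

def verify_consistency(size1, root1, size2, root2, proof) -> bool:
    """Monitor side (RFC 9162, 2.1.4.2): True only if tree 1 is a prefix of tree 2."""
    if size1 == size2:
        return size1 > 0 and root1 == root2 and not proof
    path = ([root1] if size1 & (size1 - 1) == 0 else []) + list(proof)
    if not 0 < size1 < size2 or not path:
        return False
    fn, sn = size1 - 1, size2 - 1
    while fn & 1:
        fn, sn = fn >> 1, sn >> 1
    fr = sr = path[0]
    for c in path[1:]:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            fr, sr = h(NODE, c, fr), h(NODE, c, sr)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            sr = h(NODE, sr, c)
        fn, sn = fn >> 1, sn >> 1
    return fr == root1 and sr == root2 and sn == 0

SAMPLE = [b"entry-%d" % i for i in range(7)]  # constructed log entries, not real Rekor data
```

A monitor that stored the root for the first three entries accepts the seven-entry checkpoint only if `verify_consistency` returns `True`; a log that rewrote an earlier entry cannot produce a proof that matches the stored root.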
Added a new configuration option for Fulcio
In this update, you can configure the new ciIssuerMetadata option for Fulcio. This option enables the creation of custom templates for X.509 v3 extensions in certificates generated by Fulcio for Continuous Integration (CI) providers. Before this update, hard-coded default values in X.509 v3 extensions could result in incorrect metadata, such as generic Git URIs appearing for private Git instances. With the addition of the ciIssuerMetadata setting, you can map OpenID Connect (OIDC) token claims to specific certificate extensions, so that certificates carry the correct environment-specific metadata. It also allows for the inclusion of additional user-defined information, such as user_login and user_email, in the certificate.
Enterprise Contract renamed to Conforma
With this update of RHTAS, the Red Hat product name Enterprise Contract is deprecated, and the product has been renamed to Conforma. All Red Hat built container images and documentation have been updated to use the new name. For more information about this name change, you can view the community post.
Conforma supports the OPA policy engine
With this release of RHTAS, we updated Conforma to support Open Policy Agent (OPA) version 1.0 and later. This includes the handling of breaking changes in Rego syntax. As a result, Conforma now supports OPA with proper handling of syntax transitions, ensuring continued policy evaluation capabilities while benefiting from security improvements and new features.
New configuration option for adding a Rekor public key for ec.sigstore.* functions
In this release, users can customize the Rekor public key by passing the rekor_public_key parameter to the ec.sigstore.verify_image and ec.sigstore.verify_attestation functions. This improvement makes verification workflows with RHTAS deployments more adaptable, because it resolves conflicts that arose when verifying various types of signatures within the same policy evaluation using the earlier environment variable approach. Policy authors can now verify signatures from different Rekor instances within the same policy execution, while preserving backward compatibility.
Conforma hitting Quay rate limits
With this update, we implemented active rate-limiting mitigation strategies and a retry mechanism to prevent 429 Too Many Requests errors when accessing Quay.io registries. This enhancement addresses the disruptive rate-limiting issues that can occur in build systems, improving reliability when accessing container registries and reducing rate-limiting errors that can cause verification failures.

© 2025 Red Hat