In November 2023, we announced the Tech Preview of Red Hat Trusted Artifact Signer, outlining the need for a production-ready deployment of the Sigstore project, its benefits and core use cases in the software supply chain.
Red Hat Trusted Artifact Signer introduces keyless signing and verification, binding the signature origin to a verifiable OIDC Authentication identity instead of a long-lived key pair that needs to be managed, distributed and revoked/renewed. This significantly reduces management overhead and simplifies the usage of a signing and verification infrastructure throughout your Software Supply Chain.
Today, we are excited to announce the Tech Preview 2 of Red Hat Trusted Artifact Signer that has seen a lot of enhancements since that first Tech Preview release, based on your feedback! We want to say thank you for your feedback via rhtas-support@redhat.com , which directly helps us shape the priorities on the way to GA (general availability) of Red Hat Trusted Artifact Signer.
To name just a few highlights:
- We are now using an Operator-based installation
- You can now easily configure your own OIDC provider (with documentation for Keycloak and Google available, more to come)
- Enterprise Contract (EC) binaries have been included - to verify build provenance, SLSA compliance and much, much more.
Installation
The biggest change is undoubtedly the introduction of an Operator-based install procedure.
The first Tech Preview was based on a Helm Chart Installation, supported by install scripts. This procedure has been simplified by providing an Operator, available from Red Hat Operator Hub.
As you might expect, the Operator-based installation is straightforward and takes care of all the components required to run Red Hat Trusted Artifact Signer.
OIDC Authentication Provider
The install script used for the first tech preview of Red Hat Trusted Artifact Signer (and the corresponding Helm Charts) included the installation of a Keycloak instance - changing that to a different OIDC provider required some modification of the Chart and its values files.
Taking into account that many of you will already have OIDC providers deployed, the operator install does not automatically install Keycloak alongside the Red Hat Trusted Artifact Signer components.
If you prefer to continue using the default Keycloak setup that was part of the first tech preview, you can leverage this simple install guide (based on the Red Hat SSO Operator) after cloning (or downloading) https://github.com/securesign/sigstore-ocp/tree/release-1.0.gamma
oc apply --kustomize keycloak/operator/base
oc get keycloaks -A
# wait for this command to succeed (it won’t show any “keycloaks”
# but if it doesn’t generate an error, it means the Keycloak CRDs
# have successfully been registered)
oc apply --kustomize keycloak/resources/base
# wait for keycloak-system pods to be running before proceeding
This will install the default Keycloak instance with test user “jdoe@redhat.com” and password “secure” that was used in the first tech preview release.
There is also documentation on how to use Google as your OIDC provider, with more providers to come. [Oh, by the way - you can use more than one authentication provider and use different providers with the same Trusted Artifact Signer instance, based on your use case - it’s all outlined in the documentation]
Using Enterprise Contract
Enterprise Contract enables users (typically via pipelines) to securely verify supply chain artifacts, and enforce policies about how they were built and tested, in a manageable, scalable, and declarative way.
Enterprise Contract and Red Hat Trusted Artifact Signer have always been close friends, since both cater to securing the software supply chain and Enterprise Contract can leverage all the advantages of a keyless signing and verification infrastructure. With the release of the second tech preview of Red Hat Trusted Artifact Signer, the Enterprise Contract ec binary is now shipped with the Red Hat Trusted Artifact Signer installation and an example is provided on how to verify SLSA provenance of a container image using Enterprise Contract.
You can download the ec binary (for your workstation, or to include it in your software delivery toolchain of choice) via the Red Hat OpenShift UI:
In this example from the Red Hat Trusted Artifact Signer deployment guide, you can see how to verify the provenance attestation linked to a container image (in other words - who has built this image, was the build pipeline in accordance with common/required standards, and much much more):
Validating the image and attestations associated with it:
ec validate image --image quay.io/mnagel/backstage-test:latest \
--certificate-identity-regexp 'jdoe@redhat.com' \
--certificate-oidc-issuer-regexp 'keycloak-keycloak-system' \
--rekor-url $REKOR_REKOR_SERVER \
--output yaml --show-successes --info
In addition to these basic checks, Enterprise Contract enables your pipelines to apply policies to validation results, either from the current kubernetes context or inline - for further information, make sure to check the “ec validate image” command line options and some further examples of policies.
Note: This is only an example - in real life, the attestation should come from the build system itself (e.g. via Tekton Chains) and should not be an arbitrary hand-crafted provenance file. However, this example shows how an attestation is signed and attached to an image and verified via Enterprise Contract, allowing for verification and application of policies.
To provide us with additional feedback, please contact rhtas-support@redhat.com
