Install Red Hat Trusted Artifact Signer using Google identity provider and Cosign

Organizations are challenged in ensuring that the container image they are deploying is exactly what was produced in development and nothing has changed before it runs in production. Cryptographic signing of container images helps to verify the integrity of the image and makes sure it has not been tampered since its creation. Verification of the image signature also confirms that the expected software creator, whose identity was certified at the moment of signing, published the container image in their possession.

In this exercise, we will use Red Hat Trusted Artifact Signer: a cryptographic signature tool based on the Sigstore project that is deployed on-premise. We will use code signing certificates with short-lived signing keys bound to OpenID Connect identities based on your Google account. This keyless signing approach offers simplicity due to the lack of key management.

Prerequisites:

Installed instance of OpenShift 4.13 or above.
Google account to use as the identity provider for this exercise.

In this learning path, you will:

Learn how to install Red Hat Trusted Artifact Signer on Red Hat OpenShift.
Deploy Trusted Artifact Signer service.
Sign and verify a container image using Cosign.

How long will this activity take?

About 15–20 minutes

Report a website issue

Linux

Java runtimes & frameworks

Kubernetes

Integration & App Connectivity

Automation

Developer tools

Developer Sandbox for Red Hat OpenShift

Programming Languages & Frameworks

System Design & Architecture

Developer Productivity

Secure Development & Architectures

Platform Engineering

Automated Data Processing

Start exploring in the Developer Sandbox for free

Interactive Lessons and Learning Paths

Developer Sandbox Activities

E-Books

Tutorials

Cheat Sheets

API Catalog

Red Hat Learning

Tech Talks

Deep Dives

Red Hat Summit 2024