Overview: Install Red Hat Trusted Artifact Signer using Google identity provider and Cosign
Organizations are challenged in ensuring that the container image they are deploying is exactly what was produced in development and nothing has changed before it runs in production. Cryptographic signing of container images helps to verify the integrity of the image and makes sure it has not been tampered since its creation. Verification of the image signature also confirms that the expected software creator, whose identity was certified at the moment of signing, published the container image in their possession.
In this exercise, we will use Red Hat Trusted Artifact Signer: a cryptographic signature tool based on the Sigstore project that is deployed on-premise. We will use code signing certificates with short-lived signing keys bound to OpenID Connect identities based on your Google account. This keyless signing approach offers simplicity due to the lack of key management.
Prerequisites:
- Installed instance of OpenShift 4.13 or above.
- Google account to use as the identity provider for this exercise.
In this learning path, you will:
- Learn how to install Red Hat Trusted Artifact Signer on Red Hat OpenShift.
- Deploy Trusted Artifact Signer service.
- Sign and verify a container image using Cosign.
How long will this activity take?
- About 15–20 minutes