Sign and Verify Artifacts with GitHub identity provider and Red Hat Trusted Artifact Signer

In this learning exercise, we'll set up the ability to sign and verify commits with Red Hat Trusted Artifact Signer on OpenShift. For added convenience, we'll use GitHub as an OIDC provider, allowing you to incorporate a secure workflow using tools you're already familiar with. To facilitate the installation, we'll also use a script to install Red Hat SSO (Keycloak), which will later federate authentication to GitHub. By the end of this exercise, you'll be able to sign and verify the integrity and authenticity of software artifacts reliably across different environments within OpenShift, using GitHub as an identity provider.

Overview: Sign and Verify Artifacts with GitHub identity provider and Red Hat Trusted Artifact Signer

The goal of this learning exercise is to explain how to set up Red Hat Trusted Artifact Signer (RHTAS) with GitHub as a federated OIDC provider. To achieve this, we'll leverage Red Hat SSO's ability to federate authentication to a third-party provider (GitHub). Such a workflow enables you to use tools you are already using to fortify your CI/CD pipelines with keyless signing.