Install Red Hat Trusted Artifact Signer using Google identity provider and Cosign

Learn how to install the Red Hat Trusted Artifact Signer using Google identity provider. Once installed, explore how to sign and verify a container image using Cosign.

Now that you’ve installed the Trusted Artifact Signer and deployed its services, this next lesson will walk you through signing and verifying a container image.

In this lesson, you will:

  • Configure your shell environment with the service endpoints for Trusted Artifact Signer.
  • Sign a container image.
  • Verify the signature of the container image.

Configure your environment and verify the container image

To sign and verify a container image using your Google account, follow these steps:

  1. Switch to the namespace where you created the Trusted Artifact Signer instance using:

    oc project <namespace>
  2. Configure your shell environment with the service endpoints for Trusted Artifact Signer.

    Note: The OIDC issuer is set to https://accounts.google.com, the Google identity provider. Cosign reads the COSIGN_* variables as defaults for its command-line flags, so the issuer set here is used by the sign and verify commands below.

    export TUF_URL=$(oc get tuf -o jsonpath='{.items[0].status.url}')
    export OIDC_ISSUER_URL=https://accounts.google.com
    export COSIGN_FULCIO_URL=$(oc get fulcio -o jsonpath='{.items[0].status.url}')
    export COSIGN_REKOR_URL=$(oc get rekor -o jsonpath='{.items[0].status.url}')
    export COSIGN_MIRROR=$TUF_URL
    export COSIGN_ROOT=$TUF_URL/root.json
    export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL
    export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL
    export COSIGN_YES="true"
    export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL
    export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER
    export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL
    export REKOR_REKOR_SERVER=$COSIGN_REKOR_URL
  3. Initialize the TUF Root:

    cosign initialize
  4. Sign the container image, where $IMAGE is the reference of the image to sign and my-google-secret contains the client secret for your client ID from the Google Console:

    Note: Make sure that the my-google-secret file contains just the secret string corresponding to your client ID, with no surrounding whitespace or quotes.

    cosign sign -y $IMAGE --oidc-client-secret-file=./my-google-secret --oidc-client-id=313xxx-xxx.apps.googleusercontent.com
  5. Verify the signature for the container image. The --certificate-identity value is the Google account that signed the image; the expected issuer is taken from COSIGN_CERTIFICATE_OIDC_ISSUER, which you exported in step 2:

    cosign verify --certificate-identity=veshanka@redhat.com $IMAGE
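In a pipeline you normally want to gate on what cosign verify reports rather than only on its exit code: pin the signer identity and the issuer explicitly, then re-check the Subject, Issuer and image digest in the returned payloads. The script below is an added example, not part of this lesson or of the Trusted Artifact Signer project; it assumes cosign is on PATH with the COSIGN_* and SIGSTORE_* variables from step 2 exported, and the image reference and digest in the sample output are constructed placeholders.

```python
import json
import subprocess

GOOGLE_ISSUER = "https://accounts.google.com"

def verify_image(image, identity, issuer=GOOGLE_ISSUER):
    """Run cosign verify with both the signer identity and the OIDC issuer
    pinned on the command line; return cosign's JSON output, or None on failure."""
    proc = subprocess.run(
        ["cosign", "verify", "--output=json",
         f"--certificate-identity={identity}",
         f"--certificate-oidc-issuer={issuer}", image],
        capture_output=True, text=True, check=False)
    return proc.stdout if proc.returncode == 0 else None

def parse_verify_output(text):
    """cosign verify prints a JSON array with one object per verified signature."""
    return json.loads(text) if text else []

def check_claims(signatures, identity, issuer=GOOGLE_ISSUER, digest=None):
    """Re-check the claims inside each signature payload and return a list of
    problems (an empty list means every signature matches the pinned values)."""
    if not signatures:
        return ["no verified signatures"]
    problems = []
    for i, sig in enumerate(signatures):
        crit, opt = sig.get("critical", {}), sig.get("optional", {})
        if opt.get("Subject") != identity:
            problems.append(f"signature {i}: subject {opt.get('Subject')!r}, expected {identity!r}")
        if opt.get("Issuer") != issuer:
            problems.append(f"signature {i}: issuer {opt.get('Issuer')!r}, expected {issuer!r}")
        found = crit.get("image", {}).get("docker-manifest-digest")
        if digest and found != digest:
            problems.append(f"signature {i}: digest {found!r}, expected {digest!r}")
    return problems

# Constructed sample of what `cosign verify --output=json` prints for one signature
# (the image reference and digest are made-up placeholders, not real values).
SAMPLE_DIGEST = "sha256:" + "ab" * 32
SAMPLE_OUTPUT = json.dumps([{
    "critical": {"identity": {"docker-reference": "quay.io/example/app"},
                 "image": {"docker-manifest-digest": SAMPLE_DIGEST},
                 "type": "cosign container image signature"},
    "optional": {"Issuer": GOOGLE_ISSUER, "Subject": "veshanka@redhat.com"},
}])

if __name__ == "__main__":
    sigs = parse_verify_output(SAMPLE_OUTPUT)
    print(check_claims(sigs, "veshanka@redhat.com", digest=SAMPLE_DIGEST))  # []
    print(check_claims(sigs, "someone-else@example.com"))  # one subject problem
```

To use it against a real image, replace the sample with `check_claims(parse_verify_output(verify_image(image, identity)), identity, digest=expected_digest)` and fail the pipeline when the returned list is non-empty.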

Great. You've configured your environment and signed and verified a container image. Ready to move on to the Developer's Guide to setting supply chain security e-book?
