Page
Sign and verify container image using Red Hat Trusted Artifact Signer
Now that you’ve installed the Trusted Artifact Signer and deployed its services, this next lesson will walk you through signing and verifying a container image.
In this lesson, you will
- Configure your shell environment with the service endpoints for Trusted Artifact Signer.
- Sign a container image.
- Verify the signature of the container image.
Configure your environment and verify the container image
To sign and verify a container image using your Google account, follow these steps:
- Switch to the namespace where you created the Trusted Artifact Signer instance using:
oc project <namespace> - Configure your shell environment with the service endpoints for Trusted Artifact Signer.
Info alert: The OIDC issuer is set to accounts.google.com
export TUF_URL=$(oc get tuf -o jsonpath='{.items[0].status.url}') export OIDC_ISSUER_URL=https://accounts.google.com export COSIGN_FULCIO_URL=$(oc get fulcio -o jsonpath='{.items[0].status.url}') export COSIGN_REKOR_URL=$(oc get rekor -o jsonpath='{.items[0].status.url}') export COSIGN_MIRROR=$TUF_URL export COSIGN_ROOT=$TUF_URL/root.json export COSIGN_OIDC_ISSUER=$OIDC_ISSUER_URL export COSIGN_CERTIFICATE_OIDC_ISSUER=$OIDC_ISSUER_URL export COSIGN_YES="true" export SIGSTORE_FULCIO_URL=$COSIGN_FULCIO_URL export SIGSTORE_OIDC_ISSUER=$COSIGN_OIDC_ISSUER export SIGSTORE_REKOR_URL=$COSIGN_REKOR_URL export REKOR_REKOR_SERVER=$COSIGN_REKOR_URL - Initialize the TUF Root:
cosign initialize - Sign the container image, where
my-google-secretcontains the secret for your client id from the Google Console:cosign sign -y $IMAGE --oidc-client-secret-file=./my-google-secret --oidc-client-id=313xxx-xxx.apps.googleusercontent.com - Verify the signature for the container image:
cosign verify --certificate-identity=veshanka@redhat.com $IMAGE
Great. You've configured your environment. Ready to move on to the Developer's Guide to setting supply chain security e-book??
