Red Hat Trusted Artifact Signer

Enables cryptographic signing and verification of software artifacts and their provenance metadata

Red Hat Trusted Artifact Signer enhances software supply chain security by simplifying the cryptographic signing and verification of software artifacts such as container images, binaries and documents. Trusted Artifact Signer provides a production-ready deployment of the Sigstore project within Red Hat Trusted Software Supply Chain.

Enterprises adopting it can meet the signing-related criteria of the Supply Chain Levels for Software Artifacts (SLSA) framework and gain greater confidence in the security and trustworthiness of their software supply chains.

Sigstore Clients

Popular Sigstore command-line tools (cosign, gitsign and rekor-cli) for generating and verifying digital signatures on source code, artifacts, software bills of materials and container images.

Certificate transparency log 

A permanent, append-only ledger of signing events. Entries cannot be altered or removed without detection, and the log is publicly accessible, so it can be queried to decide on the integrity and authenticity of an artifact, to verify a particular entry, or to retrieve entries.

Certificate authority

A root certificate authority that issues short-lived certificates bound to an authenticated identity and records them in a certificate transparency log, so that signing requires no long-lived private key. It also provides the option to sign with existing self-managed keys held in a third-party key management system.

Accelerates application delivery by letting developers apply digital signatures at every step of the CI/CD workflow and deliver verifiably untampered artifacts across the software supply chain. Provides a simplified user experience for creating and validating digital signatures on artifacts across hybrid cloud environments.

Ensure authenticity and integrity

Ensure authenticity and integrity: auditable logs, secure signing mechanisms and verification of user identity increase trust in artifacts and make the software supply chain more transparent and accountable. Cryptographic signing provides integrity, authentication and non-repudiation for artifacts.

 

Reduce complexity

Reduce complexity: identity-based (keyless) signing through OpenID Connect (OIDC) removes the need to provision, store and rotate long-lived signing keys in a key management system in order to produce verifiable artifacts and containers. Where signing keys are still required, existing key management systems can be used to sign and verify artifacts and containers.

 

Stay compliant

Stay compliant: by meeting the signing-related criteria of Supply Chain Levels for Software Artifacts (SLSA). Provenance is generated automatically as part of the build process in Red Hat Trusted Application Pipeline and, combined with cryptographic signatures, gives enterprise contracts a non-repudiable chain of custody with which to verify that the pipeline meets industry requirements such as SLSA.

Integrations

Trusted Artifact Signer is a production-ready deployment of the Sigstore project within an enterprise. Sigstore has seen rapid adoption in the open source community: package ecosystems such as npm, Python (PyPI) and Maven are adopting Sigstore for attesting the packages they publish, and it has become the de facto signing system for containers, with Kubernetes signing its release artifacts with Sigstore. Multiple Red Hat products have adopted or are integrating Sigstore, including Podman, Quay, Ansible, Red Hat Advanced Cluster Security (ACS), StoneSoup / HACBS and Red Hat Trusted Content.

Community projects

 

Sigstore

Sigstore is focused on improving software supply chain security and transparency by making cryptographic signing, verification and provenance of software easy to adopt. It provides a verifiable way to sign, store and distribute software artifacts using auditable infrastructure, making it harder for attackers to tamper with software. The project was founded by Red Hat in July 2020 and later donated to the Linux Foundation / OpenSSF.

Cosign

Cosign provides a simple and secure way to sign and verify container images (and other artifacts) using cryptographic signatures. Developers can sign with their own keys or with an OpenID Connect identity (via Fulcio), and consumers can verify those signatures as part of the software supply chain. Cosign is designed to be easy to use and integrates with existing container image workflows and multiple container registries. It is commonly used together with Fulcio and Rekor, but also supports popular key management systems (KMS) such as HashiCorp Vault, Google Cloud KMS, Azure Key Vault and AWS KMS.

Fulcio

Fulcio is Sigstore's certificate authority and part of the larger Sigstore initiative. It issues short-lived code-signing certificates in exchange for OpenID Connect (OIDC) identity tokens and records them in a certificate transparency log, giving a publicly auditable record of which identity obtained a certificate and when. This spares developers from managing long-lived signing keys and makes it easier to establish trust in the software supply chain: a developer can sign an artifact with an OIDC account (Google, GitHub, Microsoft), and a machine such as a CI job can sign with a cloud provider's or CI system's OIDC identity.
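The practitioner check this implies, as an added example that is not code from this page, cosign or Fulcio: a verifier must pin which OIDC issuer and which identity it trusts (the inputs behind cosign's `--certificate-oidc-issuer` and `--certificate-identity` / `--certificate-identity-regexp` flags), and must check that the signing time recorded in the transparency log falls inside the short-lived certificate's validity window. The Python below models those checks; the class and function names, the sample identities and the timestamps are constructed for the illustration, and the signature and chain-to-root verification are assumed to have already passed.

```python
"""Verification policy for a Sigstore keyless signature (added example,
not cosign's or Fulcio's code). Models the checks a verifier makes on the
short-lived Fulcio certificate and the Rekor integrated time after the
signature itself and the chain to the Fulcio root have been verified.
All names below are assumptions chosen for the illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class SigningCertificate:
    """What a verifier extracts from the Fulcio-issued leaf certificate:
    the signer identity (Subject Alternative Name), the OIDC issuer
    (Fulcio's certificate extension) and the validity window."""
    identity: str
    oidc_issuer: str
    not_before: datetime
    not_after: datetime


@dataclass
class VerificationPolicy:
    """What the consumer trusts: an issuer plus an identity, given as an
    exact string or a regular expression."""
    oidc_issuer: str
    identity: Optional[str] = None
    identity_regexp: Optional[str] = None


def check_keyless_policy(cert: SigningCertificate, integrated_time: datetime,
                         policy: VerificationPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means accept.

    integrated_time is the time Rekor recorded when the entry was logged,
    the only trustworthy statement of when the signature was made (the
    signer's own clock is untrusted)."""
    problems: List[str] = []
    # 1. Pin the identity provider: a valid signature from the wrong
    #    issuer is an impersonation attempt, not a success.
    if cert.oidc_issuer != policy.oidc_issuer:
        problems.append(f"issuer {cert.oidc_issuer} is not the expected {policy.oidc_issuer}")
    # 2. Pin the signer. Regular expressions are matched against the whole
    #    identity (re.fullmatch) so a trailing ".attacker.net" cannot slip past.
    if policy.identity is not None:
        if cert.identity != policy.identity:
            problems.append(f"identity {cert.identity} is not {policy.identity}")
    elif policy.identity_regexp is not None:
        if re.fullmatch(policy.identity_regexp, cert.identity) is None:
            problems.append(f"identity {cert.identity} does not match {policy.identity_regexp}")
    else:
        problems.append("policy pins no identity: any Fulcio certificate would be accepted")
    # 3. The certificate lives for minutes, so it is normally expired by the
    #    time anyone verifies. What matters is that the signature was logged
    #    while the certificate was valid, not whether it is valid now.
    if not cert.not_before <= integrated_time <= cert.not_after:
        problems.append(f"logged at {integrated_time.isoformat()} outside certificate validity "
                        f"{cert.not_before.isoformat()}..{cert.not_after.isoformat()}")
    return problems


def demo():
    """Constructed sample: a GitHub Actions release workflow as the signer."""
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    cert = SigningCertificate(
        identity="https://github.com/example-org/example-app/.github/workflows/release.yml@refs/tags/v1.2.3",
        oidc_issuer="https://token.actions.githubusercontent.com",
        not_before=issued,
        not_after=issued + timedelta(minutes=10),  # Fulcio's default certificate lifetime
    )
    policy = VerificationPolicy(
        oidc_issuer="https://token.actions.githubusercontent.com",
        identity_regexp=r"https://github\.com/example-org/example-app/\.github/workflows/release\.yml@refs/tags/v[0-9.]+",
    )
    accepted = check_keyless_policy(cert, issued + timedelta(minutes=2), policy)
    # Same certificate, but the log says the signature was recorded three
    # hours after issuance: reject even though everything else matches.
    logged_late = check_keyless_policy(cert, issued + timedelta(hours=3), policy)
    wrong_issuer = check_keyless_policy(
        cert, issued + timedelta(minutes=2),
        VerificationPolicy(oidc_issuer="https://accounts.google.com",
                           identity_regexp=policy.identity_regexp))
    # Lookalike identity against an e-mail-style policy: fullmatch rejects it.
    lookalike = check_keyless_policy(
        SigningCertificate("build@example.com.attacker.net", cert.oidc_issuer,
                           cert.not_before, cert.not_after),
        issued + timedelta(minutes=2),
        VerificationPolicy(oidc_issuer=cert.oidc_issuer, identity_regexp=r".*@example\.com"))
    return accepted, logged_late, wrong_issuer, lookalike
```

The third check is the part most often overlooked when people build their own verifiers: rejecting a signature merely because the certificate has since expired would reject every keyless signature older than ten minutes, while accepting without consulting the log's timestamp would let a stolen OIDC token be reused indefinitely.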

Rekor

Rekor provides a transparent and auditable way to store and verify signatures and metadata about software artifacts, such as images and provenance information. It is a transparency log: an append-only, tamper-evident Merkle-tree record whose entries can be used to verify the integrity and provenance of software artifacts, helping users make informed decisions about the software they use. Rekor can be used on its own, but is commonly deployed alongside Fulcio: because Fulcio certificates expire within minutes, the time at which Rekor recorded a signature is what lets a verifier confirm that the signature was made while the certificate was still valid.

Gitsign

Gitsign provides a way to sign Git commits using cryptographic signatures, enabling developers to verify the authenticity and integrity of the code changes. Gitsign is designed to integrate with existing Git workflows and can be used with any Git hosting provider. By enabling developers to sign their commits, Gitsign helps to improve the security and transparency of the software supply chain.
