Red Hat Trusted Artifact Signer

Enables cryptographic signing, verification of software and provenance metadata

Red Hat Trusted Artifact Signer enhances software supply chain security by simplifying cryptographic signing and verifying of software artifacts, such as container images, binaries and documents. Trusted Artifact Signer provides a production ready deployment of the Sigstore project in Red Hat Trusted Software Supply Chain.

Enterprises adopting it can meet signing-related criteria for achieving Supply Chain Levels for Software Artifacts (SLSA) compliance and have greater confidence in the security and trustworthiness of their software supply chains.

Sigstore Clients

 

Sigstore Clients 

Popular Sigstore command line tools (cosign, gitsign & rekor-cli) for generating and verifying digital signatures of source code, artifacts, software bills of materials, and container images.

Certificate authority

 

Certificate transparency log 

A permanent and immutable ledger or record-keeping system for signing events that is immune to change and remains inaccessible to the public. The log can be queried for making informed decisions on the integrity and authenticity of an artifact, verification of a particular entry, or retrieval of entries.

Certificate authority

 

Certificate authority

A free root certification authority that issues short-lived, temporary certificates to an authorized identity and publishes them in a transparency log. It provides the option to use existing self-managed keys maintained in a third party key management system.

Accelerate application delivery to let organizations innovate faster by allowing developers to use digital signatures on every step of the CI/CD workflow and deliver tamper-free artifacts across the software supply chain.  Provides a simplified user experience for creating and validating digital signatures on artifacts across hybrid cloud environments.

 

Extended Overview Section
Ensure authenticity and integrity

Ensure authenticity and integrity by increasing trust on artifacts by providing auditable logs, secure signing mechanisms, and user identity verification that enhance the transparency and accountability of the software supply chain. Cryptographic signing provides integrity, non-repudiation and authentication of artifacts.

 

Reduce complexity

Reduce complexity by eliminating the need for maintaining a key management system to ensure tamper-free artifacts and containers. We provide identity-based signing through our integration with OpenID Connect (OIDC). This provides easy integration with existing key management systems to authenticate and verify artifacts and containers.

 

Stay compliant.

Stay compliant: by meeting signing-related criteria for achieving Supply Chain Levels for Software Artifacts (SLSA) standards. Provenance is generated automatically as part of the build process in Red Hat Trusted Application Pipeline, for enterprise contracts integrated with cryptographic signatures to establish a non-repudiable chain of custody, and verify pipeline compliance to industry requirements (SLSA) are met.

Integrations

Trusted Artifact Signer is a production ready deployment of the Sigstore project within an enterprise. Sigstore has witnessed rampant adoption in the open source community. Package managers such as NPM, Python and Maven are in the process of adopting sigstore for the attestation of all published packages produced within each ecosystem. It has also become the de-facto signing system for containers, having seen Kubernetes standardized on sigstore. Multiple Red Hat products have adopted or are in the process of integrating sigstore (including Podman, Quay, Ansible, Red Hat Advanced Cluster Security (ACS), StoneSoup / HACBS, Red Hat Trusted Content.

Integration

Community projects

 

Sigstore

Sigstore is  focused on improving software supply chain security and transparency by enabling easy adoption of cryptographic signing, verification and provenance of software. It aims to provide a verifiable way to sign, store, and distribute software artifacts using an auditable infrastructure, making it more difficult for attackers to tamper with software. The project was founded by Red Hat in July 2020 and later donated to the Linux Foundation / OpenSSF.

Cosign

Cosign provides a simple and secure way to sign and verify container images using cryptographic signatures. It enables developers to sign container images using their own keys or with an OpenID connect identity (by means of fulcio). This then provides a mechanism for verifying those signatures as part of the software supply chain. Cosign is designed to be easy to use and can integrate with existing container image workflows and multiple container registries. It is commonly used in conjunction with fulcio and rekor, however it also supports full integration with popular Key Management Systems (KMS) like Hashicorp Vault, Google / Azure and AWS KMS.

Fulcio

Fulcio is Sigstore’s public key infrastructure (PKI) service and part of the larger sigstore initiative. Fulcio provides a publicly auditable, transparent, and secure way to issue and manage digital certificates used for software signing and verification. It is designed to simplify the certificate management process for developers and make it easier to establish trust in the software supply chain, by exchanging certificates for OpenID connect grants. Using fulcio, a developer can effectively sign an artifact using an OIDC account (Google, Github, Microsoft) and a machine can sign artifacts using a cloud provider’s OIDC infrastructure.

Rekor

Rekor provides a transparent and auditable way to store and verify signatures and metadata about software artifacts such as images  and provenance information. It leverages the concept of transparency logs to provide a tamper-evident, immutable record of metadata, which can be used to verify the integrity and provenance of software artifacts. Rekor is designed to help improve software supply chain security and enable users to make more informed decisions about the software they use. Rekor can be used on its own, but is commonly deployed along with Fulcio to provide a credible trust root to the OpenID connect signing mechanism.

Gitsign

Gitsign provides a way to sign Git commits using cryptographic signatures, enabling developers to verify the authenticity and integrity of the code changes. Gitsign is designed to integrate with existing Git workflows and can be used with any Git hosting provider. By enabling developers to sign their commits, Gitsign helps to improve the security and transparency of the software supply chain.

 

Latest articles

 hero image
Jun 17, 2024

Protect apps with Red Hat build of Keycloak and Active Directory Federation Services

Torbjorn Dahlen

Learn how to set up Red Hat build of Keycloak as an Identity Broker on...

2020 Authentication Author Keycloak
May 23, 2024

How to install and migrate to Red Hat build of Keycloak

Pablo Castelo +1

This article guides you through migrating from Red Hat single sign-on to Red...

Supply Chain Security? Hey, I’m a developer—why should I care?

Supply Chain Security? Hey, I’m a developer—why should I care?

Featured image for Red Hat Trusted Software Supply Chain.
Apr 18, 2024

Red Hat Trusted Software Supply Chain is now available

Markus Nagel

Discover how Red Hat Trusted Software Supply Chain makes it easier to create,...