Red Hat Trusted Artifact Signer

Enables cryptographic signing, verification of software, and provenance metadata.

Try Red Hat Trusted Artifact Signer Contact us
red_hat-trusted_artifact_signer-logo-transparent-background
Overview Getting started

What is Red Hat Trusted Artifact Signer?

Red Hat Trusted Artifact Signer enhances software supply chain security by simplifying cryptographic signing and verification of software artifacts, such as container images, binaries, and documents. Trusted Artifact Signer provides a production-ready deployment of the Sigstore project in Red Hat Trusted Software Supply Chain.

Enterprises adopting it can meet signing-related criteria for achieving Supply Chain Levels for Software Artifacts (SLSA) compliance and have greater confidence in the security and trustworthiness of their software supply chains.

Red Hat Trusted Artifact Signer provides a transparent and secure system for software developers to sign software artifacts, such as binaries and container images. Due to its broad compatibility, integrating its signing and verification features into your existing supply chain is straightforward.

Red Hat Trusted Artifact Signer documentation
sigstore_clients icon.png

Sigstore Clients 

Sigstore Clients are popular Sigstore command-line tools (cosign, gitsign, and rekor-cli) for generating and verifying digital signatures of source code, artifacts, software bills of materials, and container images.
certificate_transparency_icon

Certificate transparency log 

A certificate transparency log is a permanent and immutable ledger or record-keeping system for signing events that is immune to change and remains inaccessible to the public. The log can be queried for making informed decisions on the integrity and authenticity of an artifact, verification of a particular entry, or retrieval of entries.
certificate_authority_icon

Certificate authority

A certificate authority is a free root certification authority that issues short-lived, temporary certificates to an authorized identity and publishes them in a transparency log. It provides the option to use existing self-managed keys maintained in a third-party key management system.

Accelerate application with digital signatures

Ensure authenticity and integrity by increasing trust on artifacts by providing auditable logs, secure signing mechanisms, and user identity verification that enhance the transparency and accountability of the software supply chain. Cryptographic signing provides integrity, non-repudiation and authentication of artifacts.

Reduce complexity by eliminating the need for maintaining a key management system to ensure tamper-free artifacts and containers. We provide identity-based signing through our integration with OpenID Connect (OIDC). This provides easy integration with existing key management systems to authenticate and verify artifacts and containers.

Stay compliant by meeting signing-related criteria for achieving Supply Chain Levels for Software Artifacts (SLSA) standards. Provenance is generated automatically as part of the build process in Red Hat Trusted Application Pipeline, for enterprise contracts integrated with cryptographic signatures to establish a non-repudiable chain of custody, and verify pipeline compliance to industry requirements (SLSA) are met.

trusted_artifact_signer_feature_image

Integratrations

Trusted Artifact Signer is a production-ready deployment of the Sigstore project within an enterprise. Sigstore has witnessed rampant adoption in the open source community. Package managers such as NPM, Python, and Maven are in the process of adopting sigstore for the attestation of all published packages produced within each ecosystem. It has also become the de-facto signing system for containers, having seen Kubernetes standardized on sigstore. Multiple Red Hat products have adopted or are in the process of integrating sigstore, including Podman, Quay, Ansible, Red Hat Advanced Cluster Security (ACS), StoneSoup / HACBS, and Red Hat Trusted Content.

 

Integration icon

Community projects

Sigstore

Sigstore is focused on improving software supply chain security and transparency by enabling easy adoption of cryptographic signing, verification, and provenance of software. It aims to provide a verifiable way to sign, store, and distribute software artifacts using an auditable infrastructure, making it more difficult for attackers to tamper with software. The project was founded by Red Hat in July 2020 and later donated to the Linux Foundation/OpenSSF.

Learn more

Cosign

Cosign provides a simple and secure way to sign and verify container images using cryptographic signatures. It enables developers to sign container images using their own keys or with an OpenID connect identity (by means of fulcio). This then provides a mechanism for verifying those signatures as part of the software supply chain. Cosign is designed to be easy to use and can integrate with existing container image workflows and multiple container registries. It is commonly used in conjunction with fulcio and rekor. However, it also supports full integration with popular Key Management Systems (KMS) like Hashicorp Vault, Google/Azure, and AWS KMS.

Learn more

Fulcio

Fulcio is Sigstore’s public key infrastructure (PKI) service and part of the larger Sigstore initiative. Fulcio provides a publicly auditable, transparent, and secure way to issue and manage digital certificates used for software signing and verification. It is designed to simplify the certificate management process for developers and make it easier to establish trust in the software supply chain, by exchanging certificates for OpenID connect grants. Using Fulcio, a developer can effectively sign an artifact using an OIDC account (Google, Github, Microsoft), and a machine can sign artifacts using a cloud provider’s OIDC infrastructure.

Learn more

Rekor

Rekor provides a transparent and auditable way to store and verify signatures and metadata about software artifacts such as images and provenance information. It leverages the concept of transparency logs to provide a tamper-evident, immutable record of metadata, which can be used to verify the integrity and provenance of software artifacts. Rekor is designed to help improve software supply chain security and enable users to make more informed decisions about the software they use. Rekor can be used on its own, but is commonly deployed along with Fulcio to provide a credible trust root to the OpenID connect signing mechanism.

Learn more

Gitsign

Gitsign provides a way to sign Git commits using cryptographic signatures, enabling developers to verify the authenticity and integrity of the code changes. Gitsign is designed to integrate with existing Git workflows and can be used with any Git hosting provider. By enabling developers to sign their commits, Gitsign helps to improve the security and transparency of the software supply chain.

Learn more

Featured products

trusted profile analyser

Use your software assets with confidence. Curate your trusted content by...

Shield with a checkmark

Consistently code, build, and monitor for a trusted software supply chain...

Trusted Application Platform

Catch vulnerabilities early with a self-serve developer experience imbued...

Featured resources

Trusted software supply chain
Tackling CI/CD Security Anti-Patterns
Getting started with CI/CD Pipeline Security
A blueprint for supply chain security