Red Hat Trusted Artifact Signer With Enterprise Contract: Trustable Container Images
Red Hat News, Thursday, February 1st, 2024
Recently, Red Hat announced the technical preview of Red Hat Trusted Artifact Signer which is a production-ready deployment of the Sigstore project for enterprise use. In this article, we will learn how to use Trusted Artifact Signer when signing, attesting and verifying a container image with cosign and Enterprise Contract (EC).
Before starting, we must deploy Trusted Artifact Signer on our Red Hat OpenShift cluster by following Chapter 1 of the Deployment Guide. Be sure to also run the source ./tas-env-variables.sh script to set up the shell variables (URLs) to the Sigstore services endpoints (Fulcio, Rekor etc).
Once Trusted Artifact Signer is up and running, we no longer need to be logged in to the OpenShift cluster: