Organizations looking to better understand the lineage of their software artifacts have begun to adopt signing as a way to improve their security posture. By applying digital signatures to software artifacts, trust can be established to verify that assets have not been substituted or tampered with through the software development and delivery process.
Red Hat Trusted Artifact Signer, a key component of Red Hat’s Trusted Software Supply Chain portfolio, provides a suite of tools that supports signing and verifying assets from first commit to deployment. Since Trusted Artifact Signer was first released, it has been available as a Day-2 operator on Red Hat OpenShift. With the release of version 1.2, you can now also deploy the entire Trusted Artifact Signer suite onto a Red Hat Enterprise Linux (RHEL) machine, providing another option for where to run the service.
Additional options without sacrificing functionality
An installation of Trusted Artifact Signer within an RHEL environment will feel familiar to those who have previously deployed the service on OpenShift. Linux containers continue to be the primary delivery vehicle and it relies on the same content source, enabling a consistent experience wherever the service is deployed.
One of the goals associated with the design and implementation of Trusted Artifact Signer on RHEL was to include the same core components and to remain as feature-compatible as possible with the existing OpenShift-based deployment. This includes:
- The entire suite of Trusted Artifact Signer based services, including Fulcio, Rekor, TUF, and a Timestamp Authority
- The ability to expose each of the services using a set of provided TLS certificates
- The ability to utilize external instances of MySQL and/or Redis
You can also now use Cockpit to monitor the deployment of Trusted Artifact Signer on RHEL. Once enabled, the management of container instances can all be governed within a single console using tooling that is familiar with most RHEL administrators.
Simplified installation and configuration using Red Hat Ansible Automation Platform
Ansible Automation Platform is the underlying engine behind the installation and configuration of Trusted Artifact Signer on RHEL. The new redhat.artifact_signer Ansible Content Collection is available for download directly from Red Hat Automation Hub and includes the capabilities to facilitate the entire installation. A wide set of options are available to customize the deployment to suit any operating environment, whether it be in the public cloud, or in an on-premise datacenter. There is also tight integration with Ansible Automation Platform, simplifying how automation teams incorporate the collection within their own workflows.
Installation of Trusted Artifact Signer on RHEL can be completed in three easy steps:
- Create a playbook and include the redhat.artifact_signer Ansible Content Collection
- Customize the Ansible variables to tune the configuration
- Run the playbook to install Trusted Artifact Signer on a RHEL instance
Once the automation completes, you can get started immediately signing and verifying content of your own. All of the command line-based tools, including cosign, gitsign, ec (Enterprise Contract), and more are available and can be downloaded directly from the platform.
Interested in learning more? Explore the following resources:
关于作者
Andrew Block is a Distinguished Architect at Red Hat, specializing in cloud technologies, enterprise integration and automation.
