문의하기

As a follow-up to my introduction of simple signing, I’m excited to announce that Red Hat is now serving signatures for Red Hat Container Catalog Images!

In May, Red Hat announced the Container Health Index, providing an aggregate safety rating for container images in our public registry. As part of our commitment to delivering trusted content, we are now serving signed images. This means that customers can now configure a Red Hat Enterprise Linux host to cryptographically verify that images have come from Red Hat when they are pulled onto the system. This is a significant step in advancing the security of container hosts, providing assurance of provenance and integrity and enabling non-repudiation. Non-repudiation simply means that the signer cannot deny their signature—a key security principle for digital transactions.

The configuration can be performed in a single command, demonstrated in this 60-second video.

http://www.youtube.com/watch?v=863Pn5m1Xks&rel=0

Atomic CLI “trust” manages the trusted registries for a host system. Here’s the command from the video:

# atomic trust add \
--pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release \
--sigstore https://access.redhat.com/webassets/docker/content/sigstore \
registry.access.redhat.com

Let’s look at each argument of the command:

  1. This command is adding a new trust rule to the system.
  2. The trusted public key is the same key used for RPMs. It’s critical that this key is indeed Red Hat’s public key so we’re using the installed key. This key can be verified with rpm --verify redhat-release-atomic-host.
  3. The signature server, or “sigstore”, is the web server that contains the signatures. Tools like docker daemon will find the signatures using the image name and digest hash.
  4. Trust is associated with the registry.access.redhat.com registry. Once you execute this command all images from this registry will require a signature.

The demonstration uses docker-latest, version 1.13, while an issue in docker version 1.12 is being resolved. To try this out, be sure to enable signature verification in the docker daemon. Signatures are only being applied to Red Hat's images at this time. Certified partner images in registry.connect.redhat.com are not signed at this time.

See Red Hat Enterprise Linux Atomic Host documentation and the Container Image Signing Integration Guide for more information, including how to use the atomic CLI to manage registry trust, signing images and options for distributing signatures.


Red Hat logoLinkedInYouTubeFacebookTwitter

제품

체험, 구매 & 영업

커뮤니케이션

Red Hat 소개

Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.

Red Hat Shares 뉴스레터를 구독하세요

지금 신청하기

언어 선택