Securing the software supply chain is paramount in today’s digital world. As more organizations adopt practices like keyless signing to verify the integrity of their software artifacts, the need for robust monitoring against the systems that maintain the software supply chain infrastructure is essential. One such system when signing and verifying content where monitoring can be applied is within the transparency log. While logs are tamper-evident, they are not tamper-proof, making a monitoring solution essential for an immutable and append-only record. This is where the Rekor Monitor comes in, providing an easy-to-use solution for verifying log consistency within a Red Hat Trusted Artifact Signer deployment.
Red Hat Trusted Artifact Signer offers a keyless solution for signing and verifying software artifacts, making it a crucial element within Red Hat’s Trusted Software Supply Chain portfolio. By integrating Rekor-monitor, we can extend the principles of supply chain security by actively verifying the integrity of the private Rekor logs. This powerful combination of a verifiable log and continuous monitoring creates a robust audit trail, ensuring that the software supply chain remains secure, transparent, and compliant.
Rekor-monitor functionality
Rekor-monitor, also known as Rekor Log Monitor, is a tool that continuously checks the integrity of Rekor transparency logs. It is designed to run periodically at a specified interval to verify that the Rekor transparency log remains append-only and immutable. For easy observability, the monitor also exposes Prometheus based metrics, which can be used by monitoring systems to create dashboards and set up alerts based on key metrics. For example, you could configure an alert to notify you immediately if a consistency check fails, indicating a potential compromise of the log.
Enabling Rekor-monitor in Red Hat Trusted Artifact Signer
Rekor-monitor is not enabled within a default deployment of Red Hat Trusted Artifact Signer, but it can be easily included as part of the installation. To enable the Rekor Monitor, simply modify the Securesign custom resource. Using the OpenShift web console, utilize the following steps:
- Navigate to the Operators section and click on Installed Operators.
- From the project drop-down box, select the namespace where Red Hat Trusted Artifact Signer is installed.
- Click on the Red Hat Trusted Artifact Signer operator.
- Navigate to the Securesign tab, and then click the Create Securesign button.
- On the Create Securesign page, select the YAML view to edit the configuration and add the
tlogsection as shown below.
None
spec:
rekor:
...
monitoring:
tlog:
enabled: true
interval: 1mBy setting spec.rekor.monitoring.tlog.enabled to true, the Rekor-monitor component will be deployed. You can also specify the frequency for which the consistency checks are performed using the interval field, as shown above with 1m (1 minute) as the value. This configuration verifies that your Rekor instance is continuously monitored, providing an additional layer of security and integrity verification for your software supply chain.
Note: The example above only shows the tlog section. Ensure that all other required fields for the Securesign custom resource are also populated according to your deployment needs.
Demo
A step-by-step walkthrough of enabling and using Rekor Monitor can be found here.
This monitoring capability will soon also be available for CTlog (certificate transparency log) in RHTAS in upcoming releases.
In summary, supply chain compromises like the most recent npm package incident highlight the critical need for layered defenses beyond strong authentication. Tools like Red Hat Trusted Artifact Signer enable organizations to detect tampering early, build immutable and auditable records, and validate provenance—in turn fostering trust and compliance across the pipeline. By signing, verifying, validating provenance, and tracking artifacts—while continuously monitoring logs—teams can proactively safeguard systems, quickly identify compromised dependencies, and maintain a strong security posture even when no CVEs have been assigned to these malicious packages (because not every vulnerability gets a CVE). Integrating Rekor Monitor with Red Hat Trusted Artifact Signer further ensures continuous verification of transparency log integrity and artifact provenance.
关于作者
Firas Ghanmi is a Software Engineer at Red Hat, specializing in cloud-native application development and contributing to the evolution of the Red Hat Trusted Artifact Signer.
