securesign/secure-sign-operator

RHTAS Operator

Red Hat Trusted Artifact Signer (RHTAS) operator deploys a production-ready Sigstore infrastructure on OpenShift and Kubernetes.

Description

Red Hat Trusted Artifact Signer enhances software supply chain security by simplifying cryptographic signing and verification of software artifacts, such as container images, binaries, and documents. It provides a production-ready deployment of the Sigstore project within an enterprise. Enterprises adopting it can meet signing-related criteria for achieving Supply Chain Levels for Software Artifacts (SLSA) compliance and have greater confidence in the security and trustworthiness of their software supply chains.

Installation

  • OpenShift — Install from OperatorHub or via kustomize
  • Kubernetes — Install via kustomize (EKS included)

Getting Started

Once the operator is installed, deploy the signing infrastructure by creating a Securesign CR. You will need an OIDC provider (e.g., Keycloak, Amazon Cognito).

  1. Modify the sample CR for your environment (OIDC issuer, certificate details, external access), then apply it:

     kubectl apply -f config/samples/rhtas_v1alpha1_securesign.yaml -n <operator-namespace>

     The operator deploys Fulcio, Rekor, Trillian, CTlog, TUF, and optionally a Timestamp Authority.

  2. Initialize the TUF root of trust:

     cosign initialize --mirror=https://tuf.<your-domain>/ --root=https://tuf.<your-domain>/root.json

  3. Sign an image (Fulcio and Rekor URLs are resolved from the TUF configuration):

     cosign sign -y <image>

  4. Verify signatures:

     cosign verify --certificate-identity-regexp ".*@example" \
       --certificate-oidc-issuer-regexp ".*keycloak.*" <image>
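
The verify step above uses broad regexps, which is convenient for a first test but too loose for a CI gate. The wrapper below is an added example, not code from the operator repository: it derives the TUF URLs for a deployment domain, refuses identity or issuer values that look like patterns, and calls `cosign verify` with exact `--certificate-identity` and `--certificate-oidc-issuer` matching so a signature from any other signer or issuer fails closed. It assumes `cosign` is on PATH and that `cosign initialize` has already been run against the deployment's TUF mirror; the domain, identity and issuer values are placeholders you supply.

```shell
#!/bin/sh
# Added example (not part of secure-sign-operator): fail-closed image
# verification against an RHTAS / Sigstore deployment.

# Derive the TUF mirror and root URLs from the deployment domain, matching
# the URL layout used in the "cosign initialize" step of the README.
tuf_mirror_url() { printf 'https://tuf.%s/' "$1"; }
tuf_root_url()   { printf 'https://tuf.%s/root.json' "$1"; }

# With exact matching, a value such as ".*@example" would never match a
# real certificate, so a verification that "passes" could only be a
# misconfiguration. Reject empty values and anything containing regex
# metacharacters up front, so the policy error is explicit.
is_exact_value() {
  case "$1" in
    ''|*'*'*|*'['*|*'('*|*'?'*) return 1 ;;
    *) return 0 ;;
  esac
}

# verify_image IMAGE IDENTITY ISSUER
# Exit status 2 = policy input rejected, otherwise cosign's own status
# (non-zero means the image must not be deployed).
verify_image() {
  image=$1; identity=$2; issuer=$3
  is_exact_value "$identity" || { echo "identity must be exact, not a pattern: '$identity'" >&2; return 2; }
  is_exact_value "$issuer"   || { echo "issuer must be exact, not a pattern: '$issuer'" >&2; return 2; }
  cosign verify \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$issuer" \
    "$image"
}

# Only run when invoked as a script with the three arguments, e.g.
#   ./verify.sh registry.example.com/app:1.2.3 ci@example.com https://keycloak.example.com/realms/sigstore
if [ "$#" -eq 3 ]; then
  verify_image "$1" "$2" "$3"
fi
```

Run `cosign initialize --mirror="$(tuf_mirror_url example.com)" --root="$(tuf_root_url example.com)"` once per build agent before calling `verify_image`, substituting your own domain.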

Components

| Component | Description |
|-----------|-------------|
| Fulcio | Issues code-signing certificates based on OIDC identity |
| Rekor | Transparency log recording signatures and attestations |
| Trillian | Backend Merkle tree for Rekor and CTlog |
| CTlog | Certificate transparency log for Fulcio certificates |
| TUF | Distributes and rotates cryptographic trust roots |
| TSA | RFC 3161 timestamp authority (optional) |

Uninstall

See the uninstall section in the OpenShift or Kubernetes guide.

Development

See DEVELOPMENT.md for building, testing, and contributing.

About

Kubernetes Operator for deploying and managing Sigstore components like Fulcio, Rekor, TSA, and TUF.