How to Integrate with RHTAS for Image Signature Validation
Overview
The Red Hat Trusted Artifact Signer (RHTAS) provides an enterprise-grade, Red Hat-supported implementation of the Sigstore project for securely signing and verifying container images and other software artifacts.
When integrated with Kubernetes or OpenShift admission control, RHTAS enables organizations to enforce signature verification policies that ensure only trusted and verifiable images are admitted to clusters.
RHTAS includes the full Sigstore stack:
- Fulcio: issues short-lived, OIDC-based signing certificates.
- Rekor: records immutable transparency logs of signing events.
- TUF: distributes and manages trust roots for verification.
Together, these components create a verifiable chain of trust that prevents tampering, strengthens supply chain integrity, and simplifies compliance for signed artifacts.
For more information, see the Red Hat Trusted Artifact Signer documentation.
Purpose of Admission Control Integration
Integrating RHTAS with Sysdig allows Kubernetes and OpenShift administrators to enforce admission-time verification of container images.
This ensures that only signatures issued by your RHTAS instance and by your organization's trusted identities are accepted.
During deployment, Sysdig verifies each image against the configured RHTAS trust root and OIDC identity to ensure that:
- Only verified images signed through RHTAS are admitted to the cluster.
- Supply chain integrity is maintained from build to production.
- Tampering and substitution attacks are blocked before execution.
- Compliance frameworks (for example, SLSA or NIST 800-204D) are supported through transparent verification and logging.
Benefits
| Capability | Description | 
|---|---|
| Policy-driven enforcement | Integrates with Sysdig Admission Control to automatically reject unsigned or invalid images. | 
| Identity-based verification | Uses Fulcio-issued short-lived certificates tied to developer or system OIDC identities. | 
| Immutable transparency logs | Rekor maintains tamper-evident logs for all signing events. | 
| Consistent trust model | Applies the same RHTAS trust root across build, registry, and runtime environments. | 
| Operational simplicity | Red Hat manages and supports the Sigstore components, reducing PKI complexity. | 
Summary
Integrating RHTAS with Sysdig Cluster Shield extends software supply chain trust directly into Kubernetes and OpenShift admission control.
This ensures that only authentic, verifiable container images signed by your RHTAS instance are deployed. It strengthens runtime security and maintains a provable chain of custody from build to production.
Configuration
Cluster Shield
To enable verification against your RHTAS instance, configure Sysdig Cluster Shield with your RHTAS trust root details.
Cluster Shield performs runtime verification using the TUF root and checksum you provide.
You need the following from your RHTAS deployment:
- RHTAS hostname (for example: rhtas.apps.acme-cluster.example.com)
- TUF root file URL (for example: https://tuf.rhtas.apps.acme-cluster.example.com/root.json)
- TUF root checksum (SHA-256 or SHA-512 format)
Using the Sysdig Shield Helm chart, configure the following parameters:
```yaml
features:
  supply_chain:
    enabled: true
    image_signature:
      cosign:
        mirror: https://tuf.rhtas.apps.acme-cluster.example.com
        # Optional: only override if your root differs from the default RHTAS location
        root: https://tuf.rhtas.apps.acme-cluster.example.com/example/root.json
        root_checksum: sha256:8d31cb9e6b5f89c224e621e1eac5e4d3bcd20a02e31d69394f0f8b62f88e743c
```
Policy Configuration
All trust and identity settings for signature verification are defined in the Sysdig backend Image Signature Validation Policy.
To validate signatures created by RHTAS, configure your policy using the OIDC Provider mechanism:
- Set the OIDC Issuer to match your RHTAS Fulcio issuer endpoint (for example, https://keycloak.rhtas.apps.acme-cluster.example.com/realms/trusted-artifacts).
- Define the Certificate Identity corresponding to the signing user, service account, or build system (regex supported).
- Optionally provide a Certificate Chain in PEM format to override the default TUF-rooted trust chain used by Cluster Shield.
Example
| Field | Example Value | Description | 
|---|---|---|
| OIDC Issuer | ^https://keycloak.rhtas.apps.acme-cluster.example.com/realms/trusted-artifacts$ | OIDC issuer used by your RHTAS Fulcio instance. | 
| Certificate Identity | ^system:serviceaccount:ci-pipeline:signer$ | Identity pattern for the signer. | 
| Certificate Chain (optional) | PEM-encoded chain of intermediate and root certs. | Used to override the default trust chain if required. | 
Example Certificate Chain in PEM Format
```text
-----BEGIN CERTIFICATE-----
MIIGczCCBJegAwIBAgIQDk... (Server Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF7jCCA9mgAwIBAgIQ... (Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF7jCCA9mgAwIBAgIQ... (Root Certificate)
-----END CERTIFICATE-----
```
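A pre-flight check for the two settings described above (the pinned `root_checksum` in the Cluster Shield values and the issuer/identity regexes in the policy), as an added example that is not Sysdig or Red Hat code. It assumes the checksum is compared as the `<algo>:<hex>` string shown in the Helm values, and that the policy regexes are applied with unanchored search semantics to the issuer and subject of the Fulcio signing certificate, which is why the page's patterns carry `^` and `$`; the root.json bytes are constructed.

```python
import hashlib
import re

# Constructed sample TUF root; a real one is the root.json served by the
# RHTAS TUF mirror. Only its bytes matter for the checksum check.
SAMPLE_ROOT_JSON = b'{"signed":{"_type":"root","version":1},"signatures":[]}'

# Policy values from this page, with dots escaped so they match only a
# literal '.' (an unescaped '.' would also match any other character).
POLICY = {
    "oidc_issuer": r"^https://keycloak\.rhtas\.apps\.acme-cluster\.example\.com/realms/trusted-artifacts$",
    "certificate_identity": r"^system:serviceaccount:ci-pipeline:signer$",
}


def checksum_for_root(root_bytes: bytes, algorithm: str = "sha256") -> str:
    """Return the digest in the '<algo>:<hex>' form used by root_checksum."""
    if algorithm not in ("sha256", "sha512"):
        raise ValueError("root_checksum supports only sha256 or sha512")
    return f"{algorithm}:{hashlib.new(algorithm, root_bytes).hexdigest()}"


def root_checksum_matches(root_bytes: bytes, configured: str) -> bool:
    """Check a fetched root.json against the pinned root_checksum value.

    A mismatch means the mirror served a different trust root than the one
    the chart was configured with, so nothing verified against it is trusted.
    """
    algorithm, _, digest = configured.partition(":")
    if algorithm not in ("sha256", "sha512") or not digest:
        return False
    return checksum_for_root(root_bytes, algorithm) == configured.lower()


def policy_accepts(policy: dict, issuer: str, identity: str) -> bool:
    """Apply the policy regexes to the OIDC issuer and subject identity
    carried in a Fulcio-issued signing certificate.

    Assumption: unanchored search, as with cosign's --certificate-*-regexp
    flags, so a pattern without ^ and $ also accepts longer identities.
    """
    return (re.search(policy["oidc_issuer"], issuer) is not None
            and re.search(policy["certificate_identity"], identity) is not None)
```

Run the checksum function against the root.json your mirror actually serves before pinning the value in the chart; a tampered or rotated root fails the comparison rather than silently changing the trust anchor.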
Example Use Cases
- Enforce that all workloads running in production are signed by your internal RHTAS instance.
- Prevent deployment of unsigned or third-party images.
- Support compliance frameworks requiring verifiable software provenance and signing attestations.