Merge pull request #94078 from agantony/ROX29351-rhacs-docs-main

[RHACS] [Docs] ROX-29351: Adding documentation for keyless verification

Author: agantony

modules/common-attributes.adoc

@@ -34,6 +34,7 @@ endif::[]
 :rh-storage-first: Red{nbsp}Hat OpenShift Container Storage
 :rh-storage: OpenShift Container Storage
 :rh-rhacm-first: Red{nbsp}Hat Advanced Cluster Management (RHACM)
+:rh-rhtas-first: Red{nbsp}Hat Trusted Artifact Signer (RHTAS)
 :rh-rhacs-first: Red{nbsp}Hat Advanced Cluster Security for Kubernetes (RHACS)
 :rh-rhacscs-first: Red{nbsp}Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service)
 :rh-rhacm: RHACM

modules/configure-signature-integration.adoc

@@ -0,0 +1,110 @@
+// Module included in the following assemblies:
+//
+// * operating/verify-image-signatures.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="securing-container-images-by-using-signature-integration_{context}"]
+= Securing container images by using signature integration
+
+By creating a signature integration, you can ensure that a trusted source signs the container image. 
+
+When you create a signature integration, you can use the following verification methods:
+
+* Cosign public keys
+* Cosign certificates
+
+You can also enhance signature verification by enabling transparency log validation. 
+The transparency log records the signature in a public log and provides cryptographic proof of its inclusion. 
+You can strengthen verification by adding traceability and increasing trust when you use public keys or certificates.
+
+[IMPORTANT]
+====
+You must configure at least one trusted signer. To configure a trusted signer, you must specify a Cosign public encryption key or a Cosign certificate chain. You can combine multiple image signers in a single signature integration.
+====
+
+.Prerequisites
+
+* You have a Cosign public key which is encoded in Privacy Enhanced Mail (PEM) format.
++ 
+For more information about Cosign public keys, see link:https://docs.sigstore.dev/cosign/signing/overview/[Overview] (Sigstore documentation).
+
+* You have the certificate identity and issuer.
+* Optional: You have a certificate and chain which is encoded in PEM format. 
++
+For more information about Cosign certificates, see link:https://docs.sigstore.dev/cosign/verifying/verify/[Verifying Signatures] (Sigstore documentation).
+
+.Procedure
+
+. In the {product-title-short} portal, click *Platform Configuration* -> *Integrations*.
+. Scroll down to the *Signature Integrations* section, and then click *Signature*.
+. To create a new signature integration, click *New integration*.
+. Enter a name for the integration.
+. To add a new public key, complete the following steps:
++
+[NOTE]
+====
+** If you add a public key, you do not need to create a new certificate verification.
+** You can add one or more public keys.
+====
+.. Expand *Cosign public Keys*, and then click *Add new public key*.
+.. Enter a name for the key. 
+.. Enter a value for the key which is encoded in PEM format.
+. To add a new certificate verification, complete the following steps:
++
+[IMPORTANT]
+====
+** When you create a signature integration, you must add a new certificate verification if you want to use keyless verification for the image signature by using {rh-rhtas-first}.
+** You can add one or more certificate verifications.
+====
+.. Expand *Cosign certificates*, and then click *Add new certificate verification*.
+.. Enter the certificate OIDC issuer that Cosign specifies. You must use regular expressions in RE2 syntax for matching.
++
+For more information, go to the GitHub repository at `google/re2`, open the `Wiki` section, and then select the `Syntax` page.
+.. Enter the certificate identity that Cosign specifies. You must use regular expressions in RE2 syntax for matching.
++
+For more information, go to the GitHub repository at `google/re2`, open the `Wiki` section, and then select the `Syntax` page.
+.. Enter the trusted certificate root which is encoded in PEM format to verify the certificates. If you do not specify the certificate root, the public Fulcio roots are used automatically for verification.  
++
+For more information, see link:https://docs.sigstore.dev/certificate_authority/overview/[Fulcio] (Sigstore documentation).
+.. Enter the trusted signer intermediate certificate authority to verify the certificates. If you do not specify the certificate authority, the certificate chain is used automatically for verification.
+.. Optional: Select the *Enable certificate transparency log validation* checkbox to validate the proof of inclusion into the certificate transparency log.
++
+Enter the public key that you want to use to validate the proof of inclusion into the certificate transparency log.
+If you do not specify the public key, the key of the public Sigstore instance is used automatically for validation.
+. To configure the transparency log, complete the following steps:
++
+[NOTE]
+====
+When you create a signature integration, you can enable the validation of transparency logs in the following situations:
+
+** When the signatures contain short-lived certificates that Fulcio issues.
+** When you want to use keyless verification of the signatures.
+** To verify the signatures, when you use a public key.
+====
+.. Select the *Enable transparency log validation* checkbox to validate the inclusion of the signature in a transparency log.
++
+Enter the URL where the Rekor transparency log is available. If you do not specify the URL, the public Rekor instance of Sigstore is used automatically for validation.
++
+[NOTE]
+====
+The Rekor URL is required for online confirmation of the inclusion into the transparency log.
+====
+.. Optional: Select the *Validate in offline mode* checkbox to force the offline validation of the signature proof of inclusion into the transparency log.
++
+[NOTE]
+====
+You can force the offline validation of the signature proof of inclusion into the transparency log only if you have enabled the validation of the transparency log.
+====
++
+Enter the public key to validate the signature proof of inclusion into the Rekor transparency log.
+If you do not specify the public key, the key of the public Sigstore instance is used automatically for validation.
+. Click *Save*.
+
+.Verification
+
+. In the {product-title-short} portal, click *Platform Configuration* -> *Integrations*.
+. Scroll down to the *Signature Integrations* section, and then click *Signature*.
+. Verify that the creation of the signature integration was successful.
+. Optional: Choose the appropriate method to manage the signature integration that you have created:
+** To delete the signature integration, click the overflow menu {kebab} and then select *Delete Integration*.
+** To edit the signature integration, click the overflow menu {kebab} and then select *Edit Integration*.

modules/securing-container-images-by-using-signature-integration.adoc

@@ -0,0 +1,43 @@
+// Module included in the following assemblies:
+//
+// * operating/verify-image-signatures.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="verifying-image-signatures-to-ensure-image-integrity_{context}"]
+= Verifying image signatures to ensure image integrity
+
+To verify image integrity, you must check that a trusted source signed the image.
+If you have enabled transparency log validation for your signature integration, you must also confirm that the scan includes a valid transparency log bundle. 
+
+For multi-architecture images, you must sign both the index and architecture-specific digests to avoid runtime resolution issues.
+
+.Prerequisites
+
+* You have created a signature integration.
++
+For more information about how to create a signature integration, see "Securing container Images by using signature integration". 
+
+.Procedure
+
+* To scan an image signature by using the `roxctl` CLI, run the following command:
++
+[source,terminal]
+----
+$ roxctl image scan \
+--image=<registry>/<repository>/<image>@<digest> \
+--force-insecure-skip-tls-verify
+----
++
+where:
++
+--
+`<registry>`:: Specifies the container image registry. For example, `quay.io`.
+`<repository>`:: Specifies the repository of the container image. For example, `quay`.
+`<image>`:: Specifies the name of the container image that you want to scan. For example, `busybox`.
+`<digest>`:: Specifies the digest of the container image. For example, `sha256:92f3298bf80a1ba949140d77987f5de081f010337880cd771f7e7fc928f8c74d`.
+--
++
+Verify that the output includes the signature. 
+If transparency log validation is enabled for your signature integration, verify that the output includes the Rekor bundle with the proof of inclusion into the transparency log. 
++
+If certificate verification is enabled for your signature integration, verify that the output includes the certificate verification data.

modules/verifying-image-signatures-to-ensure-image-integrity.adoc

@@ -13,18 +13,30 @@ You can also enforce the policy by using the {product-title-short} admission con
 
 [NOTE]
 ====
-* {product-title-short} only supports Cosign signatures and Cosign Public Keys/Certificates verification. For more information about Cosign, see link:https://docs.sigstore.dev/cosign/overview[Cosign overview].
-* For Cosign signature verification, {product-title-short} does not support communication with the transparency log link:https://docs.sigstore.dev/logging/overview/[Rekor].
+* {product-title-short} supports Cosign signature verification by using Cosign public keys, Cosign certificates, or both.
++
+For more information about Cosign, see link:https://docs.sigstore.dev/cosign/signing/overview/[Overview] (Sigstore documentation).
+* For Cosign signature verification, {product-title-short} supports communication with the transparency log. 
++
+For more information, see link:https://docs.sigstore.dev/logging/overview/[Rekor] (Sigstore documentation).
+* For Cosign signature verification, you can use keyless verification with {product-title-short}. If you want to host the key infrastructure yourself, you can do this by using {rh-rhtas-first}.
 * You must configure signature integration with at least 1 Cosign verification method for signature verification.
 * For all deployed and watched images:
 ** {product-title-short} fetches and verifies the signatures every 4 hours.
 ** {product-title-short} verifies the signatures whenever you change or update your signature integration verification data.
 ====
 
-//Configuring signature integration
-include::modules/configure-signature-integration.adoc[leveloffset=+1]
+//Securing container images by using signature integration
+include::modules/securing-container-images-by-using-signature-integration.adoc[leveloffset=+1]
 
-//Using signature verification
+//Verifying image signatures to ensure image integrity
+include::modules/verifying-image-signatures-to-ensure-image-integrity.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+* xref:../operating/verify-image-signatures.adoc#securing-container-images-by-using-signature-integration_verify-image-signatures[Securing container images by using signature integration]
+
+//Using signature verification in a policy
 include::modules/use-signature-verification.adoc[leveloffset=+1]
 
 [role="_additional-resources"]