Using the Enterprise Contract command line


Downloading a binary

Visit the releases page, scroll and expand "Assets". Find the appropriate binary for your system, download it and copy it to somewhere in your path.

For example:

$ curl -sLO
$ chmod 755 ec_linux_amd64
$ sudo mv ec_linux_amd64 /usr/local/bin/ec
$ ec version
$ ec --help

Running with docker or podman

If you have docker or podman installed you can also run ec like this:

$ docker pull
$ docker run

Substitute podman for docker in the above command if you’re using podman. For convenience you could create an alias. For example:

$ alias ec="docker run"
$ ec version
$ ec --help

Some extra work might be needed to make files available inside the container. For example, if your public key is in a file, you need to mount it when running docker:

$ docker run -v ./ validate image ...

Compiling from source

To compile ec from source:

$ git clone
$ cd ec-cli
$ make build
$ sudo cp dist/ec_linux_amd64 /usr/local/bin/ec
$ ec version
$ ec --help

Validating an image

To run ec against a particular container image built by RHTAP, we use the ec validate image command. To see the command options you can use the --help flag, e.g.:

$ ec validate image --help

When validating an image we need to provide three things:

  • The image reference

  • The public key for verifying signatures

  • A policy configuration file which determines what policies are to be applied

For these examples I’m going to use a particular image with a known signing key.

Actually the public key can be provided via the policy configuration, but for these examples we’ll provide it separately using the --public-key flag.

For the sake of more readable examples, let’s create some environment variables and some files for the three pieces of information. For the policy.yaml we’ll download one of the predefined examples.

$ export IMAGE=""

$ echo '-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----' >

$ wget -q

Now we can run ec like this:

$ ec validate image --image "$IMAGE" --public-key --policy policy.yaml --ignore-rekor --output yaml

NOTE: The image used in this example was signed and attested without using Rekor. This is why the --ignore-rekor flag is needed. You may not need this if you’re using a different image.
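
When ec runs from the container as described under "Running with docker or podman", the key and policy files named in this command must exist inside the container. The shell functions below are an added example, not part of the ec project: they check that the key file really contains PEM key material and then print the container command with both files bind-mounted read-only. EC_IMAGE_REF is a placeholder for the ec container image reference, and the /work mount paths and both function names are assumptions.

```shell
# Added example, not part of ec. EC_IMAGE_REF is a placeholder for the ec
# container image; /work and the function names are assumptions.

# Succeed only if the file is a PEM public key with a non-empty base64 body.
is_pem_public_key() {
    [ -r "$1" ] || return 1
    pem=$(grep -v '^[[:space:]]*$' "$1") || return 1
    [ "$(printf '%s\n' "$pem" | head -n 1)" = "-----BEGIN PUBLIC KEY-----" ] || return 1
    [ "$(printf '%s\n' "$pem" | tail -n 1)" = "-----END PUBLIC KEY-----" ] || return 1
    b64=$(printf '%s\n' "$pem" | sed '1d;$d')
    [ -n "$b64" ] || return 1   # markers only: the key material is missing
    # Fail if any line between the markers is not base64 text.
    ! printf '%s\n' "$b64" | grep -qvE '^[A-Za-z0-9+/=]+$'
}

# Print, one argument per line, the command that runs `ec validate image`
# in a container with the key and policy bind-mounted read-only.
# usage: ec_container_cmd RUNTIME IMAGE KEY_FILE POLICY_FILE [extra ec flags]
ec_container_cmd() {
    [ $# -ge 4 ] || { echo "need RUNTIME IMAGE KEY_FILE POLICY_FILE" >&2; return 2; }
    runtime=$1 image=$2 key=$3 policy=$4
    shift 4
    [ -n "${EC_IMAGE_REF:-}" ] || { echo "EC_IMAGE_REF is not set" >&2; return 1; }
    is_pem_public_key "$key" || { echo "not a PEM public key: $key" >&2; return 1; }
    [ -r "$policy" ] || { echo "cannot read policy file: $policy" >&2; return 1; }
    # Use absolute host paths: docker takes a bare name such as key.pub
    # as a named volume, not as a file in the current directory.
    key_abs=$(cd "$(dirname "$key")" && pwd)/$(basename "$key")
    policy_abs=$(cd "$(dirname "$policy")" && pwd)/$(basename "$policy")
    printf '%s\n' "$runtime" run --rm \
        -v "$key_abs:/work/key.pub:ro" \
        -v "$policy_abs:/work/policy.yaml:ro" \
        "$EC_IMAGE_REF" validate image --image "$image" \
        --public-key /work/key.pub --policy /work/policy.yaml "$@"
}
```

A key file that holds only the BEGIN and END marker lines is rejected before any container is started, which catches a key that was pasted without its body.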

Finding the public key

If you’ve run EC at least once using an integration test, as described in Getting started…, the public key is visible in the logs for the pipeline run.

In the future there should be a better way to find the public key file for the signing secret used by Tekton Chains in the RHTAP build system.

You can now modify the policy.yaml file and re-run the ec validate image command to try different policy configurations. See the configuration docs for more information on the policy.yaml file, or take a look at the examples here.