Using the Enterprise Contract command line

Installation

Downloading a binary

Visit the releases page, scroll and expand "Assets". Find the appropriate binary for your system, download it and copy it to somewhere in your path.

For example:

$ curl -sLO https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64
$ chmod 755 ec_linux_amd64
$ sudo mv ec_linux_amd64 /usr/local/bin/ec
$ ec version
$ ec --help

Running with docker or podman

If you have docker or podman installed you can also run ec like this:

$ docker pull quay.io/enterprise-contract/ec-cli:snapshot
$ docker run quay.io/enterprise-contract/ec-cli:snapshot

Substitute podman for docker in the above command if you’re using podman. For convenience you could create an alias. For example:

$ alias ec="docker run quay.io/enterprise-contract/ec-cli:snapshot"
$ ec version
$ ec --help
There might be some extra work needed to mount files inside the container, for example, if your public key is in a file, you would need to mount it when running docker.
$ docker run -v ./key.pub:/tmp/key.pub:Z quay.io/enterprise-contract/ec-cli:snapshot validate image ...

Compiling from source

To compile ec from source:

$ git clone git@github.com:enterprise-contract/ec-cli.git
$ cd ec-cli
$ make build
$ sudo cp dist/ec_linux_amd64 /usr/local/bin/ec
$ ec version
$ ec --help

Validating an image

To run ec against a particular container image built by RHTAP, we use the ec validate image command. To see the command options you can use the --help flag, e.g.:

$ ec validate image --help

When validating an image we need to provide three things:

  • The image reference

  • The public key for verifying signatures

  • A policy configuration file which determines what policies are to be applied

For these examples I’m going to use a particular image with a known signing key.

Actually the public key can be provided via the policy configuration, but for these examples we’ll provide it separately using the --public-key flag.

For the sake of more readable examples, let’s create some environment variables and some files for the three pieces of information. For the policy.yaml we’ll download one of the predefined examples.

$ export IMAGE="quay.io/redhat-appstudio/ec-golden-image:latest"

$ echo '-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA
naYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==
-----END PUBLIC KEY-----' > key.pub

$ wget -q https://github.com/enterprise-contract/config/raw/main/slsa3/policy.yaml

Now we can run the ec like this:

$ ec validate image --image "$IMAGE" --public-key key.pub --policy policy.yaml --ignore-rekor --output yaml

NOTE:The image used in this example was signed and attested without using Rekor. This is why the --ignore-rekor flag is needed. You may not need this if you’re using a different image

Finding the public key

If you’ve run EC at least once using an integration test, as described in Getting started…​, the public key is visible in the logs for the pipeline run.

In the future there should be a better way to find the public key file for the signing secret used by Tekton Chains in the RHTAP build system.

You can now modify the policy.yaml file and re-run the ec validate image command to try different policy configurations. See the configuration docs for more information on the policy.yaml file, or take a look at the examples here.