Using the Enterprise Contract command line
Visit the releases page, scroll and expand "Assets". Find the appropriate binary for your system, download it and copy it to somewhere in your path.
$ curl -sLO https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64
$ chmod 755 ec_linux_amd64
$ sudo mv ec_linux_amd64 /usr/local/bin/ec
$ ec version
$ ec --help
If you have docker or podman installed you can also run ec like this:
$ docker pull quay.io/enterprise-contract/ec-cli:snapshot
$ docker run quay.io/enterprise-contract/ec-cli:snapshot
Use podman instead of docker in the above command if you're using podman.
For convenience you could create an alias. For example:
$ alias ec="docker run quay.io/enterprise-contract/ec-cli:snapshot"
$ ec version
$ ec --help
NOTE: Some extra work may be needed to mount files inside the container. For example, if your public key is in a file, you need to mount it when running docker:
$ docker run -v ./key.pub:/tmp/key.pub:Z quay.io/enterprise-contract/ec-cli:snapshot validate image ...
To run ec against a particular container image built by RHTAP, we use the ec validate image command. To see the command options you can use the --help flag, e.g.:
$ ec validate image --help
When validating an image we need to provide three things:
The image reference
The public key for verifying signatures
A policy configuration file which determines what policies are to be applied
For these examples I'm going to use a particular image with a known signing key. The public key can also be provided via the policy configuration, but for these examples we'll provide it separately using the --public-key flag.
For the sake of more readable examples, let's create some environment variables and some files for the three pieces of information. For the policy configuration we'll download one of the predefined examples.
$ export IMAGE="quay.io/redhat-appstudio/ec-golden-image:latest"
$ echo '-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZP/0htjhVt2y0ohjgtIIgICOtQtA
naYJRuLprwIv6FDhZ5yFjYUEtsmoNcW7rx2KM6FOXGsCX3BNc7qhHELT+g==
-----END PUBLIC KEY-----' > key.pub
$ wget -q https://github.com/enterprise-contract/config/raw/main/slsa3/policy.yaml
Now we can run ec like this:
$ ec validate image --image "$IMAGE" --public-key key.pub --policy policy.yaml --ignore-rekor --output yaml
NOTE: The image used in this example was signed and attested without using Rekor, which is why the --ignore-rekor flag is needed. You may not need it if you're using a different image. Drop the flag whenever the image's signatures were recorded in Rekor, so that the transparency log check is not silently skipped.
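The following wrapper is an added example written for this page; it is not part of the ec-cli project. It ties together the container mount caveat above and the validation run: it checks that the three required inputs exist before ec is started, runs the local ec binary when one is on PATH and otherwise the container image with the working directory mounted, only passes --ignore-rekor when asked to, and reads the YAML report to find the top-level success flag. The function names and the EC_IMAGE variable are this example's own; the ec flags are the ones used in the command above.

```shell
#!/usr/bin/env bash
# Added example, not ec-cli project code. Wraps `ec validate image` so the
# three inputs (image reference, public key file, policy file) are checked
# first, then runs ec either from PATH or from the container image.
set -eu

# Container image to use when no `ec` binary is on PATH (variable name is
# this example's own).
: "${EC_IMAGE:=quay.io/enterprise-contract/ec-cli:snapshot}"

# Print the argument list for `ec validate image`, one argument per line.
# Usage: ec_validate_args IMAGE KEY_FILE POLICY_FILE [yes|no]
# The optional fourth argument adds --ignore-rekor. It defaults to "no", so
# the Rekor transparency log check is skipped only when explicitly requested.
ec_validate_args() {
  local image=$1 key=$2 policy=$3 ignore_rekor=${4:-no}
  [ -n "$image" ] || { echo "ec_validate_args: empty image reference" >&2; return 1; }
  [ -r "$key" ] || { echo "ec_validate_args: cannot read public key file: $key" >&2; return 1; }
  [ -r "$policy" ] || { echo "ec_validate_args: cannot read policy file: $policy" >&2; return 1; }
  printf '%s\n' validate image --image "$image" --public-key "$key" \
    --policy "$policy" --output yaml
  if [ "$ignore_rekor" = yes ]; then
    printf '%s\n' --ignore-rekor
  fi
}

# Run the validation and print the YAML report on stdout.
# Uses a local `ec` binary when present; otherwise runs the container image
# with the current directory mounted at /work (the :Z suffix relabels it for
# SELinux, as in the docker command above). In the container case KEY_FILE and
# POLICY_FILE must therefore be paths relative to the current directory.
ec_validate() {
  ec_validate_args "$@" >/dev/null || return 1
  local rekor=
  if [ "${4:-no}" = yes ]; then
    rekor=--ignore-rekor
  fi
  # $rekor is deliberately unquoted: it is either empty or a single flag.
  if command -v ec >/dev/null 2>&1; then
    ec validate image --image "$1" --public-key "$2" --policy "$3" --output yaml $rekor
  else
    docker run --rm -v "$PWD:/work:Z" -w /work "$EC_IMAGE" \
      validate image --image "$1" --public-key "$2" --policy "$3" --output yaml $rekor
  fi
}

# Read a `--output yaml` report on stdin and succeed only if the top-level
# (column 0) `success: true` line is present. Per-component success lines in
# the report are indented, so they do not match.
ec_report_passed() {
  grep -q '^success: true$'
}
```

With the variables and files from the steps above, `ec_validate "$IMAGE" key.pub policy.yaml yes | tee report.yaml` runs the same command as the example, and `ec_report_passed < report.yaml` gives a pass/fail exit status for the saved report that a pipeline step can gate on.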
If you’ve run EC at least once using an integration test, as described in Getting started…, the public key is visible in the logs for the pipeline run.
NOTE: In the future there should be a better way to find the public key file for the signing secret used by Tekton Chains in the RHTAP build system.
You can now modify the policy.yaml file and re-run the ec validate image command to try different policy configurations. See the configuration docs for more information on the policy.yaml file, or take a look at the examples.
See also the how-to on reproducing the Enterprise Contract output from an RHTAP integration test.