Sign a container image
The following steps can be used to create the resources necessary to sign a container image and store the signature in an Amazon ECR private repository. Notation signs images by digest, so the signature is bound to the immutable image content rather than to a tag, which can later be pointed at a different image.
To sign an image
1. Create an AWS Signer signing profile using the Notation-OCI-SHA384-ECDSA signing platform. You can optionally specify a signature validity period using the --signature-validity-period parameter. This value may be specified using DAYS, MONTHS, or YEARS. If no validity period is specified, the default value of 135 months is used.

       aws signer put-signing-profile --profile-name ecr_signing_profile --platform-id Notation-OCI-SHA384-ECDSA

   Note
   The signing profile name only supports alphanumeric characters and the underscore (_).

2. Authenticate the Notation client to your default registry. The following example uses the AWS CLI to authenticate the Notation CLI to an Amazon ECR private registry.

       aws ecr get-login-password --region Region | notation login --username AWS --password-stdin 111122223333.dkr.ecr.Region.amazonaws.com

3. Use the Notation CLI to sign the image, specifying the image using the repository name and the SHA digest. This creates the signature and pushes it to the same Amazon ECR private repository that the image being signed is in.

   Note
   You can specify the AWS Region that the Notation plugin uses to interact with AWS Signer by assigning a value to the AWS_DEFAULT_REGION environment variable, or by passing the --plugin-config aws-region=${Region} argument to the Notation sign command.

   In the following example, we are signing an image in the curl repository with SHA digest sha256:ca78e5f730f9a789ef8c63bb55275ac12dfb9e8099e6EXAMPLE. Replace ecrSigningProfileName with the name of the signing profile you created in step 1.

       notation sign 111122223333.dkr.ecr.Region.amazonaws.com/curl@sha256:ca78e5f730f9a789ef8c63bb55275ac12dfb9e8099e6EXAMPLE --plugin "com.amazonaws.signer.notation.plugin" --id "arn:aws:signer:Region:111122223333:/signing-profiles/ecrSigningProfileName"
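The three steps above, wrapped in a small shell script as an added example (this is not code from the AWS documentation or from the Notation project). It validates the two inputs most often got wrong before any command runs: the profile name is checked against the alphanumeric-and-underscore rule the page states, and the image reference is rejected unless it is pinned to a sha256 digest, because a tag can be moved to a different image after signing. After signing it runs the Notation CLI's own `notation list` command so the signature can be seen next to the image in the same repository. It assumes the AWS CLI, the Notation CLI and the AWS Signer Notation plugin are installed and that credentials for the account are available; the account id 111122223333, the Region, the profile name and the script name sign-image.sh are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the AWS documentation: a wrapper around the three
# signing steps that validates inputs before calling the AWS and Notation CLIs.
# Account id 111122223333, the Region and the profile name are placeholders.

# The page states that a profile name may only contain alphanumerics and "_".
valid_profile_name() {
  case "$1" in
    '' | *[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Accept only digest-pinned references (repo@sha256:<64 hex chars>).
# A tag can be re-pointed at a different image later; a digest cannot.
is_digest_reference() {
  local hex
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  hex=${1##*@sha256:}
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Registry host for an account/Region pair, as used in the page's commands.
ecr_registry() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Signing-profile ARN passed to `notation sign --id`.
signing_profile_arn() {
  printf 'arn:aws:signer:%s:%s:/signing-profiles/%s\n' "$1" "$2" "$3"
}

# Step 1: create the signing profile on the Notation-OCI-SHA384-ECDSA platform.
create_profile() {
  valid_profile_name "$1" \
    || { echo "profile name '$1' must match [A-Za-z0-9_]+" >&2; return 2; }
  aws signer put-signing-profile --profile-name "$1" \
    --platform-id Notation-OCI-SHA384-ECDSA
}

# Steps 2 and 3: log Notation in to the registry, sign by digest, then list the
# signatures so the result can be confirmed before the image is deployed.
sign_image() {
  local region=$1 account=$2 profile=$3 reference=$4 registry
  is_digest_reference "$reference" \
    || { echo "refusing to sign '$reference': use repo@sha256:<digest>, not a tag" >&2; return 2; }
  registry=$(ecr_registry "$account" "$region")

  aws ecr get-login-password --region "$region" \
    | notation login --username AWS --password-stdin "$registry" || return 1

  notation sign "$registry/$reference" \
    --plugin com.amazonaws.signer.notation.plugin \
    --plugin-config "aws-region=$region" \
    --id "$(signing_profile_arn "$region" "$account" "$profile")" || return 1

  # Show the signature(s) now attached to this digest in the same repository.
  notation list "$registry/$reference"
}

# Only run the real procedure when invoked with all four arguments, e.g.
#   ./sign-image.sh us-east-1 111122223333 ecr_signing_profile curl@sha256:<digest>
if [ "$#" -eq 4 ]; then
  create_profile "$3" && sign_image "$@"
fi
```

The validation functions are pure string checks, so they can be exercised without AWS access; only create_profile and sign_image contact AWS Signer and the registry.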
Next steps
After you have signed your container image, you can verify the signature locally or during an Amazon EKS deployment and further manage the signature with Amazon ECR.
- Verify an image during deployment on Amazon EKS or Kubernetes clusters
- Manage your signature in your Amazon ECR repository in the Amazon Elastic Container Registry User Guide