Create a Signer signing profile

Before you can perform signing jobs, you must create a signing profile. A signing profile is unique AWS Signer resource that you can use to perform signing jobs. Signing profiles enable you to sign and verify code artifacts, such as container images and AWS Lambda deployment bundles. Each signing profile designates the signing platform to sign for, a platform ID, and other platform-specific information.

You can create, list, and cancel signing profiles using the Signer console, AWS CLI, or API. Signer manages the code signing certificate and keys associated for only AWS Lambda and Container images workflows. For Internet of Things (IoT) workflows, you can import your own code signing certificate into AWS Certificate Manager.

Console

This section describes the procedures and options for creating a signing profile from the AWS console.

To create a signing profile

Log into the AWS Signer console.
Choose Create signing profile.
On the Create signing profile page, provide a unique Profile name for your signing profile. Valid characters include uppercase A-Z, lowercase a-z, numbers 0-9, and underscore (_).

For Signing platform, choose one of the listed platforms.

API name	Display name
`AWSLambda-SHA384-ECDSA`	AWS Lambda
`Notation-OCI-SHA384-ECDSA`	Notation for container registries

Specify the Signature validity period in months, days, or years. The default value is 135 months (11 years and 6 months).
In the Tags - optional section, you can create a Tag key and a Tag value, then save it with the Add tag button. When you assign tags to your signing profile, you can use tag-based resource policies to manage access to the profile.

You can assign up to 50 tags to a profile.
Choose Create profile.

CLI

This section describes the procedures and options for creating and managing signing profiles using the AWS CLI. A signing profile is a template that defines the following settings for associated signing jobs:

The signing platform that designates the file type to be signed. The following platforms are available in the AWS CLI.

API name	Display name
`AWSIoTDeviceManagement-SHA256-ECDSA`	AWS IoT Device Management SHA256-ECDSA
`AmazonFreeRTOS-Default`	Amazon FreeRTOS SHA256-ECDSA
`AmazonFreeRTOS-TI-CC3220SF`	Amazon FreeRTOS SHA1-RSA CC3220SF-Format
`AWSLambda-SHA384-ECDSA`	AWS Lambda
`Notation-OCI-SHA384-ECDSA`	Notation for container registries

For more information about the configurations and parameters that are contained in signing platforms, see SigningPlatform in the AWS Signer API Reference.

The signature format.
The signature algorithms.
The validity period of signatures. By default, signature validity is set to 135 months (11 years and 3 months), which is the maximum validity supported. The signature validity period is only applicable for AWSLambda-SHA384-ECDSA and Notation-OCI-SHA384-ECDSA signing platforms.

After you create the signing profile, you can delegate control of it using AWS Identity and Access Management (IAM). For more information about managing user permissions in AWS Signer, see Identity and Access Management for AWS Signer.

Signing profiles can be created, inspected, listed, and canceled as shown in the following examples.

put-signing-profile

This command creates and saves an AWS Signer signing profile.

Signatures generated using this platform will expire after the time specified by --signature-validity-period. This value may be specified using DAYS, MONTHS, or YEARS. If no validity period is specified, the default value is 135 months.

In this example, the specified signing platform is AWSLambda-SHA384-ECDSA.
```
$ aws signer put-signing-profile \
     --profile-name my_lambda_signing_profile \
     --platform-id AWSLambda-SHA384-ECDSA \
     --signature-validity-period value=10, type='MONTHS' 
```

get-signing-profile

This command retrieves a signing profile for inspection.


$ aws signer get-signing-profile --profile-name my_lambda_signing_profile

list-signing-profiles

This command lists the signing profiles that you own or control.
```
$ aws signer list-signing-profiles
```

cancel-signing-profile

This command deletes a signing profile.


$ aws signer cancel-signing-profile \
     --profile-name my_lambda_signing_profile \
     --profile-version profile_version \
     --reason "e2e notation testing" \
     --effective-time 1111111111

API

Signing profiles can be created, inspected, listed, and deleted using the following Signer API actions.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Set up

Set up cross-account signing