Prerequisites for signing container images
Before you begin signing, you need to set up an environment that bridges AWS Signer with Amazon ECR. Complete the following steps.
To prepare your signing environment
- Prepare the AWS CLI
Install and configure the latest version of the AWS CLI. For more information, see Installing or updating the latest version of the AWS CLI in the AWS Command Line Interface User Guide.
- Prepare Amazon ECR
Have an existing container image stored in an Amazon ECR private repository to sign. For more information, see Pushing an image in the Amazon Elastic Container Registry User Guide.
- Download the container-signing tools
Two software packages need to be installed in your local environment for you to sign images:
- The AWS Signer plugin for Notation
- Notation, the open source supply chain security program developed by the Notary Project
AWS Signer provides an installer that installs both the AWS Signer plugin for Notation and the Notation client. Separate installers are available for the AWS Signer plugin alone and for the combined AWS Signer plugin with the Notation binary.
The installer includes the following:
- Notation binary and third-party license.
- AWS Signer plugin binary and third-party license.
- Notation license.
- Trust store and root certificate.
- GovCloud trust store and root certificate, for use in the AWS GovCloud (US) Region.
- A configurable trust policy. For information about configuring the trust policy, see Verify an image locally after signing.
The following lists the installer and related files for each supported operating system and architecture. You can download our latest CHANGELOG to see the versions of the Notation CLI and plugin included in each installer release.

Notation binary and AWS Signer plugin installer files

RPM-based Linux (e.g., Amazon Linux), x86_64
- Installer for Notation and AWS Signer plugin: aws-signer-notation-cli_amd64.rpm
- Signature files: aws-signer-notation-cli_amd64.rpm.sig (installer), notation-aws-signer-plugin.sig (plugin)

RPM-based Linux (e.g., Amazon Linux), arm64
- Signature files: aws-signer-notation-cli_arm64.rpm.sig (installer), notation-aws-signer-plugin.sig (plugin)

Debian-based Linux, x86_64
- Signature files: aws-signer-notation-cli_amd64.deb.sig (installer), notation-aws-signer-plugin.sig (plugin)

Debian-based Linux, arm64
- Signature files: aws-signer-notation-cli_arm64.deb.sig (installer), notation-aws-signer-plugin.sig (plugin)

macOS, x86_64
- Installer for Notation and AWS Signer plugin: aws-signer-notation-cli_amd64.pkg
- Signature file: included in the files.

macOS, arm64
- Signature file: included in the files.

Microsoft Windows, x86_64
- Signature file: validate in Explorer.

To download the required files to a Linux or macOS environment, you can use wget:

$ wget download-link

On a Windows environment, you can use curl:

C:\> curl -UseBasicParsing download-link -o [filename].msi
- (Optional) Verify signed packages.
For instructions to complete this step, select the tab for your platform.
- Install the packages
For instructions to complete this step, select the tab for your platform.
- Verify the package installation
After downloading and installing the package, verify that the installation was successful as follows.
- Verify that the Notation directory structure for your operating system was created.
- Use the following command to display the Notation client version.
notation version
- Use the following command to list the installed plugins for the Notation client and verify that you see the com.amazonaws.signer.notation.plugin plugin.
notation plugin ls
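The verification steps above, wrapped in a POSIX shell script as an added example (not from the AWS documentation or the Notation project): it checks that the Notation binary is on PATH, that the configuration directory exists, and that the AWS Signer plugin appears in the plugin listing. The plugin name comes from this page; the configuration-directory paths and the `check-notation.sh run` invocation are assumptions.

```shell
#!/bin/sh
# Added example, not AWS or Notation project code. Post-install check for the
# Notation client and the AWS Signer plugin. Only the plugin name is taken
# from the documentation; directory paths are assumed Notation defaults.
set -u

PLUGIN_NAME="com.amazonaws.signer.notation.plugin"

# plugin_listed LISTING
# Returns 0 when the AWS Signer plugin name is the first column of some line
# in the text produced by `notation plugin ls`, 1 otherwise. Takes the listing
# as an argument so it can be exercised without Notation installed.
plugin_listed() {
    printf '%s\n' "$1" | awk -v name="$PLUGIN_NAME" \
        '$1 == name { found = 1 } END { exit !found }'
}

# notation_config_dir
# Echoes where Notation keeps its trust store and trust policy (assumed
# defaults: Application Support on macOS, XDG config dir elsewhere).
notation_config_dir() {
    case "$(uname -s)" in
        Darwin) printf '%s\n' "$HOME/Library/Application Support/notation" ;;
        *)      printf '%s\n' "${XDG_CONFIG_HOME:-$HOME/.config}/notation" ;;
    esac
}

# check_installation
# Runs the three verification steps; prints one line per check and returns
# non-zero if any of them fails.
check_installation() {
    status=0
    if command -v notation >/dev/null 2>&1; then
        echo "ok   notation client: $(notation version 2>&1 | grep -i version | head -n 1)"
    else
        echo "FAIL notation binary not found on PATH"; status=1
    fi
    dir="$(notation_config_dir)"
    if [ -d "$dir" ]; then
        echo "ok   config directory present: $dir"
    else
        echo "FAIL config directory missing: $dir"; status=1
    fi
    if command -v notation >/dev/null 2>&1 && plugin_listed "$(notation plugin ls 2>&1)"; then
        echo "ok   plugin installed: $PLUGIN_NAME"
    else
        echo "FAIL plugin not listed: $PLUGIN_NAME"; status=1
    fi
    return $status
}

# Run the checks only when invoked as `sh check-notation.sh run`.
case "${1:-}" in run) check_installation ;; esac
```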