Revocation of a signature becomes necessary when the signing certificate is compromised in some way, for example, if the secret key is publicly disclosed. Revoking the signature of an AWS Lambda deployment package invalidates it, causing it to fail Lambda signature checks in all Regions of the same partition. Revoking the signature of a container image causes validation to fail if you attempt to deploy the image.
Note
Revocation is an irreversible action and is recommended only for critical scenarios. Revocation checks are valid for six months beyond the expiry of a signature. Expired signatures will fail on expiry checks instead.
You can revoke individual signatures either by using the RevokeSignature API or by selecting a signing job in the AWS Signer console.
You can revoke a signing profile by using the RevokeSigningProfile API or by selecting and revoking a signing profile in the AWS Signer console. Once revoked, a signing profile can no longer be used for creating new signing jobs.
Revocation for a signing profile requires an effective start time in the past. The start time cannot be in the future. The effective start time can be changed to an earlier date and time by repeating the revocation, but cannot be revised to a later date and time.
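The following is an added example, not code from the AWS Signer documentation or SDK. It models the revocation rules stated above (revoked signatures fail checks, expired signatures fail on expiry instead, revocation checks stay available for six months past expiry, and a profile's effective revocation time must be in the past and can only be moved earlier) and wraps the RevokeSignature and RevokeSigningProfile calls so those rules are enforced client-side before a request is sent. The boto3 `signer` method names and keyword parameters, the 183-day approximation of six months, and the reading that a profile revocation distrusts signatures produced at or after `effectiveTime` are assumptions; the client is injected so the example runs offline against a fake, and `boto3.client("signer")` would be passed in real use.

```python
"""Added example (not AWS code): a model of AWS Signer revocation rules plus
thin wrappers around RevokeSignature / RevokeSigningProfile.

Assumptions not taken from the page: the boto3 'signer' method names and
parameters (revoke_signature(jobId, reason, jobOwner) and
revoke_signing_profile(profileName, profileVersion, reason, effectiveTime)),
the 183-day approximation of six months, and the reading that a profile
revocation distrusts signatures created at or after effectiveTime.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Revocation checks remain valid for six months beyond signature expiry.
REVOCATION_CHECK_GRACE = timedelta(days=183)  # assumption: six months ~ 183 days


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware UTC timestamp helper for the constructed samples."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def validate_effective_time(effective_time: datetime, now: datetime,
                            previous_effective_time: Optional[datetime] = None) -> datetime:
    """Enforce the effectiveTime rules: never in the future, and a repeated
    revocation may only move the time earlier, never later."""
    if effective_time.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    if effective_time > now:
        raise ValueError("effectiveTime must be in the past")
    if previous_effective_time is not None and effective_time > previous_effective_time:
        raise ValueError("a repeated revocation may only move effectiveTime earlier")
    return effective_time


def revocation_check_available(expires_at: datetime, now: datetime) -> bool:
    """True while a revocation check for this signature is still valid."""
    return now <= expires_at + REVOCATION_CHECK_GRACE


def signature_status(signed_at: datetime, expires_at: datetime, now: datetime,
                     signature_revoked: bool = False,
                     profile_revoked_from: Optional[datetime] = None) -> str:
    """What a verifier concludes: 'expired' (fails the expiry check),
    'revoked' (fails the revocation check), or 'valid'."""
    if now > expires_at:
        return "expired"  # expired signatures fail on expiry checks instead
    if signature_revoked:
        return "revoked"
    if profile_revoked_from is not None and signed_at >= profile_revoked_from:
        return "revoked"  # assumption: profile revocation covers jobs from effectiveTime on
    return "valid"


def revoke_signature(client, job_id: str, reason: str, job_owner: Optional[str] = None) -> dict:
    """Revoke a single signature (one signing job) via RevokeSignature."""
    params = {"jobId": job_id, "reason": reason}
    if job_owner:
        params["jobOwner"] = job_owner
    return client.revoke_signature(**params)


def revoke_signing_profile(client, profile_name: str, profile_version: str, reason: str,
                           effective_time: datetime, now: Optional[datetime] = None,
                           previous_effective_time: Optional[datetime] = None) -> dict:
    """Revoke a signing profile via RevokeSigningProfile after validating
    effectiveTime locally, so a request the service would reject never leaves
    the client (revocation is irreversible, so fail early on bad input)."""
    now = now or datetime.now(timezone.utc)
    validate_effective_time(effective_time, now, previous_effective_time)
    return client.revoke_signing_profile(profileName=profile_name, profileVersion=profile_version,
                                         reason=reason, effectiveTime=effective_time)


class FakeSignerClient:
    """Offline stand-in for boto3.client('signer') that records the calls made."""
    def __init__(self):
        self.calls = []

    def revoke_signature(self, **kwargs):
        self.calls.append(("RevokeSignature", kwargs))
        return {}

    def revoke_signing_profile(self, **kwargs):
        self.calls.append(("RevokeSigningProfile", kwargs))
        return {}


if __name__ == "__main__":
    # Constructed sample timeline: a key disclosure is discovered on 2024-05-20.
    now, leak_time = utc(2024, 6, 1), utc(2024, 5, 20)
    client = FakeSignerClient()
    revoke_signing_profile(client, "prod-lambda-profile", "AbCdEf12",
                           "signing key publicly disclosed", leak_time, now=now)
    print(client.calls[-1])
    expiry = utc(2025, 5, 10)
    print(signature_status(utc(2024, 5, 10), expiry, now, profile_revoked_from=leak_time))
    print(signature_status(utc(2024, 5, 25), expiry, now, profile_revoked_from=leak_time))
```

In use, the `previous_effective_time` argument would be filled from the profile's current revocation record before repeating a revocation, which is the only way to catch an attempt to move the time later before the irreversible call is made.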