Before you begin signing, you need to set up an environment that bridges AWS Signer with Amazon ECR. Complete the following steps.
To prepare your signing environment
-
Prepare the AWS CLI
Install and configure the latest version of the AWS CLI. For more information, see Installing or updating the latest version of the AWS CLI in the AWS Command Line Interface User Guide.
-
Prepare Amazon ECR
Have an existing container image stored in an Amazon ECR private repository to sign. For more information, see Pushing an image in the Amazon Elastic Container Registry User Guide.
-
Download the container-signing tools
Two software packages need to be installed in your local environment for you to sign images:
-
The open source supply chain security program Notation, developed by the Notary Project
-
The AWS Signer plugin for Notation. You can either use our plugin binary, or our open source library.
The AWS Signer installer installs both the Notation client and the AWS Signer plugin for Notation. Separate binaries are available to install only the AWS Signer plugin.
The installer includes the following.
-
Notation binary and third party license.
-
AWS Signer plugin binary and third party license.
-
Notation license.
-
Trust store set up with AWS Signer's Notation signing root certificate
. -
GovCloud trust store and root certificate
, for use in the AWS GovCloud (US) Region. -
A configurable trust policy. For information about configuring the trust policy, see Locally verify an image after signing.
The following table provides the installer and related files for each supported operating system and architecture. You can download our latest CHANGELOG
to see the versions of the Notation CLI and plugin included in each installer release. Notation binary and AWS Signer Plugin installer files Platform
Architecture
Installer for Notation and AWS Signer plugin
AWS Signer plugin binary only
Signature file
RPM-based Linux (e.g., Amazon Linux)
x86_64
aws-signer-notation-cli_amd64.rpm aws-signer-notation-cli_amd64.rpm.sig
(installer) notation-aws-signer-plugin.sig
(plugin) arm64
aws-signer-notation-cli_arm64.rpm.sig
(installer) notation-aws-signer-plugin.sig
(plugin) Debian-based Linux
x86_64
aws-signer-notation-cli_amd64.deb.sig
(installer) notation-aws-signer-plugin.sig
(plugin) arm64
aws-signer-notation-cli_arm64.deb.sig
notation-aws-signer-plugin.sig
(plugin) macOS
x86_64
aws-signer-notation-cli_amd64.pkg Included in the files. arm64
Included in the files. Microsoft Windows
x86_64
Validate in Explorer -
-
(Optional) Verify signed packages.
For instructions to complete this step, select the tab for your platform.
-
Download the public key.
$
wget https://d2hvyiie56hcat.cloudfront.net/linux/public.key -
Import the public key into your keyring. If you're using the unzip the AWS Signer plugin, first unzip downloaded file and then run command against the binary file within the zip file.
$
gpg --import public.key gpg: key A3B52DA65461CF90: public key "AWS Signer Notation" imported gpg: Total number processed: 1 gpg: imported: 1Make a note of the key value, as you need it in the next step. In the preceding example, the key value is
A3B52DA65461CF90
. -
Verify the fingerprint by running the following command, replacing key-value with the value from the preceding step:
$
gpg --fingerprint key-value pub rsa3072 2023-04-24 [SC] E84A F8A2 A9B5 2F1F 4435 AE71 A3B5 2DA6 5461 CF90 uid [ unknown] AWS Signer NotationThe fingerprint string should be
E84A F8A2 A9B5 2F1F 4435 AE71 A3B5 2DA6 5461 CF90
.If the fingerprint string doesn't match, don't run the installer. Contact Amazon Web Services.
After you have verified the fingerprint, you can use it to verify the signature of the AWS Signer Notation package.
-
Download the package signature file using wget. To determine the correct signature file, see the preceding table.
$
wget signature-file-link -
To verify the signature, run gpg --verify:
$
gpg --verify sig-filename downloaded-filename gpg: Signature made Mon May 22 16:16:34 2023 PDT gpg: using RSA key A3B52DA65461CF90 gpg: Good signature from "AWS Signer Notation" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: E84A F8A2 A9B5 2F1F 4435 AE71 A3B5 2DA6 5461 CF90If the output includes the phrase BAD signature, check whether you performed the procedure correctly. If you continue to get this response, contact Amazon Web Services and avoid using the downloaded file.
Note the warning about trust. A key is trusted only if you or someone who you trust has signed it. This doesn't mean that the signature is invalid, only that you have not verified the public key.
-
Install the packages
For instructions to complete this step, select the tab for your platform.
If you downloaded an RPM package on a Linux server, change to the directory containing the package and enter the following:
$
sudo rpm -Ufilename
-
Verify the package installation
After downloading and installing the package, to verify the installation was successful, do the following.
-
Verify that the Notation directory structure for your operating system was created.
-
Use the following command to display the Notation client version.
notation version
-
Use the following command to list the installed plugins for the Notation client and verify that you see the
com.amazonaws.signer.notation.plugin
plugin.notation plugin ls
-
Required AWS Identity and Access Management permissions to sign and verify a container image
To sign and verify an image present in Amazon Elastic Container Registry, you need an AWS Identity and Access Management policy that allows Notation to interact with Amazon ECR and Signer.
The following is an example of a user managed policy that allows Notation to interact with Amazon ECR and Signer:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid":"ManageRepositoryContents",
"Effect":"Allow",
"Action":[
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeRepositories",
"ecr:UploadLayerPart",
"ecr:InitiateLayerUpload",
"ecr:BatchCheckLayerAvailability",
"ecr:PutImage"
],
"Resource":"arn:aws:ecr:us-east-1:111122223333:repository/my-repo
"
},
{
"Sid":"GetAuthorizationToken",
"Effect":"Allow",
"Action":[
"ecr:GetAuthorizationToken"
],
"Resource":"*"
},
{
"Sid": "SignAndRevocationCheck",
"Effect": "Allow",
"Action": [
"signer:PutSigningProfile",
"signer:SignPayload",
"signer:GetRevocationStatus"
],
"Resource": "*"
}
}