Create a Signer signing profile - AWS Signer

Create a Signer signing profile

Before you can perform signing jobs, you must create a signing profile. A signing profile is unique AWS Signer resource that you can use to perform signing jobs. Signing profiles enable you to sign and verify code artifacts, such as container images and AWS Lambda deployment bundles. Each signing profile designates the signing platform to sign for, a platform ID, and other platform-specific information.

You can create, list, and cancel signing profiles using the Signer console, AWS CLI, or API. Signer manages the code signing certificate and keys associated for only AWS Lambda and Container images workflows. For Internet of Things (IoT) workflows, you can import your own code signing certificate into AWS Certificate Manager.

Console

This section describes the procedures and options for creating a signing profile from the AWS console.

To create a signing profile

  1. Log into the AWS Signer console.

  2. Choose Create signing profile.

  3. On the Create signing profile page, provide a unique Profile name for your signing profile. Valid characters include uppercase A-Z, lowercase a-z, numbers 0-9, and underscore (_).

  4. For Signing platform, choose one of the listed platforms.

    API name Display name

    AWSLambda-SHA384-ECDSA

    		 AWS Lambda

    Notation-OCI-SHA384-ECDSA

    Notation for container registries

  5. Specify the Signature validity period in months, days, or years. The default value is 135 months (11 years and 6 months).

  6. In the Tags - optional section, you can create a Tag key and a Tag value, then save it with the Add tag button. When you assign tags to your signing profile, you can use tag-based resource policies to manage access to the profile.

    You can assign up to 50 tags to a profile.

  7. Choose Create profile.

CLI

This section describes the procedures and options for creating and managing signing profiles using the AWS CLI. A signing profile is a template that defines the following settings for associated signing jobs:

  • The signing platform that designates the file type to be signed. The following platforms are available in the AWS CLI.

    API name Display name

    AWSIoTDeviceManagement-SHA256-ECDSA

    AWS IoT Device Management SHA256-ECDSA

    AmazonFreeRTOS-Default

    Amazon FreeRTOS SHA256-ECDSA

    AmazonFreeRTOS-TI-CC3220SF

    Amazon FreeRTOS SHA1-RSA CC3220SF-Format

    AWSLambda-SHA384-ECDSA

    AWS Lambda

    Notation-OCI-SHA384-ECDSA

    Notation for container registries

    For more information about the configurations and parameters that are contained in signing platforms, see SigningPlatform in the AWS Signer API Reference.

  • The signature format.

  • The signature algorithms.

  • The validity period of signatures. By default, signature validity is set to 135 months (11 years and 3 months), which is the maximum validity supported. The signature validity period is only applicable for AWSLambda-SHA384-ECDSA and Notation-OCI-SHA384-ECDSA signing platforms.

After you create the signing profile, you can delegate control of it using AWS Identity and Access Management (IAM). For more information about managing user permissions in AWS Signer, see Identity and Access Management for AWS Signer.

Signing profiles can be created, inspected, listed, and canceled as shown in the following examples.

  • put-signing-profile

    This command creates and saves an AWS Signer signing profile.

    Signatures generated using this platform will expire after the time specified by --signature-validity-period. This value may be specified using DAYS, MONTHS, or YEARS. If no validity period is specified, the default value is 135 months.

    In this example, the specified signing platform is AWSLambda-SHA384-ECDSA.

    $ aws signer put-signing-profile \
     --profile-name my_lambda_signing_profile \
     --platform-id AWSLambda-SHA384-ECDSA \
     --signature-validity-period value=10, type='MONTHS'

  • get-signing-profile

    This command retrieves a signing profile for inspection.

    $ aws signer get-signing-profile --profile-name my_lambda_signing_profile

  • list-signing-profiles

    This command lists the signing profiles that you own or control.

    $ aws signer list-signing-profiles

  • cancel-signing-profile

    This command deletes a signing profile.

    $ aws signer cancel-signing-profile \
     --profile-name my_lambda_signing_profile \
     --profile-version profile_version \
     --reason "e2e notation testing" \
     --effective-time 1111111111
API

Signing profiles can be created, inspected, listed, and deleted using the following Signer API actions.