AWS has released AWS Signer Container Image Signing (AWS Signer) to provide native AWS support for signing and verifying container images in registries such as Amazon Elastic Container Registry (Amazon ECR). AWS Signer manages code signing certificates, public and private keys, and provides lifecycle management tooling.
Additional features include cross-account signing, signature validity duration, and profile lifecycle management. Cross-account signing allows signing profiles to be created and managed in restricted accounts, reducing the number of individuals with those permissions; permission to sign artifacts can then be granted to other accounts as needed. AWS CloudTrail can be used to provide audit logs of signing activity in both accounts.
Signature validity periods can be used to create self-expiring profiles. When creating a signing profile, a validity period can be specified; if no validity period is provided, a default value of 135 months (the maximum value) is used.
aws signer put-signing-profile \
    --profile-name my_container_signing_profile \
    --platform-id Notation-OCI-SHA384-ECDSA \
    --signature-validity-period value=10,type=MONTHS
Profiles can also be canceled or revoked. Canceled profiles cannot be used to generate new signatures. Revoking the signing profile invalidates any signatures created after the revocation occurs. This differs from revoking an individual signature, which causes validation to fail when attempting to deploy a container signed with that signature. Note that revocation is irreversible. The following example shows using the Java SDK to revoke a signature:
package com.examples;

import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.signer.AWSSigner;
import com.amazonaws.services.signer.AWSSignerClient;
import com.amazonaws.services.signer.model.RevokeSignatureRequest;

public class RevokeSignature {
    public static void main(String[] s) {
        // Named credentials profile from the local AWS credentials file.
        String credentialsProfile = "default";
        // ID of the signing job whose signature is to be revoked (placeholder value).
        String signingJobId = "jobID";
        String revokeReason = "Reason for revocation";

        // Create a client (replace "region" with the Region of the signing profile).
        final AWSSigner client = AWSSignerClient.builder()
            .withRegion("region")
            .withCredentials(new ProfileCredentialsProvider(credentialsProfile))
            .build();

        // Revoke the signature produced by the signing job. This is irreversible.
        client.revokeSignature(new RevokeSignatureRequest()
            .withJobId(signingJobId)
            .withReason(revokeReason));
    }
}
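As an added example (not code from the article or from AWS), the validity and revocation rules described above applied as a pre-deploy gate in Python: a revoked signature always fails, an expired signature fails, and a revoked profile only invalidates signatures created after its revocation takes effect. It assumes the AWS Signer API response field names as returned by boto3 (signatureValidityPeriod, signatureExpiresAt, isRevoked, revocationRecord.revocationEffectiveFrom) and runs on constructed records only.

```python
from datetime import datetime, timezone

MAX_VALIDITY_MONTHS = 135  # AWS Signer's default and maximum validity period

def validity_in_months(period: dict) -> int:
    """Normalise a signatureValidityPeriod {value, type} to whole months
    (DAYS approximated as 30-day months, rounding down)."""
    value, unit = int(period["value"]), period["type"]
    return {"DAYS": value // 30, "MONTHS": value, "YEARS": value * 12}[unit]

def uses_max_validity(profile: dict) -> bool:
    """True when the profile kept the 135-month default, so signatures barely self-expire."""
    return validity_in_months(profile["signatureValidityPeriod"]) >= MAX_VALIDITY_MONTHS

def signature_is_acceptable(job: dict, profile: dict, now: datetime) -> tuple:
    """Return (ok, reason) for a signing job and the profile that produced it."""
    if job.get("isRevoked"):  # a revoked signature always fails validation
        return False, "signature revoked"
    expires = job.get("signatureExpiresAt")  # set from the profile's validity period
    if expires is not None and expires <= now:
        return False, "signature expired"
    if profile.get("status") == "Revoked":
        # Profile revocation only invalidates signatures created from the
        # effective date onwards; earlier signatures stay valid.
        effective = profile.get("revocationRecord", {}).get("revocationEffectiveFrom")
        if effective is None or job["createdAt"] >= effective:
            return False, "signed after profile revocation"
    # A Canceled profile only blocks new signatures, so existing ones pass here.
    return True, "valid"

# Constructed sample records (not real AWS output), shaped like
# describe_signing_job() and get_signing_profile() responses (assumed field names).
UTC = timezone.utc
PROFILE = {
    "profileName": "my_container_signing_profile",
    "status": "Revoked",
    "signatureValidityPeriod": {"value": 10, "type": "MONTHS"},
    "revocationRecord": {"revocationEffectiveFrom": datetime(2024, 5, 1, tzinfo=UTC)},
}
JOB_BEFORE = {"jobId": "job-before", "isRevoked": False,
              "createdAt": datetime(2024, 3, 1, tzinfo=UTC),
              "signatureExpiresAt": datetime(2025, 1, 1, tzinfo=UTC)}
JOB_AFTER = {"jobId": "job-after", "isRevoked": False,
             "createdAt": datetime(2024, 5, 15, tzinfo=UTC),
             "signatureExpiresAt": datetime(2025, 3, 15, tzinfo=UTC)}
NOW = datetime(2024, 6, 1, tzinfo=UTC)  # fixed evaluation time for the demo

if __name__ == "__main__":
    for job in (JOB_BEFORE, JOB_AFTER):
        print(job["jobId"], signature_is_acceptable(job, PROFILE, NOW))
```

With live data, feed the gate the describe_signing_job and get_signing_profile responses for the image's signing job before the deployment step runs.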
AWS Signer is integrated with Notation, an open-source Cloud Native Computing Foundation (CNCF) Notary project. As described on the Notation GitHub page, Notation can be viewed as providing "similar security to checking git commit signatures, although the signatures are generic and can be used for additional purposes". Notation makes use of Open Containers Initiative (OCI) distribution features to store signatures and artifacts in the registry with their associated images.
AWS Signer also integrates with AWS Lambda. This enables workflows in which signed code packages are generated and then verified by AWS Lambda before deployment. The workflow requires the creation of source and destination S3 buckets. AWS Signer then pulls code packages from the source bucket, signs them, and deposits the signed packages in the destination bucket.
More details about AWS Signer can be found in the release blog post. At the time of writing, AWS Signer can be used with AWS Lambda, Amazon FreeRTOS, AWS IoT Device Management, Amazon ECR, Amazon EKS, AWS Certificate Manager, and CloudTrail. A list of supported regions is available within the AWS documentation.