
Signing an image stored in an Amazon ECR private repository

Amazon ECR integrates with Amazon Signer to provide a way for you to sign your container images. You can store both your container images and the signatures in your private repositories.

Considerations

The following should be considered when using Amazon ECR image signing.

  • Signatures stored in your repository count against the service quota for the maximum number of images per repository. For more information, see Amazon ECR service quotas.

  • When using Amazon ECR lifecycle policies, any action by a rule to expire or delete an OCI image index will result in Amazon ECR deleting any signatures referenced by that image index within 24 hours.

Prerequisites

Before you begin, the following prerequisites must be met.

Configure authentication for the Notary client

Before you can create a signature using the Notation CLI, you must configure the client so it can authenticate to Amazon ECR. If you have Docker installed on the same host where you install the Notation client, then Notation reuses the same authentication method you use for the Docker client. The Docker login and logout commands allow the Notation sign and verify commands to use those same credentials, so you don't have to separately authenticate Notation. For more information on configuring your Notation client for authentication, see Authenticate with OCI-compliant registries in the Notary Project documentation.

If you are not using Docker or another tool that uses Docker credentials, then we recommend using the Amazon ECR Docker Credential Helper as your credential store. For more information on how to install and configure the Amazon ECR Credential Helper, see Amazon ECR Docker Credential Helper.

Signing an image

The following steps can be used to create the resources necessary to sign a container image and store the signature in an Amazon ECR private repository. Notation signs images using the digest.

To sign an image
  1. Create an Amazon Signer signing profile using the Notation-OCI-SHA384-ECDSA signing platform. You can optionally specify a signature validity period using the --signature-validity-period parameter. This value may be specified using DAYS, MONTHS, or YEARS. If no validity period is specified, the default value of 135 months is used.

    aws signer put-signing-profile --profile-name ecr_signing_profile --platform-id Notation-OCI-SHA384-ECDSA
    Note

    The signing profile name only supports alphanumeric characters and the underscore (_).

  2. Authenticate the Notation client to your default registry. The following example uses the Amazon CLI to authenticate the Notation CLI to an Amazon ECR private registry.

    aws ecr get-login-password --region region | notation login --username AWS --password-stdin 111122223333.dkr.ecr.region.amazonaws.com
  3. Use the Notation CLI to sign the image, specifying the image using the repository name and the SHA digest. This creates the signature and pushes it to the same Amazon ECR private repository that the image being signed is in.

    In the following example, we are signing an image in the curl repository with SHA digest sha256:ca78e5f730f9a789ef8c63bb55275ac12dfb9e8099e6EXAMPLE.

    notation sign 111122223333.dkr.ecr.region.amazonaws.com/curl@sha256:ca78e5f730f9a789ef8c63bb55275ac12dfb9e8099e6EXAMPLE --plugin "com.amazonaws.signer.notation.plugin" --id "arn:aws:signer:region:111122223333:/signing-profiles/ecrSigningProfileName"
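    The three steps above wrapped into a reusable script, added here as an example and not taken from the Amazon ECR documentation. It resolves a tag to its digest before signing (Notation signs the digest, not the tag), rejects profile names the Note above disallows, and builds the signing profile ARN; the account ID, Region, repository, tag and the 12-month validity period are placeholder values.

```shell
#!/usr/bin/env bash
# Added example: sign an ECR image by digest with Amazon Signer through Notation.
# Assumes the AWS CLI, the Notation CLI and the Signer Notation plugin are installed
# and that the caller has ECR and Signer permissions. All IDs below are placeholders.
set -eu

# Step 1 guard: the Note says profile names allow only alphanumerics and underscore.
valid_profile_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the signing profile ARN that 'notation sign --id' expects.
signing_profile_arn() {
  printf 'arn:aws:signer:%s:%s:/signing-profiles/%s\n' "$1" "$2" "$3"
}

# Resolve a tag to its sha256 digest and refuse anything else, so a mutable tag is
# never passed to 'notation sign' by accident.
image_digest() {
  digest=$(aws ecr describe-images --region "$1" --repository-name "$2" \
             --image-ids imageTag="$3" --query 'imageDetails[0].imageDigest' --output text)
  case "$digest" in
    sha256:[0-9a-f]*) printf '%s\n' "$digest" ;;
    *) echo "could not resolve digest for $2:$3" >&2; return 1 ;;
  esac
}

# Usage: sign_image <region> <account-id> <repository> <tag> <profile-name>
sign_image() {
  region="$1"; account="$2"; repo="$3"; tag="$4"; profile="$5"
  valid_profile_name "$profile" || { echo "invalid profile name: $profile" >&2; return 1; }
  registry="$account.dkr.ecr.$region.amazonaws.com"
  # Step 1: create the signing profile (12-month validity is a placeholder choice).
  aws signer put-signing-profile --profile-name "$profile" \
    --platform-id Notation-OCI-SHA384-ECDSA --signature-validity-period value=12,type=MONTHS
  # Step 2: authenticate Notation to the private registry.
  aws ecr get-login-password --region "$region" \
    | notation login --username AWS --password-stdin "$registry"
  # Step 3: sign the image by digest; the signature is pushed to the same repository.
  digest=$(image_digest "$region" "$repo" "$tag")
  notation sign "$registry/$repo@$digest" \
    --plugin com.amazonaws.signer.notation.plugin \
    --id "$(signing_profile_arn "$region" "$account" "$profile")"
}
```

Call it as `sign_image region 111122223333 curl latest ecr_signing_profile` after replacing the placeholders with your own values.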

Next steps

After you sign your container image, you can verify the signature locally. For instructions about verifying an image, see Verify an image locally after signing in the Amazon Signer Developer Guide.