Notation is an open source tool developed by the Notary Project that supports signing and verifying container images and other artifacts. The AWS Signer Notation plugin allows users of Notation (the notation CLI and notation-go) to sign and verify artifacts (such as container images) using AWS Signer. AWS Signer is a fully managed code-signing service that ensures the trust and integrity of your code. AWS Signer manages the code-signing certificates, secures private keys, and handles key rotation without requiring users to take any action.
The plugin is compliant with the Notary Project specification. It uses the AWS Signer SignPayload API for signing and the GetRevocationStatus API for signature verification.
To use the AWS Signer Notation plugin:
- Notation CLI - Refer to the AWS Signer documentation for guidance on signing and verifying OCI artifacts.
- notation-go library - You can use this plugin as a library with notation-go, eliminating the need to invoke the plugin executable. Refer to the provided examples for how to use the plugin as a library with notation-go.
To build the plugin from source:
- Install go. For more information, refer to the go documentation.
- The plugin uses go modules for dependency management. For more information, refer to the go modules documentation.
- Run `make build` to build the AWS Signer Notation plugin.
- Upon completion of the build process, the plugin executable will be created at `build/bin/notation-com.amazonaws.signer.notation.plugin`.
Now you can use this plugin executable with the notation CLI by running the following command:

```shell
notation plugin install --file ./build/bin/notation-com.amazonaws.signer.notation.plugin
```
The following make targets are available. Each may be run with `make <target>`.
Make Target | Description
---|---
`help` | Shows available make targets
`build` | Builds the plugin executable for the current environment (e.g. Linux, Darwin or Windows)
`test` | Runs all the unit tests using `go test`
`generate-mocks` | Generates the mocks required for the unit tests
`clean` | Removes build artifacts and auto-generated mocks
To report a potential security issue, please do not create a new Issue in the repository. Instead, report it using the instructions here or email AWS security directly.
This project is licensed under the Apache-2.0 License.