This repository contains the implementation of the Alibaba Cloud Secret Manager signing plugin for Notation. This project is still in early development status.
Note The Notary Project documentation is available here. You can also find the Notary Project README to learn about the overall Notary Project.
This document demonstrates how to sign and verify an OCI artifact with Alibaba Cloud Secret Manager plugin for Notation.
| Capability | Compatibility |
|---|---|
| keySpec | RSA-2048, RSA-3072, EC-256 |
| hashAlgorithm | SHA-256 |
| signingAlgorithm | RSASSA-PSS-SHA-256, ECDSA-SHA-256 |
| pluginCapability | SIGNATURE_GENERATOR.RAW, SIGNATURE_VERIFIER.TRUSTED_IDENTITY, SIGNATURE_VERIFIER.REVOCATION_CHECK |
| signingScheme | notary.x509 |
The following summarizes the steps to configure the notation-alibabacloud-secret-manager plugin and sign and verify a container image. The following steps are based off of the Notation hello-signing example.
-
Install notation CLI. Version v1.1.1 has been tested. Note that
make installcreates the plugin directory structure based on a MacOS environment. Update the Makefile based on your OS. It then copies the plugin to the appropriate location based on the notation plugin directory structure spec. -
This plugin leverages the KMS Instance SDK, which means you'll need to meet the pre-requisites and customize the environment as follows:
| Env | Description |
|---|---|
| ALIBABA_CLOUD_ACCESS_KEY_ID | Alibaba Cloud Account Access Key ID |
| ALIBABA_CLOUD_ACCESS_KEY_SECRET | Alibaba Cloud Account Secret Access Key |
| ALIBABA_CLOUD_KMS_INSTANCE_ENDPOINT | VPC Endpoint of the Dedicated KMS Instance, for example, kst-hzxxxxxxxxxx.cryptoservice.kms.aliyuncs.com |
| ALIBABA_CLOUD_KMS_CLIENTKEY_FILEPATH | Local File Path of the ClientKey Credential for the Dedicated KMS Instance Application Access Point (AAP) |
| ALIBABA_CLOUD_KMS_PASSWORD | Password for the Dedicated KMS Instance Application Access Point (AAP) |
| ALIBABA_CLOUD_KMS_CA_FILEPATH | Local Path of the CA Certificate for the Dedicated KMS Instance |
Note: the notation-alibabacloud-secret-manager plugin supports various Credential configuration methods. For more details, please refer to credentials
Install the notation-alibabacloud-secret-manager plugin for remote signing and verification, using the notation plugin install command:
git clone
cd notation-alibabacloud-secret-manager
make buildA user can bring their own private key and certificate. As a quick start, this tutorial is using openssl to generate a private key and a certificate
-
Create an asymmetric key in KMS console, please refer to step1
-
Download a wrapping public key and an import token, please refer to step2
-
Use the wrapping public key to encrypt key material, please refer to step3
-
Import key material, please refer to step4
-
Create an x509 certificate based on the private key TakPrivPkcs1.pem from step 3 above and the server_cert configuration in openssl.cnf.
){kind=link}
openssl req -x509 -new -nodes -key TakPrivPkcs1.pem -sha256 -days 3650 -out sign.crt -config openssl.cnf -extensions server_certNow we've done all the configurations. Let's sign an artifact using Notation. (If you haven't done so, download notation from here.)
notation sign --id <keyId> --plugin alibabacloud.secretmanager.plugin <myRegistry>/<myRepo>@<digest> --plugin-config ca_certs=<certPath>Note: the --id should be identical to your specific key id in Alibaba Cloud KMS Service instance and the ca_certs in --plugin-config should be identical to the file path of the x509 certificate generated in step 5 above.
- Configure trust store.
where
./notation cert add -t ca -s myStore "{path-to-cert}/sign.crt"sign.crtis the cert generated in the previous step. - Configure the trust policy.
cat <<EOF > ./trustpolicy.json { "version": "1.0", "trustPolicies": [ { "name": "acr-hangzhou-images", "registryScopes": [ "<myRegistry>/<myRepo>" ], "signatureVerification": { "level" : "strict" }, "trustStores": [ "ca:ack.notation" ], "trustedIdentities": [ "*" ] } ] } EOF
./notation policy import ./trustpolicy.json
- Verify the artifact
./notation verify <myRegistry>/<myRepo>@<digest> -v