
OCI signing

In order to do OCI signing, the following actions/configurations are required:

  • A product is created with a configuration which supports OCI signing.
    • The public key can be retrieved from the product information for client-side usage (e.g., signature verification).
  • The artifact to be signed has been pushed to ECR and its URI is available. Not covered in this document.
  • An imagesigning request is created with the relevant product info and the artifact URI.
    • The necessary approvals are in place.
  • Contact support@laavat.io to enable this feature.

Product configuration

When the product is created it must contain a productConfigItem (RegistryURL) describing the AWS ECR URI, and the desired product operation (operationType SignOCI) with the relevant access groups. Select the key size accordingly.

Example of product:

{
    "name": "OCI SIGN",
    "description": "Product OCI signing",
    "productType": "Product",
    "enabled": true,
    "caInfo": [],
    "rndKeys": [],
    "productOperations": [
            {
                "name": "OCI sign",
                "description": "OCI signing",
                "operationType": "SignOCI",
                "token":{
                        "name": "Key for ocisigning",
                        "description": "HSM token for ocisigning",
                        "keyType": "RSA4096"
                    },
                "approvalRule": {
                    "name": "Test rule",
                    "description": "Rule used for testing",
                    "allowedGroups": ["b716abb1-2e3b-47a9-bca5-a3669faa50a6"],
                    "approvalGroups": ["b716abb1-2e3b-47a9-bca5-a3669faa50a6","f65a3ea9-60db-47a4-9ad8-c6915735ec5f"],
                    "blanketGroups": []
                }
            }
        ],
    "productConfigItems": [
        {
            "name": "RegistryURL",
            "value": "example.dkr.ecr.eu-west-1.amazonaws.com"
        }
    ]
}

OCI Signing

Signing itself works the same way as e.g., digest signing, but in this case there is no need to upload anything to S3. The signing request only takes the artifact URI, Base64 encoded, as an artifactURI entry in optionalParameters.

E.g.: 656666598317.dkr.ecr.eu-west-1.amazonaws.com/test@sha256:3fbc632167424a6d997e74f52b878d7cc478225cffac6bc977eedfe51c7f4e79 is encoded to NjU2NjY2NTk4MzE3LmRrci5lY3IuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vdGVzdEBzaGEyNTY6M2ZiYzYzMjE2NzQyNGE2ZDk5N2U3NGY1MmI4NzhkN2NjNDc4MjI1Y2ZmYWM2YmM5NzdlZWRmZTUxYzdmNGU3OQo=

Note that this example value ends in OQo=, i.e., it was produced with echo without -n and decodes to the URI followed by a newline. Encode with printf '%s' "$URI" | base64 (or echo -n) so that the decoded value is exactly the URI and nothing else.

The domain of the artifact URI must match the RegistryURL value in the product's productConfigItems; otherwise the request is denied. (The product example above uses example.dkr.ecr.eu-west-1.amazonaws.com while the signing examples use 656666598317.dkr.ecr.eu-west-1.amazonaws.com; in a real deployment these must be the same registry.)

Then the actual signing request (using e.g., curl) is:

echo '{"name": "NAME", "idProductOperation": "'$PRODUCTOPER'", "description": "Normal product oci signing ", "payload": {"name": "OCI sign request","metadata": [{"name": "Version", "value": "v1.0"}, {"name": "Date", "value":"today"}],"optionalParameters": [{"artifactURI": "NjU2NjY2NTk4MzE3LmRrci5lY3IuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vdGVzdEBzaGEyNTY6M2ZiYzYzMjE2NzQyNGE2ZDk5N2U3NGY1MmI4NzhkN2NjNDc4MjI1Y2ZmYWM2YmM5NzdlZWRmZTUxYzdmNGU3OQo"}]},"productId": "'$PRODUCTID'"}' \
  | curl -sS -X POST $TLS \
      -H "accept: application/json" -H "${CONTENTTYPE}" \
      -H "Authorization: Bearer ${TOKEN}" \
      -d @- "$HOSTPATH/imagesignings"

PRODUCTOPER (the product operation id) and PRODUCTID are taken from the created product. The remaining shell variables (TLS, CONTENTTYPE, HOSTPATH, TOKEN) hold the curl TLS options, the Content-Type header, the API base path and the bearer token.

Once the signing request is approved (or auto-approved, depending on the approval rule) the status can be checked as with other signings. Status 16 means the OCI signing was successful and the signature has been pushed to ECR.

Limitations

Currently only one username/password is supported per domain.

Example usage with reference client package: OCI signing

Generate the artifact URI (registry/repository@digest) for the desired image in AWS ECR

example: 656666598317.dkr.ecr.eu-west-1.amazonaws.com/test@sha256:3fbc632167424a6d997e74f52b878d7cc478225cffac6bc977eedfe51c7f4e79

Base64 encode the URI (without a trailing newline)

example: NjU2NjY2NTk4MzE3LmRrci5lY3IuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vdGVzdEBzaGEyNTY6M2ZiYzYzMjE2NzQyNGE2ZDk5N2U3NGY1MmI4NzhkN2NjNDc4MjI1Y2ZmYWM2YmM5NzdlZWRmZTUxYzdmNGU3OQo=

Make the signing request for a product which supports this operation.

(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning add SignOCI \
     -P e1ec8ea5-b569-4da7-8a70-6eb910dad8ac --operid b4f4c9e4-cbd2-4073-820c-9d553a957e54 -A NjU2NjY2NTk4MzE3LmRrci5lY3IuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vdGVzdEBzaGEyNTY6M2ZiYzYzMjE2NzQyNGE2ZDk5N2U3NGY1MmI4NzhkN2NjNDc4MjI1Y2ZmYWM2YmM5NzdlZWRmZTUxYzdmNGU3OQo=

Approve the request if needed, using the id received from the previous call.

(venv) $ ./signing-tool.py -c -t $APPROVERTOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning approve \
    -I a83081a6-1d3b-4117-a81b-0ebcfcf0669c

Check the status of the operation after approval.

(venv) $ ./signing-tool.py -c -t $TOKEN -a https://app.laavat.io/<CustomerName>/api/v1 imagesigning get \
    -I a83081a6-1d3b-4117-a81b-0ebcfcf0669c
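The same steps done programmatically, as an added example that is not part of this page or of the Laavat reference client: parse the artifact URI, check its registry domain against the product's RegistryURL before the service does, Base64 encode it without a trailing newline, and build the request body in the shape of the curl example above. The product config and URIs below are constructed sample data (the RegistryURL is set to the registry of the page's example URI so the two match); requiring a sha256 digest rather than a mutable tag is a client-side policy added here, not a rule stated on the page.

```python
import base64
import json
import re

# Constructed sample product config: RegistryURL set to the registry of the example URI.
SAMPLE_PRODUCT_CONFIG_ITEMS = [
    {"name": "RegistryURL", "value": "656666598317.dkr.ecr.eu-west-1.amazonaws.com"}
]

# <domain>/<repo>@sha256:<64 hex>; tags (repo:tag) are rejected so only immutable
# digest references are signed (added policy, see lead-in).
ARTIFACT_URI_RE = re.compile(
    r"^(?P<domain>[^/@]+)/(?P<repo>[^@:]+)@sha256:(?P<digest>[0-9a-f]{64})$"
)


def registry_url(product_config_items):
    """Return the RegistryURL value from a product's productConfigItems."""
    for item in product_config_items:
        if item["name"] == "RegistryURL":
            return item["value"]
    raise ValueError("product has no RegistryURL productConfigItem")


def parse_artifact_uri(uri):
    """Split an artifact URI into (domain, repo, digest); reject tags and bad digests."""
    m = ARTIFACT_URI_RE.match(uri)
    if not m:
        raise ValueError(f"artifact URI must be <domain>/<repo>@sha256:<64 hex>: {uri!r}")
    return m.group("domain"), m.group("repo"), m.group("digest")


def encode_artifact_uri(uri, product_config_items):
    """Check the URI's registry against RegistryURL and return it Base64 encoded.

    The service denies a domain mismatch, so fail early on the client. Encoding the
    bare string (no newline) avoids the 'OQo=' tail that `echo | base64` produces.
    """
    domain, _, _ = parse_artifact_uri(uri)
    expected = registry_url(product_config_items)
    if domain != expected:
        raise ValueError(f"registry {domain!r} does not match RegistryURL {expected!r}")
    return base64.b64encode(uri.encode("ascii")).decode("ascii")


def decode_artifact_uri(b64):
    """Decode an artifactURI value (missing '=' padding restored) and refuse values
    that carry leading/trailing whitespace such as an encoded newline."""
    padded = b64 + "=" * (-len(b64) % 4)
    uri = base64.b64decode(padded, validate=True).decode("ascii")
    if uri != uri.strip():
        raise ValueError("encoded artifact URI has surrounding whitespace (use echo -n / printf)")
    return uri


def build_imagesigning_request(name, product_id, product_operation_id, artifact_uri,
                               product_config_items, metadata=None):
    """Build the JSON body POSTed to /imagesignings, mirroring the page's curl example."""
    return {
        "name": name,
        "idProductOperation": product_operation_id,
        "description": "Normal product oci signing",
        "payload": {
            "name": "OCI sign request",
            "metadata": metadata or [],
            "optionalParameters": [
                {"artifactURI": encode_artifact_uri(artifact_uri, product_config_items)}
            ],
        },
        "productId": product_id,
    }


if __name__ == "__main__":
    # Hypothetical ids; in practice PRODUCTID and PRODUCTOPER come from the created product.
    uri = ("656666598317.dkr.ecr.eu-west-1.amazonaws.com/test@sha256:"
           "3fbc632167424a6d997e74f52b878d7cc478225cffac6bc977eedfe51c7f4e79")
    body = build_imagesigning_request(
        "NAME", "PRODUCTID", "PRODUCTOPER", uri, SAMPLE_PRODUCT_CONFIG_ITEMS,
        metadata=[{"name": "Version", "value": "v1.0"}],
    )
    print(json.dumps(body, indent=2))
```

The body printed by the script is what the curl example pipes into `/imagesignings`; the decode helper is the check to run on a value copied from elsewhere before submitting it.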