Verify image signature and skip signing if already signed

aws · Dec 20, 2023 · 176be9f · 176be9f
1 parent 773fcc9
commit 176be9f
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 11 deletions.
diff --git a/release/cli/cmd/release.go b/release/cli/cmd/release.go
@@ -194,12 +194,11 @@ var releaseCmd = &cobra.Command{
 				os.Exit(1)
 			}
 
-			// WIP[Pankti Shah]: skip image signing until we fix maximum number of artifacts issue from Public ECR
-			// err = operations.SignImagesNotation(releaseConfig, imageDigests)
-			// if err != nil {
-			// 	fmt.Printf("Error signing container images using notation CLI and AWS Signer: %v\n", err)
-			// 	os.Exit(1)
-			// }
+			err = operations.SignImagesNotation(releaseConfig, imageDigests)
+			if err != nil {
+				fmt.Printf("Error signing container images using notation CLI and AWS Signer: %v\n", err)
+				os.Exit(1)
+			}
 
 			err = operations.GenerateBundleSpec(releaseConfig, bundle, imageDigests)
 			if err != nil {

diff --git a/release/cli/pkg/operations/bundle_release.go b/release/cli/pkg/operations/bundle_release.go
@@ -17,6 +17,7 @@ package operations
 import (
 	"fmt"
 	"os/exec"
+	"strings"
 
 	"github.com/pkg/errors"
 
@@ -120,14 +121,25 @@ func SignImagesNotation(r *releasetypes.ReleaseConfig, imageDigests map[string]s
 	releaseRegistryUsername := r.ReleaseClients.ECRPublic.AuthConfig.Username
 	releaseRegistryPassword := r.ReleaseClients.ECRPublic.AuthConfig.Password
 	for image, digest := range imageDigests {
-		// Sign public ECR image using AWS signer and notation CLI
-		// notation sign <registry>/<repository>@<sha256:shasum> --plugin com.amazonaws.signer.notation.plugin --id <signer_profile_arn>
-		cmd := exec.Command("notation", "sign", fmt.Sprintf("%s@%s", image, digest), "--plugin", "com.amazonaws.signer.notation.plugin", "--id", r.AwsSignerProfileArn, "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
+		cmd := exec.Command("notation", "list", fmt.Sprintf("%s@%s", image, digest), "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
 		out, err := commandutils.ExecCommand(cmd)
-		fmt.Println(out)
 		if err != nil {
-			return fmt.Errorf("executing sigining container image with Notation CLI: %v", err)
+			return fmt.Errorf("listing signatures associated with image %s: %v", fmt.Sprintf("%s@%s", image, digest), err)
 		}
+		// Skip signing image if it is already signed.
+		if strings.Contains(out, "no associated signature") {
+			// Sign public ECR image using AWS signer and notation CLI
+			// notation sign <registry>/<repository>@<sha256:shasum> --plugin com.amazonaws.signer.notation.plugin --id <signer_profile_arn>
+			cmd := exec.Command("notation", "sign", fmt.Sprintf("%s@%s", image, digest), "--plugin", "com.amazonaws.signer.notation.plugin", "--id", r.AwsSignerProfileArn, "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
+			out, err := commandutils.ExecCommand(cmd)
+			fmt.Println(out)
+			if err != nil {
+				return fmt.Errorf("sigining container image with Notation CLI: %v", err)
+			}
+		} else {
+			fmt.Printf("skipping the image signing for image %s since it has already been signed", fmt.Sprintf("%s@%s", image, digest))
+		}
+
 	}
 	return nil
 }