diff --git a/release/cli/cmd/release.go b/release/cli/cmd/release.go
index d937e3022952..b754b5dab537 100644
--- a/release/cli/cmd/release.go
+++ b/release/cli/cmd/release.go
@@ -194,12 +194,11 @@ var releaseCmd = &cobra.Command{
 os.Exit(1)
 }
- // WIP[Pankti Shah]: skip image signing until we fix maximum number of artifacts issue from Public ECR
- // err = operations.SignImagesNotation(releaseConfig, imageDigests)
- // if err != nil {
- // fmt.Printf("Error signing container images using notation CLI and AWS Signer: %v\n", err)
- // os.Exit(1)
- // }
+ err = operations.SignImagesNotation(releaseConfig, imageDigests)
+ if err != nil {
+ fmt.Printf("Error signing container images using notation CLI and AWS Signer: %v\n", err)
+ os.Exit(1)
+ }
 err = operations.GenerateBundleSpec(releaseConfig, bundle, imageDigests)
 if err != nil {
diff --git a/release/cli/pkg/operations/bundle_release.go b/release/cli/pkg/operations/bundle_release.go
index c74e4ad1aeb5..980331879eb9 100644
--- a/release/cli/pkg/operations/bundle_release.go
+++ b/release/cli/pkg/operations/bundle_release.go
@@ -17,6 +17,7 @@ package operations
 import (
 "fmt"
 "os/exec"
+ "strings"
 "github.com/pkg/errors"
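Review bot: Nothing at the re-enabled call in release/cli/cmd/release.go records why signing has to run before `operations.GenerateBundleSpec`, and the removed WIP comment was the only explanation in the visible lines. A short comment such as `// Sign images first so a signing failure aborts the release before the bundle spec is generated.` would keep the ordering from being rearranged later. The enclosing command function starts and ends outside the hunk.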
@@ -120,14 +121,25 @@ func SignImagesNotation(r *releasetypes.ReleaseConfig, imageDigests map[string]s
 releaseRegistryUsername := r.ReleaseClients.ECRPublic.AuthConfig.Username
 releaseRegistryPassword := r.ReleaseClients.ECRPublic.AuthConfig.Password
 for image, digest := range imageDigests {
- // Sign public ECR image using AWS signer and notation CLI
- // notation sign /@ --plugin com.amazonaws.signer.notation.plugin --id
- cmd := exec.Command("notation", "sign", fmt.Sprintf("%s@%s", image, digest), "--plugin", "com.amazonaws.signer.notation.plugin", "--id", r.AwsSignerProfileArn, "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
+ cmd := exec.Command("notation", "list", fmt.Sprintf("%s@%s", image, digest), "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
 out, err := commandutils.ExecCommand(cmd)
- fmt.Println(out)
 if err != nil {
- return fmt.Errorf("executing sigining container image with Notation CLI: %v", err)
+ return fmt.Errorf("listing signatures associated with image %s: %v", fmt.Sprintf("%s@%s", image, digest), err)
 }
+ // Skip signing image if it is already signed.
+ if strings.Contains(out, "no associated signature") {
+ // Sign public ECR image using AWS signer and notation CLI
+ // notation sign /@ --plugin com.amazonaws.signer.notation.plugin --id
+ cmd := exec.Command("notation", "sign", fmt.Sprintf("%s@%s", image, digest), "--plugin", "com.amazonaws.signer.notation.plugin", "--id", r.AwsSignerProfileArn, "-u", releaseRegistryUsername, "-p", releaseRegistryPassword)
+ out, err := commandutils.ExecCommand(cmd)
+ fmt.Println(out)
+ if err != nil {
+ return fmt.Errorf("sigining container image with Notation CLI: %v", err)
+ }
+ } else {
+ fmt.Printf("skipping the image signing for image %s since it has already been signed", fmt.Sprintf("%s@%s", image, digest))
+ }
+
 }
 return nil
 }
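Review bot: The skip branch fails open: signing is skipped whenever the `notation list` output lacks the exact phrase `no associated signature`, so a reworded CLI message or warning-only output would release an image unsigned without any error. `notation list` only enumerates attached signature artifacts and does not validate them, so "already signed" here does not mean signed with `r.AwsSignerProfileArn`; skip only on a positive match and return an error for anything else, as sketched below (confirm the artifact-type string against the pinned CLI version), and consider `notation verify` under a trust policy pinned to the release signer as the stronger check. Both `exec.Command` calls also place the registry password on argv via `-p`, where it is visible in the process list; notation falls back to `NOTATION_USERNAME`/`NOTATION_PASSWORD`, so supplying them through `cmd.Env` keeps it off the command line. The skip message is missing its trailing `\n`, and `SignImagesNotation` begins above the hunk.

```go
ref := fmt.Sprintf("%s@%s", image, digest)
// … unchanged: notation list invocation and its error check (can reuse ref) …
switch {
case strings.Contains(out, "no associated signature"):
	// … unchanged: notation sign invocation and its error check …
case strings.Contains(out, "application/vnd.cncf.notary.signature"):
	// A signature artifact is attached; this alone does not prove who produced it.
	fmt.Printf("skipping the image signing for image %s since it has already been signed\n", ref)
default:
	// Fail closed: output matching neither state must not be read as "already signed".
	return fmt.Errorf("unexpected notation list output for image %s: %q", ref, out)
}
```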