Image Signing Support in ECR

[DrFaust92]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
Support for storing image signatures in ECR.

Which service(s) is this request for?
Storing container image signatures in ECR, verification of signatures in ECS/EKS.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
Notary V1 is the currently available community-supported tool that would allow for signing and verifying OCI/Docker images, but it requires standing up a separate service and a lot of heavy lifting that each customer must do to setup and maintain.

Are you currently working around this issue?
N/A

Additional context

Update from ECR team (10/14):

We are actively working on adding support for container image signing in ECR. To deliver this feature, AWS is participating in two parallel open source efforts to deliver support for storing signatures (and other related artifacts) in an OCI registry and performing signature validation in a container orchestrator so we can launch a solution that will be compatible across container orchestrators and OCI registries.

• To enable the storage and discovery of “reference artifacts”, such as signatures, in an OCI registry, we are working with the ORAS project to define a new specification for OCI Artifacts. Last month, we were excited to announce an initial draft release for that project!
• We are also participating in the design and development of Notary V2, to define industry standards for signing and validating images that can be implemented in the tools used to build images today and container orchestrators like EKS & ECS.

We will update this issue when we reach key milestones, but for an up to date picture of our progress, please take a look at the respective projects. We’re always looking for feedback and collaborators, so join us in the oras-project/artifacts-spec & notaryproject/notaryproject repositories!

[jtoberon]

Thanks for feedback, @DrFaust92. We've started to discuss how we want this to work for our customers. It's a surprisingly complicated topic though, so we don't have a proposal to share yet. We're going to leave this open as a placeholder.

[DrFaust92]

Any update on this?

[omerfsen]

Would be great to see it on AWS ECR. Also I think until it is out we can run our own notary server and then after signing docker image via Notary then push it to ECR

[jmb12686]

Any update or insight into the status of this for ECS? Image SHA tracking was announced for ECS https://aws.amazon.com/about-aws/whats-new/2019/10/amazon-ecs-now-supports-ecs-image-sha-tracking/ , however it's not clear if this fulfills the trusted content requirement.

[omieomye]

Update: as part of a broader community 'Notary v2' initiative, ECR will participate and contribute with a view to apply that specification to our effort tracked by this issue. Its an open group with multiple cloud and on-premise vendors working together, with the kickoff meeting held on 12/12 here in Seattle.

[jmb12686]

@omieomye , Thank you for providing an update and transparency into the current state of container signing within the broader community. Aside from listening to the kick-off meeting, how can users get involved in the discussion?

[jtoberon]

Call in details for the OCI weekly meeting is available here: https://github.com/opencontainers/org. You also can join the relevant IRC and Slack channels, which are linked from the same github page.

[jonassteinberg1]

Am I correct in thinking that notary cannot be used with ecr still?

[chrisdipesa]

Yup. https://awscloudcontainersconference.splashthat.com/ Everyone should attend this event.

Security Best Practices with Amazon ECR
Omar Paul, Sr Product Manager, ECR

We have questions for Omar!

[omieomye]

Our progress on Notary is tracked by this issue, and we're actively participating towards a Notary v2 specification. On the summit presentation, I would love to get feedback what the ECR community wants us to tackle. Tweet or DM @omieomye and we'll go from there.

[w8mej]

Currently slated 2021 with Notary v2 per Omar's presentation linked by @chrisdipesa above. Are there any other compensating controls one could perform to meet this need until 2021?