AWS Signer

2023/06/06 - AWS Signer - 2 new api methods

Changes: AWS Signer is launching Container Image Signing, a new feature that enables you to sign and verify container images. This feature enables you to validate that only container images you approve are used in your enterprise.

SignPayload (new)

Signs a binary payload and returns a signature envelope.

See also: AWS API Documentation

Request Syntax

client.sign_payload(
    profileName='string',
    profileOwner='string',
    payload=b'bytes',
    payloadFormat='string'
)

Parameters

  • profileName (string) --

    [REQUIRED]

    The name of the signing profile.

  • profileOwner (string) --

    The AWS account ID of the profile owner.

  • payload (bytes) --

    [REQUIRED]

    Specifies the object digest (hash) to sign.

  • payloadFormat (string) --

    [REQUIRED]

    Payload content type.

Return type: dict

Returns:

Response Syntax

{
    'jobId': 'string',
    'jobOwner': 'string',
    'metadata': {
        'string': 'string'
    },
    'signature': b'bytes'
}

Response Structure

  • (dict) --

    • jobId (string) --

      Unique identifier of the signing job.

    • jobOwner (string) --

      The AWS account ID of the job owner.

    • metadata (dict) --

      Information including the signing profile ARN and the signing job ID. Clients add this metadata to signature records, for example as annotations added to the signature manifest inside an OCI registry.

      • (string) --

        • (string) --

    • signature (bytes) --

      A cryptographic signature.

GetRevocationStatus (new)

Retrieves the revocation status of one or more of the signing profile, signing job, and signing certificate.

See also: AWS API Documentation

Request Syntax

client.get_revocation_status(
    signatureTimestamp=datetime(2015, 1, 1),
    platformId='string',
    profileVersionArn='string',
    jobArn='string',
    certificateHashes=[
        'string',
    ]
)

Parameters

  • signatureTimestamp (datetime) --

    [REQUIRED]

    The timestamp of the signature that validates the profile or job.

  • platformId (string) --

    [REQUIRED]

    The ID of a signing platform.

  • profileVersionArn (string) --

    [REQUIRED]

    The version of a signing profile.

  • jobArn (string) --

    [REQUIRED]

    The ARN of a signing job.

  • certificateHashes (list) --

    [REQUIRED]

    A list of composite signed hashes that identify certificates.

    A certificate identifier consists of a subject certificate TBS hash (signed by the parent CA) combined with a parent CA TBS hash (signed by the parent CA’s CA). Root certificates are defined as their own CA.

    • (string) --

Return type: dict

Returns:

Response Syntax

{
    'revokedEntities': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • revokedEntities (list) --

      A list of revoked entities (including one or more of the signing profile ARN, signing job ID, and certificate hash) supplied as input to the API.

      • (string) --
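
One way a verifier can consume GetRevocationStatus and fail closed, shown as an added example that is not part of the AWS documentation. `check_revocation`, `StubSignerClient` and every value in `SAMPLE` are constructed for illustration, and deriving the job ID from the last segment of the job ARN is an assumption.

```python
from datetime import datetime, timezone

def check_revocation(client, *, signature_timestamp, platform_id,
                     profile_version_arn, job_arn, certificate_hashes):
    """Call GetRevocationStatus and map each revoked entity back to its input."""
    if signature_timestamp.tzinfo is None:
        # Require an explicit timezone so the instant being checked is unambiguous.
        raise ValueError("signature_timestamp must be timezone-aware")
    hashes = list(certificate_hashes)
    resp = client.get_revocation_status(
        signatureTimestamp=signature_timestamp,
        platformId=platform_id,
        profileVersionArn=profile_version_arn,
        jobArn=job_arn,
        certificateHashes=hashes,
    )
    revoked = resp.get("revokedEntities", [])
    # The request takes a job ARN but the response may name the job by ID.
    # Assumption: the job ID is the last "/"-separated segment of the ARN.
    job_id = job_arn.rsplit("/", 1)[-1]
    report = {"profile": False, "job": False, "certificates": [], "unrecognized": []}
    for entity in revoked:
        if entity == profile_version_arn:
            report["profile"] = True
        elif entity in (job_arn, job_id):
            report["job"] = True
        elif entity in hashes:
            report["certificates"].append(entity)
        else:
            # Fail closed: an entity that cannot be mapped still blocks trust.
            report["unrecognized"].append(entity)
    report["trusted"] = not revoked
    return report

class StubSignerClient:
    # Constructed stand-in for a Signer client so the example runs offline.
    def __init__(self, revoked_entities):
        self.revoked_entities = revoked_entities
    def get_revocation_status(self, **kwargs):
        return {"revokedEntities": list(self.revoked_entities)}

# Constructed sample values (placeholders, not real resources).
SAMPLE = dict(
    signature_timestamp=datetime(2023, 6, 6, tzinfo=timezone.utc),
    platform_id="EXAMPLE-PLATFORM-ID",
    profile_version_arn="arn:aws:signer:us-west-2:111122223333:/signing-profiles/example_profile/EXAMPLEVER",
    job_arn="arn:aws:signer:us-west-2:111122223333:/signing-jobs/example-job-id",
    certificate_hashes=["EXAMPLE-CERT-HASH-LEAF", "EXAMPLE-CERT-HASH-ROOT"],
)
```

With a real account, pass `boto3.client("signer")` in place of the stub and reject the image whenever `trusted` is false.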