AWS Signer

2023/06/06 - AWS Signer - 2 new api methods

Changes: AWS Signer is launching Container Image Signing, a new feature that enables you to sign and verify container images. This feature enables you to validate that only container images you approve are used in your enterprise.

GetRevocationStatus (new)

Retrieves the revocation status of one or more of the following: a signing profile, a signing job, and a signing certificate.

See also: AWS API Documentation

Request Syntax

client.get_revocation_status(
    signatureTimestamp=datetime(2015, 1, 1),
    platformId='string',
    profileVersionArn='string',
    jobArn='string',
    certificateHashes=[
        'string',
    ]
)
type signatureTimestamp:

datetime

param signatureTimestamp:

[REQUIRED]

The timestamp of the signature that validates the profile or job.

type platformId:

string

param platformId:

[REQUIRED]

The ID of a signing platform.

type profileVersionArn:

string

param profileVersionArn:

[REQUIRED]

The version of a signing profile.

type jobArn:

string

param jobArn:

[REQUIRED]

The ARN of a signing job.

type certificateHashes:

list

param certificateHashes:

[REQUIRED]

A list of composite signed hashes that identify certificates.

A certificate identifier consists of a subject certificate TBS hash (signed by the parent CA) combined with a parent CA TBS hash (signed by the parent CA’s CA). Root certificates are defined as their own CA.

  • (string) --

rtype:

dict

returns:

Response Syntax

{
    'revokedEntities': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • revokedEntities (list) --

      A list of revoked entities (including one or more of the signing profile ARN, signing job ID, and certificate hash) supplied as input to the API.

      • (string) --

SignPayload (new)

Signs a binary payload and returns a signature envelope.

See also: AWS API Documentation

Request Syntax

client.sign_payload(
    profileName='string',
    profileOwner='string',
    payload=b'bytes',
    payloadFormat='string'
)
type profileName:

string

param profileName:

[REQUIRED]

The name of the signing profile.

type profileOwner:

string

param profileOwner:

The AWS account ID of the profile owner.

type payload:

bytes

param payload:

[REQUIRED]

Specifies the object digest (hash) to sign.

type payloadFormat:

string

param payloadFormat:

[REQUIRED]

The payload content type.

rtype:

dict

returns:

Response Syntax

{
    'jobId': 'string',
    'jobOwner': 'string',
    'metadata': {
        'string': 'string'
    },
    'signature': b'bytes'
}

Response Structure

  • (dict) --

    • jobId (string) --

      Unique identifier of the signing job.

    • jobOwner (string) --

      The AWS account ID of the job owner.

    • metadata (dict) --

      Information including the signing profile ARN and the signing job ID. Clients attach metadata to signature records, for example, as annotations added to the signature manifest inside an OCI registry.

      • (string) --

        • (string) --

    • signature (bytes) --

      A cryptographic signature.
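
The two calls above are meant to be used together: SignPayload produces a signature plus the metadata that identifies the profile and job, and GetRevocationStatus is what a verifier asks before trusting that signature later. The following Python is an added example, not AWS or boto3 code: it uses a constructed stand-in client (StubSignerClient) that mirrors the request parameters and response shapes documented on this page but performs no real signing and contacts no service. The ARN formats, metadata key names, platform ID and payload format string are constructed placeholders; in production the stand-in is replaced by boto3.client("signer") and the real values come from your account.

```python
import hashlib
from datetime import datetime, timezone


class StubSignerClient:
    """Constructed stand-in for boto3's Signer client (assumption: same
    keyword arguments and response keys as documented on this page)."""

    def __init__(self, account_id, revoked_entities=()):
        self.account_id = account_id
        self._revoked = set(revoked_entities)  # ARNs / cert hashes marked revoked
        self._next_job = 0

    def sign_payload(self, profileName, payload, payloadFormat, profileOwner=None):
        if not isinstance(payload, bytes):
            raise TypeError("payload must be bytes: the object digest to sign")
        self._next_job += 1
        job_id = f"job-{self._next_job:04d}"  # constructed identifier
        # Constructed ARN shapes; real ARNs are returned by the service.
        profile_arn = (f"arn:aws:signer:us-east-1:{self.account_id}"
                       f":/signing-profiles/{profileName}")
        job_arn = f"arn:aws:signer:us-east-1:{self.account_id}:/signing-jobs/{job_id}"
        # Fake signature so the flow runs offline; not a real cryptographic signature.
        signature = hashlib.sha256(payload + job_id.encode()).digest()
        return {
            "jobId": job_id,
            "jobOwner": profileOwner or self.account_id,
            # The page says metadata carries the profile ARN and job ID;
            # these key names are constructed, not the service's real keys.
            "metadata": {"x-profile-arn": profile_arn, "x-job-id": job_id,
                         "x-job-arn": job_arn},
            "signature": signature,
        }

    def get_revocation_status(self, signatureTimestamp, platformId,
                              profileVersionArn, jobArn, certificateHashes):
        queried = {profileVersionArn, jobArn, *certificateHashes}
        return {"revokedEntities": sorted(queried & self._revoked)}


def digest_for_signing(artifact: bytes) -> bytes:
    # SignPayload takes the object digest (hash), not the object itself.
    return hashlib.sha256(artifact).digest()


def sign_artifact(client, profile_name, artifact, payload_format):
    resp = client.sign_payload(
        profileName=profile_name,
        payload=digest_for_signing(artifact),
        payloadFormat=payload_format,
    )
    # Keep the signature with its metadata and a timestamp: the verifier
    # needs all three to query revocation status later.
    return {
        "signature": resp["signature"],
        "jobId": resp["jobId"],
        "jobOwner": resp["jobOwner"],
        "metadata": dict(resp["metadata"]),
        "signedAt": datetime.now(timezone.utc),
    }


def revocation_check(client, platform_id, profile_version_arn, job_arn,
                     certificate_hashes, signed_at):
    """Return (trusted, revoked_entities). Fails closed: one revoked
    profile, job or certificate rejects the signature, even if the
    signature bytes themselves still verify."""
    resp = client.get_revocation_status(
        signatureTimestamp=signed_at,
        platformId=platform_id,
        profileVersionArn=profile_version_arn,
        jobArn=job_arn,
        certificateHashes=list(certificate_hashes),
    )
    revoked = list(resp["revokedEntities"])
    return (len(revoked) == 0, revoked)


if __name__ == "__main__":
    client = StubSignerClient("123456789012")
    # Constructed artifact and payload format string.
    record = sign_artifact(client, "ContainerImages",
                           b"constructed image manifest bytes",
                           "application/vnd.example.payload")
    ok, revoked = revocation_check(
        client, "example-platform-id",
        record["metadata"]["x-profile-arn"], record["metadata"]["x-job-arn"],
        ["constructed-cert-hash-1"], record["signedAt"])
    print("trusted" if ok else f"rejected, revoked: {revoked}")
```

The point of the second function is the fail-closed decision: a signature that still verifies cryptographically is not sufficient on its own, because the profile, the job or a certificate in the chain may have been revoked after signing, and only GetRevocationStatus can tell the verifier that.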