Setup a GitHub Action for signing container images with Notary
Josh Duffney
Posted on November 2, 2022
In this article, you'll configure a GitHub Action to digitally sign container images hosted on Azure Container Registry with Notary.
"GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline". You'll use it to automate the process of building, signing, and pushing a Docker image to Azure Container Registry.
Create GitHub Action Secrets
A GitHub Action Secret allows you to securely pass a value to the GitHub Action runner, which prevents sensitive data from being displayed in the build logs. You'll create several GitHub Action Secrets to securely pass your Azure and Notation credentials to your workflow.
1. Click Settings on the repository
2. Select Secrets, then Actions
3. Click New repository secret
4. Enter the secret name and value
5. Click Add secret

Repeat steps 3-5 for each secret listed below.
Name | Value |
---|---|
AZURE_CREDENTIALS | JSON object of the Azure Service Principal output from the `az ad sp create-for-rbac` command |
NOTATION_USERNAME | Name of the Azure Container Registry token |
NOTATION_PASSWORD | Password of the Azure Container Registry token |
TIP: In case you didn't save the JSON output, rerunning the `az ad sp create-for-rbac` command will reset the password of the service principal and generate a new JSON object.
Update the GitHub Workflow
With the Azure infrastructure deployed and your GitHub Actions secrets configured, the last thing you have to do is update the GitHub workflow file.
1. Open the GitHub workflow file located at `.github/workflows/docker-image.yml`.
2. Replace all values from the table below with the appropriate information.
3. Issue the `git add`, `git commit`, and `git push` commands to push your changes to GitHub.
Placeholder | Description | AzCli command |
---|---|---|
`<registry-name>` | Name of the Azure Container Registry | `az acr list --query '[].name' -o tsv` |
`<key-name>` | Name of the signing certificate | `az keyvault certificate list --vault-name $vaultName --query '[].name' -o tsv` |
`<certificate-key-id>` | Key Id of the Azure Key Vault certificate | `az keyvault certificate show --name example --vault-name $vaultName --query kid -o tsv` |

Replace `$vaultName` with the name of your Azure Key Vault instance.
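Before pushing the edited workflow, it is worth checking that every placeholder from the table was replaced and that no credential was pasted in as a literal instead of a `${{ secrets.* }}` reference, since a literal would land in the repository history. The script below is an added example, not code from the article or its repository; it assumes the workflow path given above and the three secret names from the earlier table, and it flags any leftover `<...>` placeholder, not only the three listed.

```python
"""Pre-push check for .github/workflows/docker-image.yml (added example, not
the article's code): reports a table placeholder that is still present, a
required secret that is never referenced, or a credential written as a literal."""
import re
import sys
from pathlib import Path

WORKFLOW_PATH = Path(".github/workflows/docker-image.yml")  # path from the article
REQUIRED_SECRETS = ("AZURE_CREDENTIALS", "NOTATION_USERNAME", "NOTATION_PASSWORD")
PLACEHOLDER = re.compile(r"<[a-z][a-z-]*>")  # e.g. <registry-name>
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Keys whose value must be a ${{ secrets.* }} reference, never a literal.
CREDENTIAL_KEY = re.compile(r"^\s*(?:creds|username|password)\s*:\s*(.+)$", re.M)


def check_workflow(text: str) -> list[str]:
    """Return a list of findings; an empty list means the file is ready to push."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in PLACEHOLDER.finditer(line):
            findings.append(f"line {n}: placeholder {m.group(0)} not replaced")
    referenced = set(SECRET_REF.findall(text))
    for name in REQUIRED_SECRETS:
        if name not in referenced:
            findings.append(f"secret {name} is never referenced")
    for m in CREDENTIAL_KEY.finditer(text):
        if not SECRET_REF.search(m.group(1)):
            findings.append(f"credential literal: {m.group(0).strip()}")
    return findings


# Constructed sample: registry placeholder left in, password pasted as a literal.
SAMPLE_WORKFLOW = """\
name: docker-image
on: [push]
jobs:
  build-sign-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - uses: docker/login-action@v2
        with:
          registry: <registry-name>.azurecr.io
          username: ${{ secrets.NOTATION_USERNAME }}
          password: hunter2
"""

if __name__ == "__main__":
    text = WORKFLOW_PATH.read_text() if WORKFLOW_PATH.exists() else SAMPLE_WORKFLOW
    problems = check_workflow(text)
    print("\n".join(problems) or "workflow looks ready to push")
    sys.exit(1 if problems else 0)
```

Run it from the repository root after step 2; a non-zero exit means something in the table was missed.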
Confirm the container image was signed
Congratulations! 🎉 You've made it to the end of the tutorial.
Your final tasks are to confirm the workflow executed properly and that there is a digital signature attached to the container image hosted on Azure Container Registry.
View the GitHub workflow run
- To confirm your workflow executed properly, open the repository on GitHub and click the Actions tab. You should see a workflow run that is green.
- Click to expand the steps within the workflow and examine the actions taken to sign the container image.
Confirm the digital signature exists
- Open the Azure portal by going to portal.azure.com
- Navigate to your Azure Container Registry instance
- Under Services, select Repositories
- Select the web-app-sample repository
- Select the most recent tag
- Click the Artifact tab
- Confirm cncf.notary.v2.signature exists on the artifact