Setup a GitHub Action for signing container images with Notary

joshduffney

Josh Duffney

Posted on November 2, 2022


In this article, you'll configure a GitHub Action to digitally sign container images hosted on Azure Container Registry with Notary.

"GitHub Actions is a continuous integration and continuous delivery (CI/CD) platform that allows you to automate your build, test, and deployment pipeline". You'll use it to automate the process of building, signing, and pushing a Docker image to Azure Container Registry.

Create GitHub Action Secrets

A GitHub Action Secret lets you pass a value to the GitHub Actions runner without that value ever appearing in the build logs. You'll create several secrets to pass your Azure and Notation credentials to your workflow.

  1. Click Settings on the repository
  2. Select Secrets, then Actions
  3. Click New repository secret
  4. Enter the secret name and value
  5. Click Add secret

Repeat steps 3-5 for each of the secrets listed below.

| Name | Value |
| --- | --- |
| AZURE_CREDENTIALS | JSON object of the Azure Service Principal output from the az ad sp create-for-rbac command |
| NOTATION_USERNAME | Name of the Azure Container Registry token |
| NOTATION_PASSWORD | Password of the Azure Container Registry token |

TIP
In case you didn't save the JSON output, rerunning the az ad sp create-for-rbac command will reset the password of the service principal and generate a new JSON object.

Update the GitHub Workflow

With the Azure infrastructure deployed and your GitHub Actions secrets configured, the last thing you have to do is update the GitHub workflow file.

  1. Open the GitHub workflow file located at .github/workflows/docker-image.yml.
  2. Replace all placeholders from the table below with the appropriate information.
  3. Issue the git add, git commit, and git push commands to push your changes to GitHub.

| Placeholder | Description | Azure CLI command |
| --- | --- | --- |
| `<registry-name>` | Name of the Azure Container Registry | `az acr list --query '[].name' -o tsv` |
| `<key-name>` | Name of the signing certificate | `az keyvault certificate list --vault-name $vaultName --query '[].name' -o tsv` |
| `<certificate-key-id>` | Key Id of the Azure Key Vault certificate | `az keyvault certificate show --name example --vault-name $vaultName --query kid -o tsv` |

Replace $vaultName with the name of your Azure Key Vault instance.
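To make the shape of that workflow concrete, here is an added example of a minimal docker-image.yml using the same three placeholders and the secrets created above. It is not the workflow from the post's repository; it assumes the actions/checkout, azure/login and docker/build-push-action actions, that the notation CLI and its azure-kv plugin are already installed on the runner by an earlier step (not shown), and the flag syntax of notation's `key add` and `sign` commands, which you should check against your installed version.

```yaml
name: Build, push and sign with Notation

on:
  push:
    branches: [main]

env:
  REGISTRY_NAME: <registry-name>               # placeholder from the table above
  REGISTRY: <registry-name>.azurecr.io         # ACR login server
  IMAGE: web-app-sample
  KEY_NAME: <key-name>                         # placeholder: Key Vault certificate name
  KEY_ID: <certificate-key-id>                 # placeholder: Key Vault key id (kid)

jobs:
  build-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Service principal JSON stored as the AZURE_CREDENTIALS secret
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Log in to Azure Container Registry
        run: az acr login --name "$REGISTRY_NAME"

      - name: Build and push the image
        id: build
        uses: docker/build-push-action@v3
        with:
          context: .
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE }}:${{ github.sha }}

      # Assumes notation and the azure-kv plugin were installed in an earlier step.
      # NOTATION_USERNAME / NOTATION_PASSWORD are read by notation to authenticate
      # to the registry with the ACR token created earlier.
      - name: Register the Key Vault key and sign the image
        env:
          NOTATION_USERNAME: ${{ secrets.NOTATION_USERNAME }}
          NOTATION_PASSWORD: ${{ secrets.NOTATION_PASSWORD }}
        run: |
          notation key add --plugin azure-kv --id "$KEY_ID" "$KEY_NAME"
          # Sign the immutable digest returned by the build step, not the mutable tag
          notation sign --key "$KEY_NAME" "$REGISTRY/$IMAGE@${{ steps.build.outputs.digest }}"
```

Signing by digest ties the signature to the exact bytes that were pushed, so a later re-tag cannot silently move the signature to a different image.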

Confirm the container image was signed

Congratulations! 🎉 You've made it to the end of the tutorial.

Your final tasks are to confirm the workflow executed properly and that there is a digital signature attached to the container image hosted on Azure Container Registry.

View the GitHub workflow run

  1. To confirm your workflow executed properly, open the repository on GitHub and click the Actions tab. You should see a workflow run that is green.
  2. Click to expand the steps within the workflow and examine the actions taken to sign the container image.

Confirm the digital signature exists

  1. Open the Azure portal by going to portal.azure.com
  2. Navigate to your Azure Container Registry instance
  3. Under Services, select Repositories
  4. Select the web-app-sample repository
  5. Select the most recent tag
  6. Click the Artifact tab
  7. Confirm cncf.notary.v2.signature exists on the artifact