Notation Signature Media Type Not Supported
Overview
My company is attempting to implement image signing using AWS Signer via Notation. Provenance and SBOM types were supported and their attachment to the image via oras was permitted. The error occurred when trying to sign the image itself. The media type is not supported. After verifying the list of supported types, the decision was made to upload to ECR before signing. Support for signing an image in Gitlab's registry is still desired.
Code:
```yaml
.notation-install: &notation-install
  # jq is needed by the credHelpers edits below and is not in the base image
  - yum update -y && yum install -y wget jq docker amazon-ecr-credential-helper python 2>/dev/null
  - wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/rpm/latest/aws-signer-notation-cli_amd64.rpm -O aws-signer-notation.rpm
  - rpm -U aws-signer-notation.rpm
  - notation plugin list | grep -q signer || { echo "Signer plugin not found"; exit 1; }
  # Route ECR logins through the credential helper; the private registry host is
  # passed with --arg so the shell variables expand (they would not inside the jq
  # single-quoted program)
  - jq '.credHelpers."public.ecr.aws" = "ecr-login"' "$HOME/.docker/config.json" > temp.json
  - jq --arg host "${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com" '.credHelpers[$host] = "ecr-login"' temp.json > temp2.json
  - mv temp2.json "$HOME/.docker/config.json"

.oras_install: &oras_install
  - |
    OS="$(uname -s | tr A-Z a-z)"
    ARCH=$(uname -m | sed -e 's/x86_64/amd64/g')
    VERSION="1.3.0"
    curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_${OS}_${ARCH}.tar.gz"
    mkdir -p oras-install/
    yum install -y tar jq
    tar -zxf "oras_${VERSION}_${OS}_${ARCH}.tar.gz" -C oras-install/
    chown root:0 oras-install/oras
    mv oras-install/oras /usr/local/bin/
    rm -rf "oras_${VERSION}_${OS}_${ARCH}.tar.gz" oras-install/

.syft-install: &syft-install
  - curl -sSfL https://get.anchore.io/syft | sh -s -- -b /usr/local/bin

.oidc-aws:
  image:
    name: amazon/aws-cli:2.33.6
    entrypoint: [ "" ]
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  services:
    - docker:27.5.1-dind
  variables:
    AWS_REGION: $REGION
    ROLE_ARN: $ROLE
    SIGNING_PROFILE: $PROFILE
    SBOM_TYPE: application/vnd.cyclonedx+json
    PROVENANCE_TYPE: application/vnd.in-toto+json
  before_script:
    - ls -lh
    - source "$VARIABLES_FILE"
    - cat "$VARIABLES_FILE"
    - mkdir -p "$HOME/.docker"
    - echo "$DOCKER_AUTH_CONFIG" > "$HOME/.docker/config.json"
    # Exchange the GitLab OIDC token for short-lived AWS credentials
    - >
      aws_sts_output=$(aws sts assume-role-with-web-identity
      --role-arn "${ROLE_ARN}"
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token "${GITLAB_OIDC_TOKEN}"
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text)
    - export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $aws_sts_output)
    - aws sts get-caller-identity
    - *notation-install
    - *oras_install

.sign_image: &sign-image
  - *syft-install
  # Resolve the tag to its digest reference so every attachment and the
  # signature bind to immutable content
  - IMAGE_SHA256=$(oras discover "$DOCKER_IMAGE_SLUG_SHA" --format json | jq -r '.reference')
  - syft "${IMAGE_SHA256}" -o cyclonedx-json=./sbom.json
  - oras attach "${IMAGE_SHA256}" sbom.json --artifact-type "${SBOM_TYPE}"
  # provenance.json is produced by an earlier job and passed in as an artifact
  - oras attach "${IMAGE_SHA256}" provenance.json --artifact-type "${PROVENANCE_TYPE}"
  # Sign the image digest itself; this is the step that fails against the GitLab registry
  - notation sign "${IMAGE_SHA256}" --plugin "com.amazonaws.signer.notation.plugin" --id "${SIGNING_PROFILE}"
  - oras discover "${IMAGE_SHA256}"

sign_image:
  extends:
    - .oidc-aws
  script: *sign-image
```
Error Message:
Error: failed to push signature to registry with error: failed to push manifest: PUT "https://registry.gitlab.com/v2/path/to/project/branch/manifests/image_sha": response status code 400: manifest invalid: manifest invalid: unknown media type: application/vnd.cncf.notary.signature
Suspected Solution
Add application/vnd.cncf.notary.signature to supported media types.
Temporary Solution
Upload image to ECR prior to signing.
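With the workaround in place, the signing job can still end with the SBOM and provenance attached but no signature referrer if a registry silently rejects the Notation manifest. The gate below (an added example, not part of the original issue) consumes the JSON that `oras discover <ref> --format json` prints, the same output the job already pipes through jq, and fails when any of the three artifact types used in this pipeline is missing. The field names `referrers` and `artifactType` are assumed from oras 1.x output, and the sample documents are constructed rather than captured from a registry.

```python
"""Post-sign gate: fail the job unless SBOM, provenance and Notation signature are attached."""
import json
import re
import sys

SBOM_TYPE = "application/vnd.cyclonedx+json"
PROVENANCE_TYPE = "application/vnd.in-toto+json"
SIGNATURE_TYPE = "application/vnd.cncf.notary.signature"
REQUIRED = {SBOM_TYPE, PROVENANCE_TYPE, SIGNATURE_TYPE}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def referrer_types(discover_json: str) -> set:
    """Artifact types of referrers whose descriptors carry a well-formed sha256 digest.

    Field names follow the assumed `oras discover --format json` layout:
    {"reference": ..., "referrers": [{"artifactType": ..., "digest": ..., ...}]}.
    A referrer with a malformed digest is ignored so it cannot satisfy the gate.
    """
    doc = json.loads(discover_json)
    return {
        r.get("artifactType", "")
        for r in doc.get("referrers", [])
        if DIGEST_RE.match(r.get("digest", ""))
    }


def missing_artifacts(discover_json: str, required=REQUIRED) -> list:
    """Required artifact types that are not attached, sorted for stable log output."""
    return sorted(required - referrer_types(discover_json))


# Constructed samples (not real registry output). The first mirrors the failure in
# the issue: SBOM and provenance attached, signature manifest rejected by the registry.
_REF = "registry.example/path/to/project@sha256:" + "a" * 64
_SBOM = {"artifactType": SBOM_TYPE, "digest": "sha256:" + "b" * 64, "size": 1024}
_PROV = {"artifactType": PROVENANCE_TYPE, "digest": "sha256:" + "c" * 64, "size": 512}
_SIG = {"artifactType": SIGNATURE_TYPE, "digest": "sha256:" + "d" * 64, "size": 2048}
SAMPLE_UNSIGNED = json.dumps({"reference": _REF, "referrers": [_SBOM, _PROV]})
SAMPLE_SIGNED = json.dumps({"reference": _REF, "referrers": [_SBOM, _PROV, _SIG]})


def main() -> int:
    """Read `oras discover --format json` from stdin; fall back to the sample when interactive."""
    raw = SAMPLE_UNSIGNED if sys.stdin.isatty() else sys.stdin.read()
    missing = missing_artifacts(raw)
    if missing:
        print("missing referrers: " + ", ".join(missing), file=sys.stderr)
        return 1
    print("all required artifacts attached")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

In the job it runs as `oras discover "${IMAGE_SHA256}" --format json | python gate.py` after the `notation sign` step, so a rejected signature push fails the pipeline instead of leaving an unsigned image in the registry.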
If there are any follow-up questions, please let me know. Any help is appreciated.
Edited by DJ Nigh