
Role delegation - Automating image signing on CI systems

小牛编辑
2023-12-01

Automating image signing on CI systems

  1. Create a delegation key for the CI system.
  2. Expose the encrypted passphrase in the CI environment and import the key with the local notary client:

       ❯ export NOTARY_DELEGATION_PASSPHRASE=foobar
       ❯ notary -D -v -s https://127.0.0.1:4443 -d ~/.docker/trust key import ./delegation.key --role user

  3. Use the same passphrase to sign and push the image:

       ❯ export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$NOTARY_DELEGATION_PASSPHRASE
       ❯ DOCKER_CONTENT_TRUST_SERVER=https://notary.docker.io docker build -t <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app:latest .
       ❯ docker push <aws_account_id>.dkr.ecr.us-east-1.amazonaws.com/app:latest
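The three steps above wired into one CI job script, as an added example that is not code from the original page or from the notary/docker projects. It assumes a delegation key at ./delegation.key, a NOTARY_SERVER variable (default https://notary.docker.io), an IMAGE_REF variable holding the image to build and push, and a DRY_RUN switch that prints each command instead of running it. It also sets DOCKER_CONTENT_TRUST=1, which the page's commands leave out and without which docker push does not sign. The passphrase is only ever passed through the environment, so a CI runner that echoes commands into its build log never prints it.

```shell
#!/usr/bin/env sh
# Added example, not code from the original page. A CI job script that performs
# the three steps of the procedure in order. Assumptions for illustration: the
# key path ./delegation.key, the NOTARY_SERVER / IMAGE_REF / DRY_RUN variables,
# and the DOCKER_CONFIG-based trust directory. DRY_RUN=1 prints each command
# instead of running it, so the flow can be exercised without Docker or Notary.

# Each *_cmd function only builds a command line. The passphrase is never part
# of it: notary and docker read it from the environment, so a CI runner that
# echoes commands to its build log does not leak the secret.
import_key_cmd() {
    # $1 = delegation key path, $2 = notary server URL, $3 = trust directory
    printf 'notary -s %s -d %s key import %s --role user' "$2" "$3" "$1"
}

build_cmd() {
    # $1 = image reference, $2 = notary server URL
    printf 'DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER=%s docker build -t %s .' "$2" "$1"
}

push_cmd() {
    # $1 = image reference, $2 = notary server URL
    printf 'DOCKER_CONTENT_TRUST=1 DOCKER_CONTENT_TRUST_SERVER=%s docker push %s' "$2" "$1"
}

# Fail closed before touching the key: every required input must be present.
# Prints the first problem to stderr and returns 1.
check_env() {
    # $1 = delegation key path; reads NOTARY_DELEGATION_PASSPHRASE and IMAGE_REF
    [ -n "${NOTARY_DELEGATION_PASSPHRASE:-}" ] || { echo "NOTARY_DELEGATION_PASSPHRASE is not set" >&2; return 1; }
    [ -n "${IMAGE_REF:-}" ] || { echo "IMAGE_REF is not set" >&2; return 1; }
    [ -f "$1" ] || { echo "delegation key not found: $1" >&2; return 1; }
    return 0
}

# Run one command line, or print it when DRY_RUN=1.
run_step() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

# Steps 2 and 3 of the procedure. $1 = delegation key path (default ./delegation.key).
ci_sign_and_push() {
    key="${1:-./delegation.key}"
    server="${NOTARY_SERVER:-https://notary.docker.io}"
    trust_dir="${DOCKER_CONFIG:-$HOME/.docker}/trust"
    check_env "$key" || return 1
    # Step 2: notary takes the delegation passphrase from the environment.
    export NOTARY_DELEGATION_PASSPHRASE
    run_step "$(import_key_cmd "$key" "$server" "$trust_dir")" || return 1
    # Step 3: docker reuses the same passphrase for the repository (delegation) key.
    DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE="$NOTARY_DELEGATION_PASSPHRASE"
    export DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE
    run_step "$(build_cmd "$IMAGE_REF" "$server")" || return 1
    run_step "$(push_cmd "$IMAGE_REF" "$server")" || return 1
}

# Entry point for a CI job: sh ci-sign.sh --run [path/to/delegation.key]
if [ "${1:-}" = "--run" ]; then
    ci_sign_and_push "${2:-./delegation.key}"
fi
```

In the CI configuration, NOTARY_DELEGATION_PASSPHRASE and IMAGE_REF are provided as job secrets and variables; running the script once with DRY_RUN=1 shows exactly which commands will execute and confirms that no secret appears in them.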