Skip to content

sign ADOT ECR image #1288

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wangzlei wants to merge 2 commits into
base: main
Choose a base branch
from
Open

sign ADOT ECR image #1288

wangzlei wants to merge 2 commits into from

Conversation

@wangzlei
Copy link
Contributor

@wangzlei wangzlei commented Jan 14, 2026

Description of changes:

Manual sign ADOT ECR image by "notation" + AWS Signer. The signing profile is arn:aws:signer:us-east-1:020628701572:/signing-profiles/ADOTECRSigningProfile
ADOT ECR image consumer can verify it by notation, the trust policy config trustpolicy.json is:

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "aws-signer-tp",
            "registryScopes": [ "*" ],
            "signatureVerification": { "level": "strict" },
            "trustStores": [ "signingAuthority:aws-signer-ts" ],
            "trustedIdentities": [
                "arn:aws:signer:us-east-1:020628701572:/signing-profiles/ADOTECRSigningProfile"
            ]
        }
    ]
}

Then verify the ADOT image by commands:

aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin

notation policy import trustpolicy.json

notation verify public.ecr.aws/s8x6f3t0/signed-wangzl@sha256:435b648cbd17912354bd1fb3ac685f2e468394a7229ab282a1af090db9632e53
Successfully verified signature for public.ecr.aws/s8x6f3t0/signed-wangzl@sha256:435b648cbd17912354bd1fb3ac685f2e468394a7229ab282a1af090db9632e53

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@wangzlei wangzlei requested a review from a team as a code owner January 14, 2026 04:58
@codecov-commenter
Copy link

codecov-commenter commented Jan 14, 2026

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.42%. Comparing base (09e6487) to head (14228eb).
⚠️ Report is 529 commits behind head on main.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@              Coverage Diff              @@
##               main    #1288       +/-   ##
=============================================
- Coverage     85.71%   69.42%   -16.30%     
- Complexity       19      676      +657     
=============================================
  Files             3       63       +60     
  Lines            49     3365     +3316     
  Branches          5      467      +462     
=============================================
+ Hits             42     2336     +2294     
- Misses            3      842      +839     
- Partials          4      187      +183

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wangzlei @codecov-commenter