support code signing of assets #305
Comments
I read the code around this. In the case of this code:

```ts
Code.fromAsset(path.dirname(options.depsLockFilePath), {
  assetHashType: cdk.AssetHashType.OUTPUT,
  bundling: new Bundling(options),
})
```

The build process is executed locally by default, but if the esbuild command is not available in the environment, it is executed in a compatible docker container. As for signatures, is it possible to rely on the local environment? (Once we have a policy for implementation, I would like to start implementing it.)
Looks like something for
I don't think we need to touch the local bundling. The signing needs to occur after the object has been uploaded to the S3 bucket (I believe the upload is done here.) I believe an optimal approach is to follow what the SAM CLI does with their python code.
In addition, the CDK bootstrap bucket would need to be changed to have versioning enabled (since Signer requires a versioned object in S3 to start a signing job).
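A sketch of the post-upload flow described in the comment above (upload to a versioned bucket, pin the exact object version, start an AWS Signer job, poll the asynchronous job until it finishes). This is an added example, not CDK or SAM CLI code; the `FakeAws` client is constructed so it runs offline, while the call names and response shapes follow the boto3 `s3` and `signer` clients, so real clients can be passed in their place.

```python
import time


def sign_uploaded_asset(s3, signer, bucket, key, body, profile_name, max_polls=30, poll_seconds=0.0):
    """Upload body to a versioned bucket, sign that exact object version with
    AWS Signer and return (bucket, key) of the signed artifact. s3/signer use
    the boto3 client call shapes (put_object, start_signing_job, ...)."""
    # Signer only accepts a versioned object as a job source, so check first:
    # the CDK bootstrap bucket is not versioned unless it is changed.
    status = s3.get_bucket_versioning(Bucket=bucket).get("Status")
    if status != "Enabled":
        raise RuntimeError(f"bucket {bucket} needs versioning enabled, got {status!r}")
    version_id = s3.put_object(Bucket=bucket, Key=key, Body=body).get("VersionId")
    if not version_id:
        raise RuntimeError("upload returned no VersionId; cannot pin the object for signing")
    job = signer.start_signing_job(
        source={"s3": {"bucketName": bucket, "key": key, "version": version_id}},
        destination={"s3": {"bucketName": bucket, "prefix": "signed/"}},
        profileName=profile_name,
        clientRequestToken=f"{key}-{version_id}",  # idempotency token
    )
    for _ in range(max_polls):  # the job is asynchronous: poll until it finishes
        desc = signer.describe_signing_job(jobId=job["jobId"])
        if desc["status"] == "Succeeded":
            signed = desc["signedObject"]["s3"]
            return signed["bucketName"], signed["key"]
        if desc["status"] == "Failed":
            raise RuntimeError(f"signing job failed: {desc.get('statusReason')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"signing job {job['jobId']} did not finish")


class FakeAws:
    """Constructed stand-in for both boto3 clients so the flow runs offline."""
    def __init__(self, versioned=True):
        self.versioned, self.polls, self.jobs = versioned, 0, {}
    def get_bucket_versioning(self, Bucket):
        return {"Status": "Enabled"} if self.versioned else {}
    def put_object(self, Bucket, Key, Body):
        return {"VersionId": "3sL4kqtJlcpXroDTDmJ"} if self.versioned else {}
    def start_signing_job(self, source, destination, profileName, clientRequestToken):
        self.jobs["job-1"] = destination["s3"]
        return {"jobId": "job-1"}
    def describe_signing_job(self, jobId):
        self.polls += 1
        if self.polls < 2:
            return {"status": "InProgress"}  # first poll: still running
        dst = self.jobs[jobId]
        return {"status": "Succeeded", "signedObject": {"s3": {"bucketName": dst["bucketName"], "key": dst["prefix"] + jobId + ".zip"}}}
```

The returned bucket and key are what a Lambda function with an `Enforce` code signing configuration would be pointed at in place of the unsigned upload.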
Thank you. I misunderstood it as something to be signed locally. I understand that we should start the signing job after s3.upload. To specify the asset that needs to be signed, should we pass the profile name of the signer here? If we set up the signing profile name when Is there any good way to do this?
Is this a good place to add parameters related to signature settings?
We currently don't have the ability in the CDK to run an asynchronous job (i.e., the signing job) and use the result as an asset. This requires additional design into the AWS CDK lifecycle. I'm moving this to the CDK RFC repo to manage the design work. Unfortunately, we don't have the bandwidth to work on this in the near future.
Just curious if there have been any thoughts on this since the original posts. We're actively using CDK now and would like to have our code signed for compliance purposes. Are there any clever approaches we can leverage here, or do we need to build our own process from scratch?
Closing as we unfortunately do not have the bandwidth to work on this in the near future. We suggest pursuing experimentation in a separate package or a fork if needed. If a successful implementation emerges, reopen the proposal with details on the functionality and how it can be implemented in the core library.
Related to aws/aws-cdk#12656, aws/aws-cdk#12216

Created a Lambda `SignedCode.fromAsset` option that takes local code, uploads it to S3 and signs it using a specified AWS Signer profile.

Use Case

With PR aws/aws-cdk#12656 Lambda now supports a code signing configuration. However, if the signing config is set to `Enforce` and local code (inline or from an asset path) is provided, the deployment will fail as the code has not been signed. This feature would enable usage of local code and signing of the code, given permissions to the signing profile.

Proposed Solution

Having an option like
would solve this issue.

Other

This is a 🚀 Feature Request