Aug 31, 2025
Signing and verifying container images with a code signing certificate issued by a trusted Certificate Authority such as GlobalSign lets anyone who pulls an image validate both the identity of its publisher and the integrity of the image itself: a signature that verifies proves who signed the image and that it has not been altered since. The trusted CA plays a crucial role in this: it validates the identity of the user or organization before issuing the certificate, maintains the security of the certificate lifecycle, and can revoke the certificate promptly on compromise or misuse. That revocation only protects verifiers whose trust policy actually checks revocation status, which matters when writing the policy later in this guide.
Install and configure the latest Azure CLI.
The one-line installer pipes a remote script straight into a root shell. Download the script first using curl, inspect it in your favourite text editor, and only then execute it.
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
Create or use an Azure Container Registry for storing container images and their signatures (notation stores each signature as an OCI artifact in the same repository as the image it signs). $ACR_RG and $ACR_NAME are the registry variables defined further below.
az acr create --resource-group $ACR_RG --name $ACR_NAME --sku Basic
Before pushing and pulling container images, you must log in to the registry.
az acr login --name $ACR_NAME
Install the Notation CLI. The release page also publishes a checksums file for each version; compare the SHA-256 of the downloaded tarball against it before extracting, since this binary is what drives every signing and verification operation that follows.
# Download, extract and install
curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v1.2.0/notation_1.2.0_linux_amd64.tar.gz
tar xvzf notation.tar.gz
# Copy the notation cli to the desired bin directory in your PATH, for example
cp ./notation /usr/local/bin
Install the Notation Azure Key Vault plugin. The plugin performs the signing call against Key Vault, so the private key of the code signing certificate never leaves the vault.
Verify the plugin installation.
notation plugin ls
Install Docker (Ubuntu).
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Configure environment variables for Azure Key Vault and the signing certificate. The subject set here is what notation verify later compares against the trustedIdentities entry of the trust policy, so the two must carry the same attributes.
AKV_SUB_ID=myAkvSubscriptionId
AKV_RG=myAkvResourceGroup
AKV_NAME=myakv
# Name of the certificate created or imported in AKV
CERT_NAME=GlobalSign
# X.509 certificate subject
CERT_SUBJECT="CN=SecureBuilder,O=SecureBuilder,L=Seattle,S=WA,C=US"
Configure environment variables for ACR and images.
ACR_SUB_ID=myAcrSubscriptionId
ACR_RG=myAcrResourceGroup
# Short name of the existing registry (without .azurecr.io), example: myregistry
ACR_NAME=myregistry
# Existing full domain of the ACR
REGISTRY=$ACR_NAME.azurecr.io
# Repository inside ACR where the image and its signature will be stored
REPO=net-monitor
TAG=v1
# Build context containing the Dockerfile (a local directory or a git URL)
IMAGE_SOURCE=https://github.com/iamantil/codeSigning.git
The AcrPull and AcrPush roles are required for building, pushing and signing container images in ACR.
The identity that signs needs the Key Vault key permission Sign, secret permission Get, and certificate permission Get for the $CERT_NAME certificate. Grant these permissions to the signing principal before signing, through a Key Vault access policy or the equivalent Key Vault RBAC roles if the vault uses RBAC. Sign is the only key permission needed: the key is used inside the vault and never exported.
Download the root CA certificate of the chain that issued the $CERT_NAME certificate and save it as $ROOT_CERT. Add $ROOT_CERT to the $STORE_NAME trust store, then list the trust store to confirm $ROOT_CERT is added successfully. A public CA root such as GlobalSign's also chains every other certificate that CA has ever issued, so the trust store alone must not be what authorizes a publisher: the trust policy below pins the signing identity through trustedIdentities, and that entry must never be "*" when the store holds a public CA root.
Create trustpolicy.json with the following trust policy configuration:
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "GlobalSign",
            "registryScopes": [ "containerimagesigning.azurecr.io/code-signed-images" ],
            "signatureVerification": {
                "level" : "strict",
                "override" : {
                    "revocation" : "skip"
                }
            },
            "trustStores": [ "ca:GlobalSign" ],
            "trustedIdentities": [
                "x509.subject: C=US, ST=WA, L=Seattle, O=SecureBuilder, OU=Finance, CN=SecureBuilder"
            ]
        }
    ]
}
Check three things against your own values before importing this policy. registryScopes must exactly equal the registry/repository that was signed, i.e. $REGISTRY/$REPO (myregistry.azurecr.io/net-monitor with the variables above), whereas this policy scopes containerimagesigning.azurecr.io/code-signed-images; an image that falls outside every scope fails verification with an error that no applicable trust policy exists for it. The x509.subject entry must match the signing certificate's subject: notation compares the listed attributes as a set, in any order, requires C, ST and O to be present, and this entry lists OU=Finance while CERT_SUBJECT above does not. Finally, "revocation": "skip" under level "strict" switches off the one check that gives CA revocation any effect at verification time; remove the override, or at least downgrade it to "log", once the verifying host can reach the CA's OCSP or CRL endpoints.
Use notation policy import to load the trust policy configuration from trustpolicy.json.
notation policy import ./trustpolicy.json
Show the trust policy configuration to confirm its successful import.
notation policy show
Use notation verify to verify the signature on the image, where $IMAGE is the full reference $REGISTRY/$REPO:$TAG. Verification succeeds only when the signature is intact, the signing certificate chains to the $STORE_NAME trust store and its subject matches a trustedIdentities entry. Prefer passing the digest reference (registry/repository@sha256:...) of the image that was signed rather than a tag: notation resolves a tag to a digest and warns, because a tag can be repointed to a different image after signing.
notation verify $IMAGE
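To make the policy requirements concrete, here is an added example (my own code, not from the original post or from the Notary project) that models the two decisions notation verify makes from the trust policy: which policy applies to the image reference, and whether the leaf certificate's subject matches trustedIdentities. The matching rules are a simplified reading of notation's behaviour (assumption: exact registry/repository match for registryScopes with "*" as the fallback, and attribute-subset matching for x509.subject with C, ST and O mandatory); the real verifier additionally checks the chain against the trust store, timestamps, expiry and revocation, none of which is modelled. The trust policy and the CERT_SUBJECT/REGISTRY/REPO values are the article's own, embedded as constructed samples.

```python
"""Added example: a simplified model of notation's trust policy selection and
x509.subject identity matching. Not code from the original post or from the
Notary project; matching rules are an assumption based on notation's behaviour."""
import json
from typing import Dict, List, Optional

# Constructed sample: the trust policy from the article, copied verbatim.
TRUST_POLICY_JSON = """
{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "GlobalSign",
            "registryScopes": [ "containerimagesigning.azurecr.io/code-signed-images" ],
            "signatureVerification": {
                "level" : "strict",
                "override" : { "revocation" : "skip" }
            },
            "trustStores": [ "ca:GlobalSign" ],
            "trustedIdentities": [
                "x509.subject: C=US, ST=WA, L=Seattle, O=SecureBuilder, OU=Finance, CN=SecureBuilder"
            ]
        }
    ]
}
"""

MANDATORY_RDN = ("C", "ST", "O")  # attributes notation insists on in any DN it parses


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'C=US, ST=WA, O=...' into {attribute: value}.
    Assumption: no escaped commas or hex-encoded values in the DN."""
    attrs: Dict[str, str] = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attrs[key.strip().upper()] = value.strip()
    missing = [a for a in MANDATORY_RDN if a not in attrs]
    if missing:
        raise ValueError(f"DN {dn!r} lacks mandatory attribute(s) {missing}")
    return attrs


def repository(reference: str) -> str:
    """Strip tag or digest: registry[:port]/repo[:tag][@digest] -> registry[:port]/repo."""
    ref = reference.split("@", 1)[0]
    head, sep, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]  # a ':' after the last '/' starts a tag, not a port
    return head + sep + tail


def applicable_policy(trust_policy: dict, reference: str) -> Optional[dict]:
    """Pick the policy scoped to the image's repository, falling back to a "*" policy."""
    repo = repository(reference)
    wildcard = None
    for policy in trust_policy["trustPolicies"]:
        scopes = policy["registryScopes"]
        if repo in scopes:
            return policy
        if "*" in scopes:
            wildcard = policy
    return wildcard


def identity_trusted(policy: dict, leaf_subject: str) -> bool:
    """True if the leaf certificate subject satisfies one trustedIdentities entry:
    every attribute the entry lists must appear in the subject with the same value."""
    cert_dn = parse_dn(leaf_subject)
    for identity in policy["trustedIdentities"]:
        if identity == "*":  # accepts any cert chaining to the store: never use with a public CA
            return True
        prefix, _, value = identity.partition(":")
        if prefix.strip() != "x509.subject":
            continue
        wanted = parse_dn(value)
        if all(cert_dn.get(attr) == val for attr, val in wanted.items()):
            return True
    return False


def weakened_checks(policy: dict) -> List[str]:
    """Verification steps the policy downgrades through override (e.g. revocation: skip)."""
    override = policy["signatureVerification"].get("override", {})
    return sorted(check for check, action in override.items() if action in ("log", "skip"))


def evaluate(trust_policy_json: str, reference: str, leaf_subject: str) -> dict:
    """Run policy selection and identity matching and report the outcome."""
    policy = applicable_policy(json.loads(trust_policy_json), reference)
    if policy is None:
        return {"policy": None, "identity_ok": False, "weakened": [],
                "reason": f"no applicable trust policy for {repository(reference)}"}
    ok = identity_trusted(policy, leaf_subject)
    return {"policy": policy["name"], "identity_ok": ok,
            "weakened": weakened_checks(policy),
            "reason": None if ok else "leaf certificate subject does not match trustedIdentities"}


if __name__ == "__main__":
    # Article values: REGISTRY=myregistry.azurecr.io, REPO=net-monitor, TAG=v1, CERT_SUBJECT without OU.
    subject = "CN=SecureBuilder,O=SecureBuilder,L=Seattle,ST=WA,C=US"
    cases = [
        ("myregistry.azurecr.io/net-monitor:v1", subject),                    # scope mismatch
        ("containerimagesigning.azurecr.io/code-signed-images:v1", subject),  # OU=Finance missing
        ("containerimagesigning.azurecr.io/code-signed-images:v1",
         "CN=SecureBuilder,OU=Finance,O=SecureBuilder,L=Seattle,ST=WA,C=US"),  # matches
    ]
    for ref, subj in cases:
        print(ref, "->", evaluate(TRUST_POLICY_JSON, ref, subj))
```

Run as-is, the first case reports that no policy applies to myregistry.azurecr.io/net-monitor, the second selects the GlobalSign policy but rejects the article's CERT_SUBJECT because OU=Finance is absent, and the third passes identity matching while still flagging revocation as a weakened check. Use the same three inputs from your own environment (the repository you signed, the subject printed by openssl x509 -noout -subject on the leaf certificate, and the policy file) to catch these mismatches before they surface as a failed notation verify.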