Signature verification
After you sign your container images, you can verify the signatures to ensure that images have not been tampered with and come from a trusted source. Amazon ECR supports several methods for verifying signatures:
Managed verification with Amazon EKS
Amazon EKS provides native integration for automatic signature verification. When you configure signature verification in your Amazon EKS clusters, the service automatically verifies image signatures before allowing containers to run. For more information about configuring signature verification, see Validate container image signatures during deployment in the Amazon EKS User Guide.
Lambda admission controller for Amazon ECS
Amazon ECS provides service lifecycle hooks that allow you to run custom logic during service deployments. These hooks can trigger AWS Lambda functions at specific points in the deployment process, enabling you to validate container image signatures before allowing services to start. For more information, see Verify container image signatures for Amazon ECS in the AWS Signer Developer Guide.
Manual verification with Notation CLI
You can verify signatures manually using the Notation CLI. This method requires you to install and configure the Notation CLI on your local machine or in your verification environment. For detailed instructions about verifying an image using Notation CLI, see Verify an image locally after signing in the AWS Signer Developer Guide.
Configure authentication for the Notation client
If you use manual signing or verify signatures manually using the Notation CLI, you must configure the Notation client so it can authenticate to Amazon ECR. If you have Docker installed on the same host where you install the Notation client, then Notation will reuse the same authentication method you use for the Docker client. The Docker login and logout commands will allow the Notation sign and verify commands to use those same credentials, and you don't have to separately authenticate Notation. For more information on configuring your Notation client for authentication, see Authenticate with OCI-compliant registries.
If you are not using Docker or another tool that uses Docker credentials, then we recommend using the Amazon ECR Docker Credential Helper as your credential store. For more information on how to install and configure the Amazon ECR Credential Helper, see Amazon ECR Docker Credential Helper.
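The following script is an added example (not part of this page or of the Notation or Amazon ECR projects) that ties the manual verification section and the authentication section together: it derives the ECR registry host name, writes a Docker config.json that delegates ECR logins to the ECR credential helper (which Notation reuses), offers the short-lived AWS CLI login as the alternative, and then verifies an image by digest with notation verify. It assumes the AWS CLI, Docker, the ECR credential helper and Notation are installed, that a trust policy and trust store for your signing profile have already been configured as described in the AWS Signer Developer Guide, and that the account ID, region, repository name and digest are placeholders you replace with your own.

```shell
#!/usr/bin/env sh
# Added example: configure Notation to reuse Docker credentials for Amazon ECR,
# then verify a signed image manually with the Notation CLI.
# Assumptions (not from the page): aws, docker, docker-credential-ecr-login and
# notation are on PATH; the Notation trust policy/trust store are already set up.
set -eu

# Build the ECR registry host name for an AWS account ID and region.
ecr_registry_host() {
  printf '%s.dkr.ecr.%s.amazonaws.com\n' "$1" "$2"
}

# Write a Docker config that sends logins for the given registry to the ECR
# credential helper. Notation reads the same file, so no separate Notation login
# is needed. The function refuses to overwrite an existing config so that stored
# credentials for other registries are not lost; merge by hand in that case.
write_cred_helper_config() {
  config_file="$1"
  registry="$2"
  if [ -e "$config_file" ]; then
    echo "refusing to overwrite $config_file; add the credHelpers entry manually" >&2
    return 1
  fi
  mkdir -p "$(dirname "$config_file")"
  cat > "$config_file" <<EOF
{
  "credHelpers": {
    "$registry": "ecr-login"
  }
}
EOF
}

# Alternative to the credential helper: a short-lived login via the AWS CLI.
# The token is valid for a limited time, so rerun this before verifying.
ecr_docker_login() {
  account_id="$1"
  region="$2"
  aws ecr get-login-password --region "$region" \
    | docker login --username AWS --password-stdin "$(ecr_registry_host "$account_id" "$region")"
}

# Verify by digest rather than tag: the signature is then checked against exactly
# the manifest you intend to run, not whatever a mutable tag points to right now.
verify_image() {
  registry="$1"
  repository="$2"
  digest="$3"
  notation verify "$registry/$repository@$digest"
}

# Run the full flow only when invoked as: sh verify.sh run
if [ "${1:-}" = "run" ]; then
  ACCOUNT_ID="123456789012"                 # placeholder account ID
  REGION="us-east-1"                        # placeholder region
  REPOSITORY="my-app"                       # placeholder repository
  DIGEST="sha256:REPLACE_WITH_IMAGE_DIGEST" # placeholder digest
  REGISTRY="$(ecr_registry_host "$ACCOUNT_ID" "$REGION")"

  # Pick one of the two authentication methods described on the page.
  write_cred_helper_config "${DOCKER_CONFIG:-$HOME/.docker}/config.json" "$REGISTRY" \
    || ecr_docker_login "$ACCOUNT_ID" "$REGION"

  verify_image "$REGISTRY" "$REPOSITORY" "$DIGEST"
fi
```

A non-zero exit from notation verify means the image must not be deployed; the credential helper path is preferable on build and verification hosts because it never writes a long-lived token into config.json.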