support code signing of assets
Related to https://github.com/aws/aws-cdk/pull/12656 and https://github.com/aws/aws-cdk/issues/12216
Created a Lambda SignedCode.fromAsset option that takes local code, uploads it to S3 and signs it using a specified AWS Signer profile.
Use Case
With PR https://github.com/aws/aws-cdk/pull/12656 Lambda now supports a code signing configuration. However, if the signing config is set to Enforce and local code (inline or from an asset path) is provided, the deployment will fail as the code has not been signed:
```ts
import * as lambda from '@aws-cdk/aws-lambda';
import * as signer from '@aws-cdk/aws-signer';

// `stack` is an existing cdk.Stack
const signingProfile = new signer.SigningProfile(stack, 'SigningProfile', {
  platform: signer.Platform.AWS_LAMBDA_SHA384_ECDSA,
});
const codeSigningConfig = new lambda.CodeSigningConfig(stack, 'CodeSigningConfig', {
  signingProfiles: [signingProfile],
  // ENFORCE: Lambda rejects any deployment package without a valid signature
  untrustedArtifactOnDeployment: lambda.UntrustedArtifactOnDeployment.ENFORCE,
});
new lambda.Function(stack, 'MyLambda', {
  // unsigned local asset: the deployment fails under ENFORCE
  code: lambda.Code.fromAsset(...),
  handler: 'index.handler',
  runtime: lambda.Runtime.NODEJS_10_X,
  codeSigningConfig,
});
```
This feature would enable usage of local code and signing of the code, given permissions to the signing profile.
Proposed Solution
Having an option like
```ts
new lambda.Function(stack, 'MyLambda', {
  // proposed API (does not exist yet): upload the asset, then sign it with the profile
  code: lambda.SignedCode.fromAsset(...),
  handler: 'index.handler',
  runtime: lambda.Runtime.NODEJS_10_X,
  codeSigningConfig,
});
```
would solve this issue
Other
- This is how the SAM CLI does it
- The bootstrap bucket would need to have versioning enabled
- 👋 I may be able to implement this feature request
- ⚠️ This feature might incur a breaking change
This is a 🚀 Feature Request
Issue analytics: created 3 years ago; 6 comments (1 by maintainers)
Top GitHub Comments
I don’t think we need to touch the local bundling. The signing needs to occur after the object has been uploaded to the S3 bucket (I believe the upload is done here.) I believe an optimal approach is to follow what the SAM CLI does with their Python code.
In addition, the CDK bootstrap bucket would need to be changed to have versioning enabled (since Signer requires a versioned object in S3 to start a signing job).
We currently don’t have the ability in the CDK to run an asynchronous job (i.e., the signing job) and use the result as an asset.
This requires additional design into the AWS CDK lifecycle. I’m moving this to the CDK RFC repo to manage the design work.
Unfortunately, we don’t have the bandwidth to work on this in the near future. However, if anyone is interested in writing the design, we’ll be happy to review and provide feedback.
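The sign-after-upload flow described in the issue body and in the comments above (asset already in a versioned bucket, Signer job started on that object version, signed output used as the function's code) as an added example in Python, the language the SAM CLI implements it in. This is not code from the aws-cdk project or the SAM CLI; it assumes a boto3 Signer client is passed in, and the bucket, key, version id and profile name are placeholder values supplied by the caller.

```python
import time
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class SignedArtifact:
    """Location of the signed zip that the Function should reference."""
    bucket: str
    key: str
    job_id: str


def sign_uploaded_asset(signer, bucket, key, version_id, profile_name,
                        dest_prefix="signed/", poll_seconds=2.0, max_polls=150):
    """Start a Signer job on an already-uploaded S3 object and wait for it.

    `signer` is a boto3 Signer client (or any object exposing the same
    start_signing_job / describe_signing_job methods). Signer only accepts
    a versioned S3 object as the job source, which is why the asset bucket
    must have versioning enabled.
    """
    if not version_id:
        raise ValueError(
            f"no versionId for s3://{bucket}/{key}: the asset bucket must have "
            "versioning enabled before Signer can sign the upload")
    job = signer.start_signing_job(
        source={"s3": {"bucketName": bucket, "key": key, "version": version_id}},
        destination={"s3": {"bucketName": bucket, "prefix": dest_prefix}},
        profileName=profile_name,
        clientRequestToken=str(uuid.uuid4()),  # idempotency token for retries
    )
    job_id = job["jobId"]
    status = None
    for _ in range(max_polls):
        desc = signer.describe_signing_job(jobId=job_id)
        status = desc.get("status")
        if status == "Succeeded":
            # Signer writes a new object; reference it instead of the unsigned upload
            out = desc["signedObject"]["s3"]
            return SignedArtifact(out["bucketName"], out["key"], job_id)
        if status == "Failed":
            raise RuntimeError(
                f"signing job {job_id} failed: {desc.get('statusReason', 'unknown')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"signing job {job_id} still {status} after {max_polls} polls")
```

With a real client, `sign_uploaded_asset(boto3.client("signer"), bucket, key, upload["VersionId"], "MyProfile")` returns the signed object's location, which is what a SignedCode.fromAsset-style construct would hand to the Function.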