Description
Is your feature request related to a problem? Please describe.
Running the above workflow to produce private layers.
If a team is running an AWS CodeSigner, then the publish job should also include an optional capability to sign the layers to confirm the provenance.
https://docs.aws.amazon.com/lambda/latest/dg/governance-code-signing.html
Describe the solution you'd like
I'd like the GitHub action to include an artefact attestation for the zip binaries and each of the language-specific binaries released (https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations), and couple that with AWS's codesigner for the zip files.
```bash
# Start an AWS Signer job on a specific S3 object version; the signed zip is
# written back under the signed/ prefix. Placeholders (xxxx, XXXXX) are as in the request.
aws signer start-signing-job \
  --source 's3={bucketName=xxxx,key=collector-layer.zip,version=xxxxx}' \
  --destination 's3={bucketName=xxxx,prefix=signed/}' \
  --profile-name SigningProfile_XXXXX \
  --client-request-token XXXUNIQUE_FROM_GITHUB_JOB
```
The additional parameter would need to be the SigningProfile, which would need to be present in the account that the GHA is uploading to.
Prerequisites
- The GitHub OIDC role would also need permission to be able to sign.
- The S3 bucket needs to have versioning enabled.
Describe alternatives you've considered
I think the GitHub attestation step is optional, but could allow extra confidence that the artefacts have not been tampered with, especially if the signing job connects directly to the GitHub attestation.
Additional context
I'm keen to raise a PR to demonstrate that this could be an optional extra, but wanted to raise the issue first as I couldn't find evidence of where this has been/not-been considered.
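The optional signing step described in this request, sketched as a GitHub Actions job (an added illustration, not code from the issue or the project). It assumes a `build.sh` that produces `collector-layer.zip`, a versioning-enabled bucket `my-layer-bucket`, and an OIDC-assumable role `gha-layer-publisher` whose policy allows `signer:StartSigningJob` on the profile; workflow inputs are passed through `env` rather than interpolated into the script to avoid expression injection.

```yaml
name: publish-layer
on:
  workflow_dispatch:
    inputs:
      signing_profile:
        description: "AWS Signer profile name; leave empty to skip signing"
        required: false
        default: ""
permissions:
  id-token: write      # GitHub OIDC token for AWS role assumption and Sigstore attestation
  attestations: write  # required by actions/attest-build-provenance
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      BUCKET: my-layer-bucket   # assumption: S3 versioning is enabled on this bucket
    steps:
      - uses: actions/checkout@v4
      - name: Build layer zip
        run: ./build.sh         # assumption: emits collector-layer.zip in the workspace
      - name: Attest build provenance for the zip
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: collector-layer.zip
      - name: Assume AWS role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gha-layer-publisher  # assumption
          aws-region: us-east-1
      - name: Upload unsigned zip and capture the object version Signer must reference
        id: upload
        run: |
          VERSION_ID=$(aws s3api put-object --bucket "$BUCKET" --key collector-layer.zip \
            --body collector-layer.zip --query VersionId --output text)
          echo "version_id=$VERSION_ID" >> "$GITHUB_OUTPUT"
      - name: Sign the zip with AWS Signer (only when a profile was supplied)
        if: ${{ inputs.signing_profile != '' }}
        env:
          SIGNING_PROFILE: ${{ inputs.signing_profile }}
          VERSION_ID: ${{ steps.upload.outputs.version_id }}
          REQUEST_TOKEN: ${{ github.run_id }}-${{ github.run_attempt }}   # idempotency token
        run: |
          JOB_ID=$(aws signer start-signing-job \
            --source "s3={bucketName=$BUCKET,key=collector-layer.zip,version=$VERSION_ID}" \
            --destination "s3={bucketName=$BUCKET,prefix=signed/}" \
            --profile-name "$SIGNING_PROFILE" \
            --client-request-token "$REQUEST_TOKEN" \
            --query jobId --output text)
          aws signer wait successful-signing-job --job-id "$JOB_ID"   # fails the job if signing fails
          aws signer describe-signing-job --job-id "$JOB_ID" --query '[status,signedObject.s3.key]' --output text
```

Consumers then attach the `signed/` object to a Lambda code signing config and verify the provenance with `gh attestation verify collector-layer.zip --owner <org>`, so a tampered zip is rejected at both the Lambda and the GitHub side.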