Bug fix- update cert thumbprint to latest ame prod cert (#615)

* Removing duplicate alerts from ci recommended alerts * Remove test branch * Remove preview keyword from policy readme * Bug fix- update cert thumbprint for image signing to latest ame prod cert
Azure · Oct 6, 2023 · 59ab96a · 59ab96a
1 parent b463226
commit 59ab96a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/.pipelines/azure-pipeline-build.yml b/.pipelines/azure-pipeline-build.yml
@@ -337,7 +337,7 @@ jobs:
         oras attach $(LINUX_FULL_IMAGE_NAME) \
           --artifact-type 'application/vnd.cncf.notary.signature' \
           ./payload.json:application/cose \
-          -a "io.cncf.notary.x509chain.thumbprint#S256=[\"659AAA9C0E822B4B20A964AA0178BD9419A50530\"]"
+          -a "io.cncf.notary.x509chain.thumbprint#S256=[\"79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\"]"
       workingDirectory: $(Build.ArtifactStagingDirectory)/linux/
       displayName: "ORAS Push Artifacts in $(Build.ArtifactStagingDirectory)/linux/"
       condition: eq(variables.IS_MAIN_BRANCH, true)
@@ -581,7 +581,7 @@ jobs:
         New-Item -ItemType Directory -Force -Path $env:USERPROFILE\bin
         Copy-Item -Path $currentDirectory\oras.exe -Destination "$env:USERPROFILE\bin\"
         $env:PATH = "$env:USERPROFILE\bin;$env:PATH"
-        oras attach $(WINDOWS_FULL_IMAGE_NAME) --artifact-type application/vnd.cncf.notary.signature ./payload.json:application/cose -a io.cncf.notary.x509chain.thumbprint#S256=[\""659AAA9C0E822B4B20A964AA0178BD9419A50530\""]
+        oras attach $(WINDOWS_FULL_IMAGE_NAME) --artifact-type application/vnd.cncf.notary.signature ./payload.json:application/cose -a io.cncf.notary.x509chain.thumbprint#S256=[\""79E6A702361E1F60DAA84AEEC4CBF6F6420DE6BA\""]
       workingDirectory: $(Build.ArtifactStagingDirectory)/windows
       displayName: "Download, install Oras and run oras attach"
       condition: eq(variables.IS_MAIN_BRANCH, true)

diff --git a/internal/docs/ESRPCodeSign.md b/internal/docs/ESRPCodeSign.md
@@ -10,4 +10,4 @@ I have followed this [doc](https://eng.ms/docs/more/containers-secure-supply-cha
 For verification of signing we can do through 2 ways.
 
 1. Locally through the doc https://eng.ms/docs/more/containers-secure-supply-chain/signing under validation section using notation. We have to use our own [certificate](https://ms.portal.azure.com/#view/Microsoft_Azure_KeyVault/ListObjectVersionsRBACBlade/~/overview/objectType/certificates/objectId/https%3A%2F%2Fesrpprometheuskv.vault.azure.net%2Fcertificates%2FESRPReqPrometheusCert/vaultResourceUri/%2Fsubscriptions%2F9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb%2FresourceGroups%2FESRPPrometheus%2Fproviders%2FMicrosoft.KeyVault%2Fvaults%2FESRPPrometheusKV/vaultId/%2Fsubscriptions%2F9b96ebbd-c57a-42d1-bbe9-b69296e4c7fb%2FresourceGroups%2FESRPPrometheus%2Fproviders%2FMicrosoft.KeyVault%2Fvaults%2FESRPPrometheusKV) instead of the one in the example.
-2. We can do a docker pull on the signed images and it will not have the following error message - "manifest verification failed for digest sha256..."
+2. We can do a "docker manifest inspect -v <image>" on the signed images and it will not have the following error message - "manifest verification failed for digest sha256..."