How is it possible to sign an image in Azure Container Registry?

Cleber Ramos 20 Reputation points

How is it possible to sign an image in Azure Container Registry? I always receive error 401, not authorized, even though I'm owner and "acr signer" of the ACR.

After signing, how is it possible to guarantee that K8S only receives the signed image and that the signature is the correct one, made with a specific key?

I tried looking through all the documentation; however, none of it is clear.

Azure Container Registry
An Azure service that provides a registry of Docker and Open Container Initiative images.

Accepted answer
  1. vipullag-MSFT 21,351 Reputation points Microsoft Employee

    Hello Cleber Ramos
    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    To sign an image in Azure Container Registry (ACR), you need to use the az acr pack build command. This command builds and signs an image using the specified Dockerfile and a signing key.

    Here is an example command:

    az acr pack build --image myimage:v1 --registry myregistry --file Dockerfile --sign

    This command builds the image using the Dockerfile, tags it as myimage:v1, and signs it using the default signing key. You can also specify a different signing key using the --signing-key option.

    To verify that the image has been signed correctly, you can use the az acr repository show-manifests command. This command shows the manifests for a repository, including the signatures.

    Here is an example command:

    az acr repository show-manifests --name myregistry --repository myimage --output table

    This command shows the manifests for the myimage repository in the myregistry registry, and outputs the results in a table format. The output includes the digest of the signed image, which you can use to verify the signature.

    To ensure that Kubernetes only pulls the signed image, you can use an imagePullPolicy of "Always" in your Kubernetes deployment. This ensures that Kubernetes always pulls the latest version of the image, including any new signatures. You can also use Kubernetes admission controllers to enforce image signing policies.

    Hope this helps.

    1 person found this answer helpful.
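The admission-controller enforcement mentioned at the end of the accepted answer, as an added example (not part of either answer and not Microsoft's code): the decision logic of a validating admission webhook that admits a Pod only if every image is pinned by digest, comes from the trusted registry, and is reported as signed. Assumptions: the login server `myregistry.azurecr.io` (built from the answer's `myregistry`), the hypothetical `is_signed` callback standing in for a real signature verifier bound to your key, and the constructed sample digests.

```python
import re

TRUSTED_REGISTRY = "myregistry.azurecr.io"  # assumption: login server of the page's "myregistry"
# name[:tag]@sha256:<64 hex>; a tag alone is mutable, so a digest is required.
IMAGE_RE = re.compile(r"^(?P<name>[^@]+?)(?::[\w.-]+)?@(?P<digest>sha256:[0-9a-f]{64})$")


def pod_images(pod):
    """Yield every image reference in a Pod, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            yield container.get("image", "")


def check_image(image, is_signed):
    """Return None if the image is admissible, otherwise the reason it is rejected."""
    match = IMAGE_RE.match(image)
    if not match:
        return f"{image!r}: not pinned by sha256 digest"
    name, digest = match.group("name"), match.group("digest")
    host = name.split("/", 1)[0]
    if host != TRUSTED_REGISTRY:
        return f"{image!r}: registry {host!r} is not trusted"
    if not is_signed(name, digest):  # hypothetical verifier callback
        return f"{image!r}: no valid signature from the trusted key"
    return None


def review(admission_review, is_signed):
    """Build the admission.k8s.io/v1 AdmissionReview response for a Pod request."""
    request = admission_review["request"]
    images = pod_images(request["object"])
    reasons = [r for r in (check_image(i, is_signed) for i in images) if r]
    response = {"uid": request["uid"], "allowed": not reasons}
    if reasons:
        response["status"] = {"code": 403, "message": "; ".join(reasons)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample data: digests a verifier is assumed to have validated.
SIGNED = {("myregistry.azurecr.io/myimage", "sha256:" + "a" * 64)}

def sample_is_signed(name, digest):
    return (name, digest) in SIGNED

SAMPLE_REVIEW = {"request": {"uid": "constructed-uid", "object": {"spec": {
    "containers": [{"image": "myregistry.azurecr.io/myimage:v1@sha256:" + "a" * 64}],
    "initContainers": [{"image": "myregistry.azurecr.io/myimage:v1"}]}}}}
```
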

1 additional answer

  1. JimmySalian-2011 36,446 Reputation points

    Hi Cleber,

    Did you check this article - it might help you to go through the process.

    Also check the troubleshooting steps over here -

    Hope this helps.



    Please Accept the answer if the information helped you. This will help us and others in the community as well.