Deployment guidelines
Re-signing SIGSTRUCT
If you need to sign the enclave with another (“production”) key after the
application was scaffolded, you can extract SIGSTRUCT from the SCAG-built
container. SIGSTRUCT is located in /app/app.sig inside the container.
Ops people would then:
Extract the SIGSTRUCT from the container:
container=$(docker create "$image")
docker cp "$container":/app/app.sig ./app.sig
docker rm "$container"
Sign the SIGSTRUCT again. This step depends on the exact tooling and is not described in this document.
Replace the file in the docker image, e.g. by building a container that inherits from the original container and just adds the newly signed SIGSTRUCT. Note that the path inside the container MUST be /app/app.sig again.
ARG FROM
FROM ${FROM}
COPY app.sig /app
docker build --build-arg=FROM="$image" .
This newly built container may now be deployed as usual.
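
Before building the new image, it is worth checking that the re-signed app.sig still describes the same enclave and carries the new signer. The following is an added example, not part of SCAG or its documentation: the field offsets are those of the SIGSTRUCT layout in the Intel SDM, the function names are hypothetical, and it assumes re-signing is meant to keep ISVPRODID and ISVSVN unchanged. It compares identity fields only and does not verify the RSA signature itself.

```python
import hashlib
import struct

SIGSTRUCT_SIZE = 1808
# Field offsets and lengths from the SIGSTRUCT layout in the Intel SDM.
OFF_MODULUS, LEN_MODULUS = 128, 384
OFF_ENCLAVEHASH, LEN_ENCLAVEHASH = 960, 32
OFF_ISVPRODID = 1024  # ISVPRODID (2 bytes) is followed directly by ISVSVN (2 bytes)


def parse_sigstruct(blob):
    """Return the identity fields that matter when a SIGSTRUCT is re-signed."""
    if len(blob) != SIGSTRUCT_SIZE:
        raise ValueError(f"expected {SIGSTRUCT_SIZE} bytes, got {len(blob)}")
    modulus = blob[OFF_MODULUS:OFF_MODULUS + LEN_MODULUS]
    isvprodid, isvsvn = struct.unpack_from("<HH", blob, OFF_ISVPRODID)
    return {
        "mrenclave": blob[OFF_ENCLAVEHASH:OFF_ENCLAVEHASH + LEN_ENCLAVEHASH].hex(),
        # MRSIGNER is SHA-256 over the modulus bytes exactly as stored.
        "mrsigner": hashlib.sha256(modulus).hexdigest(),
        "isvprodid": isvprodid,
        "isvsvn": isvsvn,
    }


def check_resign(original, resigned, expected_mrsigner=None):
    """List problems found when comparing the original and re-signed files."""
    old, new = parse_sigstruct(original), parse_sigstruct(resigned)
    problems = []
    if old["mrenclave"] != new["mrenclave"]:
        problems.append("MRENCLAVE changed: this signs a different enclave")
    if old["mrsigner"] == new["mrsigner"]:
        problems.append("MRSIGNER unchanged: still signed with the old key")
    if expected_mrsigner and new["mrsigner"] != expected_mrsigner.lower():
        problems.append("MRSIGNER does not match the production key")
    for field in ("isvprodid", "isvsvn"):  # assumption: these should be kept
        if old[field] != new[field]:
            problems.append(f"{field} changed: {old[field]} -> {new[field]}")
    return problems


def make_sample(modulus_byte, mrenclave_byte, svn=1):
    """Constructed 1808-byte buffer for demonstration; not a valid signature."""
    buf = bytearray(SIGSTRUCT_SIZE)
    buf[OFF_MODULUS:OFF_MODULUS + LEN_MODULUS] = bytes([modulus_byte]) * LEN_MODULUS
    buf[OFF_ENCLAVEHASH:OFF_ENCLAVEHASH + LEN_ENCLAVEHASH] = bytes([mrenclave_byte]) * 32
    struct.pack_into("<HH", buf, OFF_ISVPRODID, 0, svn)
    return bytes(buf)
```

In practice, pass the bytes of the app.sig extracted in the first step as `original` and the bytes of the newly signed file as `resigned`; an empty list means the identity fields are consistent.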