From 334594c12888d8cbbaec97a15e1236d141f574da Mon Sep 17 00:00:00 2001 From: Vishal Choudhary <vishal.choudhary@nirmata.com> Date: Wed, 19 Jun 2024 04:33:53 +0530 Subject: [PATCH] feat: add support for cosign experimental OCI 1.1 signatures (#10228) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: add support for cosign experimental OCI 1.1 signatures Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: remove unrelated changes Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: linter Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: requested changes Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- 
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --- api/kyverno/v1/image_verification_types.go | 5 +++ .../kyverno.io_clusterpolicies.yaml | 15 +++++++++ .../kyverno.io/kyverno.io_policies.yaml | 15 +++++++++ .../data/crds/kyverno.io_clusterpolicies.yaml | 15 +++++++++ .../data/crds/kyverno.io_policies.yaml | 15 +++++++++ .../kyverno/kyverno.io_clusterpolicies.yaml | 15 +++++++++ config/crds/kyverno/kyverno.io_policies.yaml | 15 +++++++++ config/install-latest-testing.yaml | 30 ++++++++++++++++++ docs/user/crd/index.html | 13 ++++++++ docs/user/crd/kyverno.v1.html | 28 +++++++++++++++++ .../kyverno/v1/imageverification.go | 9 ++++++ pkg/cosign/cosign.go | 1 + pkg/cosign/cosign_test.go | 23 ++++++++++++++ pkg/engine/internal/imageverifier.go | 1 + pkg/images/verifier.go | 1 + .../standard/keyed-oci11/README.md | 11 +++++++ .../keyed-oci11/chainsaw-step-01-apply-1.yaml | 4 +++ .../keyed-oci11/chainsaw-step-01-apply-2.yaml | 31 +++++++++++++++++++ .../chainsaw-step-01-assert-1.yaml | 9 ++++++ .../keyed-oci11/chainsaw-step-02-apply-1.yaml | 9 ++++++ .../chainsaw-step-02-assert-1.yaml | 5 +++ .../standard/keyed-oci11/chainsaw-test.yaml | 23 ++++++++++++++ 22 files changed, 293 insertions(+) create mode 100644 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/README.md create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-1.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-assert-1.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-02-apply-1.yaml create mode 100755 
test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-02-assert-1.yaml create mode 100755 test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-test.yaml diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index c6d1521700..473cbd5b05 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go @@ -95,6 +95,11 @@ type ImageVerification struct { // The repository can also be overridden per Attestor or Attestation. Repository string `json:"repository,omitempty" yaml:"repository,omitempty"` + // CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + // Defaults to false. + // +optional + CosignOCI11 bool `json:"cosignOCI11,omitempty"` + // MutateDigest enables replacement of image tags with digests. // Defaults to true. // +kubebuilder:default=true diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml index 731ff347a7..b42122c230 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml @@ -4090,6 +4090,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -8360,6 +8365,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string 
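Review bot: The doc comment on `CosignOCI11` in the ImageVerification hunk says only that it enables "experimental OCI 1.1 behaviour", which does not tell a policy author what changes in the verification decision. The test added in pkg/cosign/cosign_test.go shows the practical effect: the same image and key give "no signatures found" with the flag off and verify with it on, so the flag controls where signatures are looked up. I would say so in the comment, for example `// When true, cosign looks up signatures attached as OCI 1.1 referrers of the image; images signed that way fail with "no signatures found" when this is false.` The comment should also state whether tag-based signatures are still accepted once the flag is on, which nothing in this commit shows. The struct continues outside the hunk.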
@@ -16670,6 +16680,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml index a61d59113d..04674dd65b 100644 --- a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml @@ -4091,6 +4091,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -8362,6 +8367,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -16673,6 +16683,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index cd54d346b0..25be8957fd 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml 
@@ -4084,6 +4084,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -8354,6 +8359,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -16664,6 +16674,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index 4e4fc9eed2..c409d3ed2b 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -4085,6 +4085,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -8356,6 +8361,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string 
@@ -16667,6 +16677,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string diff --git a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml index cd54d346b0..25be8957fd 100644 --- a/config/crds/kyverno/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno/kyverno.io_clusterpolicies.yaml @@ -4084,6 +4084,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -8354,6 +8359,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -16664,6 +16674,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string diff --git a/config/crds/kyverno/kyverno.io_policies.yaml b/config/crds/kyverno/kyverno.io_policies.yaml index 4e4fc9eed2..c409d3ed2b 100644 --- a/config/crds/kyverno/kyverno.io_policies.yaml +++ b/config/crds/kyverno/kyverno.io_policies.yaml 
@@ -4085,6 +4085,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -8356,6 +8361,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -16667,6 +16677,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index ba250aae5a..246c5dfe95 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -11821,6 +11821,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -16091,6 +16096,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -24401,6 +24411,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string 
@@ -28978,6 +28993,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -33249,6 +33269,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string @@ -41560,6 +41585,11 @@ spec: type: array type: object type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean image: description: Deprecated. Use ImageReferences instead. type: string diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index c46f6ae373..384284679d 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -2475,6 +2475,19 @@ The repository can also be overridden per Attestor or Attestation.</p> </tr> <tr> <td> +<code>cosignOCI11</code><br/> +<em> +bool +</em> +</td> +<td> +<em>(Optional)</em> +<p>CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. +Defaults to false.</p> +</td> +</tr> +<tr> +<td> <code>mutateDigest</code><br/> <em> bool diff --git a/docs/user/crd/kyverno.v1.html b/docs/user/crd/kyverno.v1.html index e305446a1a..24351f157e 100644 --- a/docs/user/crd/kyverno.v1.html +++ b/docs/user/crd/kyverno.v1.html 
@@ -4894,6 +4894,34 @@ The repository can also be overridden per Attestor or Attestation.</p> + <tr> + <td><code>cosignOCI11</code> + + </br> + + + + + <span style="font-family: monospace">bool</span> + + + </td> + <td> + + + <p>CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. +Defaults to false.</p> + + + + + + </td> + </tr> + + + + <tr> <td><code>mutateDigest</code> diff --git a/pkg/client/applyconfigurations/kyverno/v1/imageverification.go b/pkg/client/applyconfigurations/kyverno/v1/imageverification.go index 60920acaf1..b9e664c13b 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/imageverification.go +++ b/pkg/client/applyconfigurations/kyverno/v1/imageverification.go @@ -38,6 +38,7 @@ type ImageVerificationApplyConfiguration struct { Attestations []AttestationApplyConfiguration `json:"attestations,omitempty"` Annotations map[string]string `json:"annotations,omitempty"` Repository *string `json:"repository,omitempty"` + CosignOCI11 *bool `json:"cosignOCI11,omitempty"` MutateDigest *bool `json:"mutateDigest,omitempty"` VerifyDigest *bool `json:"verifyDigest,omitempty"` Required *bool `json:"required,omitempty"` 
@@ -181,6 +182,14 @@ func (b *ImageVerificationApplyConfiguration) WithRepository(value string) *Imag return b } +// WithCosignOCI11 sets the CosignOCI11 field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CosignOCI11 field is set to the value of the last call. +func (b *ImageVerificationApplyConfiguration) WithCosignOCI11(value bool) *ImageVerificationApplyConfiguration { + b.CosignOCI11 = &value + return b +} + // WithMutateDigest sets the MutateDigest field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the MutateDigest field is set to the value of the last call. diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go index b9363ee442..3cf8c8d584 100644 --- a/pkg/cosign/cosign.go +++ b/pkg/cosign/cosign.go @@ -229,6 +229,7 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check cosignOpts.TSARootCertificates = roots } + cosignOpts.ExperimentalOCI11 = opts.CosignOCI11 return cosignOpts, nil } diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go index 846c7eabba..053bbac018 100644 --- a/pkg/cosign/cosign_test.go +++ b/pkg/cosign/cosign_test.go 
@@ -324,6 +324,29 @@ I2MLdq2qjZFDOCXsxBxJpbmLGBx9ow6ZerlUxzws2AWv2pk= assert.NilError(t, err) } +func TestCosignOCI11Experimental(t *testing.T) { + opts := images.Options{ + ImageRef: "ghcr.io/kyverno/test-verify-image:cosign-oci11", + Key: `-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoKYkkX32oSx61B4iwKXa6llAF2dB +IoL3R/9n1SJ7s00Nfkk3z4/Ar6q8el/guUmXi8akEJMxvHnvphorVUz8vQ== +-----END PUBLIC KEY----- +`, + } + + rc, err := registryclient.New() + assert.NilError(t, err) + opts.Client = rc + + verifier := &cosignVerifier{} + _, err = verifier.VerifySignature(context.TODO(), opts) + assert.ErrorContains(t, err, "no signatures found") + + opts.CosignOCI11 = true + _, err = verifier.VerifySignature(context.TODO(), opts) + assert.NilError(t, err) +} + type testSignature struct { cert *x509.Certificate } diff --git a/pkg/engine/internal/imageverifier.go b/pkg/engine/internal/imageverifier.go index 9831aad071..c3d6c908bc 100644 --- a/pkg/engine/internal/imageverifier.go +++ b/pkg/engine/internal/imageverifier.go @@ -551,6 +551,7 @@ func (iv *ImageVerifier) buildCosignVerifier( opts := &images.Options{ ImageRef: image, Repository: imageVerify.Repository, + CosignOCI11: imageVerify.CosignOCI11, Annotations: imageVerify.Annotations, Client: iv.rclient, } diff --git a/pkg/images/verifier.go b/pkg/images/verifier.go index 3778f1348a..5deead8097 100644 --- a/pkg/images/verifier.go +++ b/pkg/images/verifier.go @@ -33,6 +33,7 @@ type Options struct { AdditionalExtensions map[string]string Annotations map[string]string Repository string + CosignOCI11 bool IgnoreTlog bool RekorURL string RekorPubKey string diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/README.md b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/README.md new file mode 100644 index 0000000000..8c84b5a79d --- /dev/null +++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/README.md 
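Review bot: TestCosignOCI11Experimental has no rejecting case for the new lookup path: it shows the flag turning "no signatures found" into success, but never that verification with `opts.CosignOCI11 = true` fails for a key that did not sign the image. For a signature check that is the case most worth pinning, because a path that returned success too readily would still pass this test. A third step would cover it, with `otherKey` as a placeholder for any unrelated public key: `opts.Key = otherKey`, then `_, err = verifier.VerifySignature(context.TODO(), opts)`, then `assert.Assert(t, err != nil)`. The chainsaw test under keyed-oci11 has the same gap, since it only asserts that the signed pod is admitted.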
@@ -0,0 +1,11 @@
+## Description
+
+This test performs a simple verification of an image using a public key specified directly in the policy.
+
+## Expected Behavior
+
+Pod creation should pass as the image has been signed by the public key specified in the policy.
+
+## Reference Issue(s)
+
+N/A
\ No newline at end of file
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-1.yaml
new file mode 100755
index 0000000000..54c1efb587
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: test-verify-images
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml
new file mode 100755
index 0000000000..6b92c397bd
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-apply-2.yaml
@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-policy
+spec:
+ background: false
+ failurePolicy: Fail
+ rules:
+ - match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ name: keyed-basic-rule
+ verifyImages:
+ - attestors:
+ - entries:
+ - keys:
+ publicKeys: |-
+ -----BEGIN PUBLIC KEY-----
+ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoKYkkX32oSx61B4iwKXa6llAF2dB
+ IoL3R/9n1SJ7s00Nfkk3z4/Ar6q8el/guUmXi8akEJMxvHnvphorVUz8vQ==
+ -----END PUBLIC KEY-----
+ rekor:
+ ignoreTlog: true
+ url: https://rekor.sigstore.dev
+ imageReferences:
+ - ghcr.io/kyverno/test-verify-image:*
+ cosignOCI11: true
+ validationFailureAction: Enforce
+ webhookTimeoutSeconds: 30
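Review bot: The ClusterPolicy name `keyed-basic-policy` and the rule name `keyed-basic-rule` do not mention OCI 1.1 and look carried over from the plain keyed test (an inference, since that test is not part of this diff). ClusterPolicy is cluster-scoped, so if another conformance test applies the same name while this one runs, one overwrites the other, and this policy's `cosignOCI11: true` with the wide `ghcr.io/kyverno/test-verify-image:*` match would then govern the other test's pods. I would rename them to `name: keyed-oci11-policy` and `name: keyed-oci11-rule`, use the same policy name in chainsaw-step-01-assert-1.yaml, and give chainsaw-test.yaml `name: keyed-oci11` instead of `keyed-basic`.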
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-assert-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 0000000000..a2d2cc907e
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: keyed-basic-policy
+status:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: Ready
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-02-apply-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-02-apply-1.yaml
new file mode 100755
index 0000000000..e273346915
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-02-apply-1.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-secret-pod
+ namespace: test-verify-images
+spec:
+ containers:
+ - image: ghcr.io/kyverno/test-verify-image:cosign-oci11
+ name: test-secret
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-02-assert-1.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-02-assert-1.yaml
new file mode 100755
index 0000000000..d1b6e4b775
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-step-02-assert-1.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-secret-pod
+ namespace: test-verify-images
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-test.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-test.yaml
new file mode 100755
index 0000000000..59c98f02a0
--- /dev/null
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/keyed-oci11/chainsaw-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: keyed-basic
+spec:
+ timeouts:
+ delete: 2m
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: chainsaw-step-01-apply-1.yaml
+ - apply:
+ file: chainsaw-step-01-apply-2.yaml
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - assert:
+ file: chainsaw-step-02-assert-1.yaml