diff --git a/pkg/cosign/sigstore.go b/pkg/cosign/sigstore.go
index 82cf628706..7e0226c0d2 100644
--- a/pkg/cosign/sigstore.go
+++ b/pkg/cosign/sigstore.go
@@ -185,17 +185,7 @@ func buildPolicy(desc *v1.Descriptor, opts images.Options) (verify.PolicyBuilder
 	}
 	artifactDigestVerificationOption := verify.WithArtifactDigest(desc.Digest.Algorithm, digest)
-	// TODO: Add full regexp support to sigstore and cosign
-	// Verify images only has subject field, and no subject regexp, subject cannot be passed to subject regexp
-	// because then string containing the subjects will also work. We should just add an issuer regexp
-	// Solve this in a separate PR,
-	// See: https://github.com/sigstore/cosign/blob/7c20052077a81d667526af879ec40168899dde1f/pkg/cosign/verify.go#L339-L356
-	subjectRegexp := ""
-	if strings.Contains(opts.Subject, "*") {
-		subjectRegexp = opts.Subject
-		opts.Subject = ""
-	}
-	id, err := verify.NewShortCertificateIdentity(opts.Issuer, opts.Subject, "", subjectRegexp)
+	id, err := verify.NewShortCertificateIdentity(opts.Issuer, opts.Subject, "", opts.SubjectRegExp)
 	if err != nil {
 		return verify.PolicyBuilder{}, err
 	}
diff --git a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/sigstore-attestation-verification-regexp/policy.yaml b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/sigstore-attestation-verification-regexp/policy.yaml
index f8d81cc3b2..47caaf0aa1 100755
--- a/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/sigstore-attestation-verification-regexp/policy.yaml
+++ b/test/conformance/chainsaw/verifyImages/clusterpolicy/standard/sigstore-attestation-verification-regexp/policy.yaml
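Review bot: The argument order in the new `verify.NewShortCertificateIdentity(opts.Issuer, opts.Subject, "", opts.SubjectRegExp)` call should be checked against the vendored sigstore-go signature before this merges; upstream declares it as `NewShortCertificateIdentity(issuer, issuerRegex, sanValue, sanRegex string)`, and if the vendored version matches, `opts.Subject` is being supplied as the issuer regexp while the exact SAN value is always `""`, so a policy's exact `subject` would never be compared with the certificate's SAN. If that reading is right the call should read `id, err := verify.NewShortCertificateIdentity(opts.Issuer, "", opts.Subject, opts.SubjectRegExp)`, and a unit test asserting that a non-matching subject is rejected would keep the order from regressing. Dropping the `strings.Contains` call may also leave the `strings` import unused if nothing else in the file references it. `buildPolicy` starts before and continues after this hunk.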
@@ -24,7 +24,7 @@ spec:
       - entries:
         - keyless:
             issuer: https://token.actions.githubusercontent.com
-            subject: https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/*
+            subjectRegExp: https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/.+
             rekor:
               url: https://rekor.sigstore.dev
       conditions:
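Review bot: The new `subjectRegExp` value is unanchored and leaves its dots unescaped, so as a regular expression it also accepts a SAN that merely contains that path somewhere, or has any single character where the literal dots are; sigstore-go appears to apply the pattern with an unanchored match, though I have not confirmed that in the vendored version. Since this fixture is the kind of policy that gets copied as an example, I would anchor and escape it so the test exercises the intended identity constraint: `subjectRegExp: ^https://github\.com/vishal-chdhry/artifact-attestation-example/\.github/workflows/.+$`. The enclosing rule starts before this hunk.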