Support more signature algorithms (#9102)
* Support more signature algorithms Signed-off-by: Hongxin Liang <honnix@users.noreply.github.com> * Fix codegen Signed-off-by: Hongxin Liang <honnix@users.noreply.github.com> * Fail loudly for unsupported algorithm Signed-off-by: Hongxin Liang <honnix@users.noreply.github.com> * Fix codegen Signed-off-by: Hongxin Liang <honnix@users.noreply.github.com> * Fix more Signed-off-by: Hongxin Liang <honnix@users.noreply.github.com> --------- Signed-off-by: Hongxin Liang <honnix@users.noreply.github.com> Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
9507a65219
commit
47cafaabd3
11 changed files with 242 additions and 125 deletions
|
@ -126,7 +126,24 @@ func Test_ImageVerification(t *testing.T) {
|
|||
},
|
||||
},
|
||||
{
|
||||
name: "valid static key attestor",
|
||||
name: "static key invalid signature algorithm attestor",
|
||||
subject: ImageVerification{
|
||||
ImageReferences: []string{"*"},
|
||||
Attestors: []AttestorSet{
|
||||
{Entries: []Attestor{{
|
||||
Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha1"},
|
||||
}}},
|
||||
},
|
||||
},
|
||||
errors: func(i *ImageVerification) field.ErrorList {
|
||||
return field.ErrorList{
|
||||
field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"),
|
||||
i.Attestors[0].Entries[0].Keys, "Invalid signature algorithm provided"),
|
||||
}
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid static key default signature algorithm attestor",
|
||||
subject: ImageVerification{
|
||||
ImageReferences: []string{"*"},
|
||||
Attestors: []AttestorSet{
|
||||
|
@ -136,6 +153,39 @@ func Test_ImageVerification(t *testing.T) {
|
|||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid static key sha224 signature algorithm attestor",
|
||||
subject: ImageVerification{
|
||||
ImageReferences: []string{"*"},
|
||||
Attestors: []AttestorSet{
|
||||
{Entries: []Attestor{{
|
||||
Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha224"},
|
||||
}}},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid static key sah256 signature algorithm attestor",
|
||||
subject: ImageVerification{
|
||||
ImageReferences: []string{"*"},
|
||||
Attestors: []AttestorSet{
|
||||
{Entries: []Attestor{{
|
||||
Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha256"},
|
||||
}}},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "valid static key sha384 signature algorithm attestor",
|
||||
subject: ImageVerification{
|
||||
ImageReferences: []string{"*"},
|
||||
Attestors: []AttestorSet{
|
||||
{Entries: []Attestor{{
|
||||
Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha384"},
|
||||
}}},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "invalid keyless attestor",
|
||||
subject: ImageVerification{
|
||||
|
|
|
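Review bot: The case name `"valid static key sah256 signature algorithm attestor"` in the second hunk misspells the algorithm, which makes the failure output of that subtest hard to grep for; it should read `name: "valid static key sha256 signature algorithm attestor",`. The new cases cover sha224, sha256 and sha384 plus the rejected sha1 and the default, but no sha512 case is visible in either hunk — if none exists elsewhere in Test_ImageVerification, adding one would pin the full accepted set against the validator. The table literal containing these cases starts and ends outside the hunks.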
@ -28,6 +28,14 @@ const (
|
|||
GHCR ImageRegistryCredentialsProvidersType = "github"
|
||||
)
|
||||
|
||||
var signatureAlgorithmMap = map[string]bool{
|
||||
"": true,
|
||||
"sha224": true,
|
||||
"sha256": true,
|
||||
"sha384": true,
|
||||
"sha512": true,
|
||||
}
|
||||
|
||||
// ImageVerification validates that images that match the specified pattern
|
||||
// are signed with the supplied public key. Once the image is verified it is
|
||||
// mutated to include the SHA digest retrieved during the registration.
|
||||
|
@ -166,7 +174,7 @@ type StaticKeyAttestor struct {
|
|||
// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
|
||||
PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
|
||||
|
||||
// Specify signature algorithm for public keys. Supported values are sha256 and sha512.
|
||||
// Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
|
||||
// +kubebuilder:default=sha256
|
||||
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
|
||||
|
||||
|
@ -450,8 +458,10 @@ func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList)
|
|||
if ska.PublicKeys == "" && ska.KMS == "" && ska.Secret == nil {
|
||||
errs = append(errs, field.Invalid(path, ska, "A public key, kms key or secret is required"))
|
||||
}
|
||||
if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" {
|
||||
errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
|
||||
if ska.PublicKeys != "" {
|
||||
if _, ok := signatureAlgorithmMap[ska.SignatureAlgorithm]; !ok {
|
||||
errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
|
||||
}
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
|
|
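Review bot: In the Validate hunk the lookup `if _, ok := signatureAlgorithmMap[ska.SignatureAlgorithm]; !ok {` discards the bool the map stores, so the `true` values in the new `signatureAlgorithmMap` carry no information; either read them, `if !signatureAlgorithmMap[ska.SignatureAlgorithm] {`, or declare the set as `map[string]struct{}` so the intent is clear. The same list of accepted names is declared again, with `crypto.Hash` values, in the cosign verifier hunk later in this commit; the two can drift independently, so a one-line comment on this map naming the other declaration (or a test that compares the key sets) would help keep them in sync. The `""` key intentionally lets an unset field pass, which matches the `+kubebuilder:default=sha256` on the field; a short comment saying so would save the next reader from reading it as an accidental accept-all. Validate begins before this hunk, so only the trailing checks are visible here.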
@ -9663,7 +9663,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -10120,7 +10120,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -10536,7 +10537,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -14153,7 +14154,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -14639,8 +14641,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -15078,7 +15080,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -18417,7 +18419,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -18863,7 +18865,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -19279,7 +19282,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -22881,7 +22884,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -23367,8 +23371,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -23806,7 +23810,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -27419,7 +27423,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -27876,7 +27880,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -28292,7 +28297,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -31910,7 +31915,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -32396,8 +32402,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -32835,7 +32841,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -36175,7 +36181,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -36621,7 +36627,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -37037,7 +37044,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -40639,7 +40646,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -41125,8 +41133,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -41564,7 +41572,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
|
|
@ -3367,7 +3367,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -3824,7 +3824,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -4240,7 +4241,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -7857,7 +7858,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -8343,8 +8345,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -8782,7 +8784,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12121,7 +12123,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12567,7 +12569,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12983,7 +12986,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -16585,7 +16588,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -17071,8 +17075,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -17510,7 +17514,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
|
|
@ -3368,7 +3368,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -3825,7 +3825,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -4241,7 +4242,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -7859,7 +7860,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -8345,8 +8347,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -8784,7 +8786,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12124,7 +12126,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12570,7 +12572,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12986,7 +12989,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -16588,7 +16591,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -17074,8 +17078,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -17513,7 +17517,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
|
|
@ -3367,7 +3367,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -3824,7 +3824,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -4240,7 +4241,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -7857,7 +7858,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -8343,8 +8345,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -8782,7 +8784,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12121,7 +12123,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12567,7 +12569,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12983,7 +12986,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -16585,7 +16588,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -17071,8 +17075,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -17510,7 +17514,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
|
|
@ -3368,7 +3368,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -3825,7 +3825,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -4241,7 +4242,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -7859,7 +7860,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -8345,8 +8347,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -8784,7 +8786,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12124,7 +12126,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12570,7 +12572,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -12986,7 +12989,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -16588,7 +16591,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -17074,8 +17078,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -17513,7 +17517,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
|
|
@ -9882,7 +9882,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -10339,7 +10339,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -10755,7 +10756,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -14372,7 +14373,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -14858,8 +14860,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -15297,7 +15299,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -18636,7 +18638,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -19082,7 +19084,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -19498,7 +19501,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -23100,7 +23103,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -23586,8 +23590,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -24025,7 +24029,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -27640,7 +27644,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -28097,7 +28101,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -28513,7 +28518,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -32131,7 +32136,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -32617,8 +32623,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -33056,7 +33062,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -36396,7 +36402,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -36842,7 +36848,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -37258,7 +37265,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values are
|
||||
sha256 and sha512.
|
||||
sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -40860,7 +40867,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and
|
||||
sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -41346,8 +41354,8 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature
|
||||
algorithm for public keys.
|
||||
Supported values are sha256
|
||||
and sha512.
|
||||
Supported values are sha224,
|
||||
sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
@ -41785,7 +41793,7 @@ spec:
|
|||
default: sha256
|
||||
description: Specify signature algorithm
|
||||
for public keys. Supported values
|
||||
are sha256 and sha512.
|
||||
are sha224, sha256, sha384 and sha512.
|
||||
type: string
|
||||
type: object
|
||||
repository:
|
||||
|
|
|
@ -3907,7 +3907,7 @@ string
|
|||
</em>
|
||||
</td>
|
||||
<td>
|
||||
<p>Specify signature algorithm for public keys. Supported values are sha256 and sha512.</p>
|
||||
<p>Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.</p>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
|
@ -31,6 +31,14 @@ import (
|
|||
"go.uber.org/multierr"
|
||||
)
|
||||
|
||||
var signatureAlgorithmMap = map[string]crypto.Hash{
|
||||
"": crypto.SHA256,
|
||||
"sha224": crypto.SHA224,
|
||||
"sha256": crypto.SHA256,
|
||||
"sha384": crypto.SHA384,
|
||||
"sha512": crypto.SHA512,
|
||||
}
|
||||
|
||||
func NewVerifier() images.ImageVerifier {
|
||||
return &cosignVerifier{}
|
||||
}
|
||||
|
@ -88,11 +96,6 @@ func (v *cosignVerifier) VerifySignature(ctx context.Context, opts images.Option
|
|||
|
||||
func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.CheckOpts, error) {
|
||||
var err error
|
||||
signatureAlgorithmMap := map[string]crypto.Hash{
|
||||
"": crypto.SHA256,
|
||||
"sha256": crypto.SHA256,
|
||||
"sha512": crypto.SHA512,
|
||||
}
|
||||
|
||||
options, err := opts.Client.Options(ctx)
|
||||
if err != nil {
|
||||
|
@ -120,9 +123,13 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
|
|||
|
||||
if opts.Key != "" {
|
||||
if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
|
||||
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithmMap[opts.SignatureAlgorithm])
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
|
||||
if signatureAlgorithm, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]; ok {
|
||||
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithm)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
|
||||
}
|
||||
} else {
|
||||
return nil, fmt.Errorf("invalid signature algorithm provided %s", opts.SignatureAlgorithm)
|
||||
}
|
||||
} else {
|
||||
// this supports Kubernetes secrets and KMS
|
||||
|
|
|
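Review bot: The new lookup in the buildCosignOptions hunk nests the happy path inside `if signatureAlgorithm, ok := ...; ok { ... } else { return nil, ... }`, which is the inverse of the early-return shape used elsewhere in this function; checking `!ok` first keeps the decodePEM call left-aligned and drops one level of nesting. The check also runs only on the PEM branch — when the key comes from the secret/KMS path in the `else` at the end of the hunk, SignatureAlgorithm is never consulted, so a misspelled or unsupported value there is silently ignored; if that loader cannot apply the algorithm, say so in the field's doc comment or reject a non-default value on that path as well (the loader's body is outside the hunk). The function continues past the hunk.
```go
	if opts.Key != "" {
		if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
			// Fail closed on an unrecognised algorithm name rather than passing the zero crypto.Hash to decodePEM.
			signatureAlgorithm, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]
			if !ok {
				return nil, fmt.Errorf("invalid signature algorithm provided %s", opts.SignatureAlgorithm)
			}
			cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithm)
			if err != nil {
				return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
			}
		} else {
			// … unchanged: Kubernetes secret / KMS key loading …
```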
@ -96,6 +96,24 @@ func TestCosignPayload(t *testing.T) {
|
|||
assert.Equal(t, d2, "sha256:ee53528c4e3c723945cf870d73702b76135955a218dd7497bf344aa73ebb4227")
|
||||
}
|
||||
|
||||
func TestCosignInvalidSignatureAlgorithm(t *testing.T) {
|
||||
opts := images.Options{
|
||||
ImageRef: "ghcr.io/jimbugwadia/pause2",
|
||||
Client: nil,
|
||||
FetchAttestations: false,
|
||||
Key: globalRekorPubKey,
|
||||
SignatureAlgorithm: "sha1",
|
||||
}
|
||||
|
||||
rc, err := registryclient.New()
|
||||
assert.NilError(t, err)
|
||||
opts.Client = rc
|
||||
|
||||
verifier := &cosignVerifier{}
|
||||
_, err = verifier.VerifySignature(context.TODO(), opts)
|
||||
assert.ErrorContains(t, err, "invalid signature algorithm provided sha1")
|
||||
}
|
||||
|
||||
func TestCosignKeyless(t *testing.T) {
|
||||
opts := images.Options{
|
||||
ImageRef: "ghcr.io/jimbugwadia/pause2",
|
||||
|
|
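Review bot: In TestCosignInvalidSignatureAlgorithm the options literal sets `Client: nil,` and then overwrites it with `opts.Client = rc` a few lines later; constructing the registry client first and setting `Client: rc,` in the literal removes the dead field and the two-step initialisation. `context.TODO()` signals a missing context at a call site; a test should pass `context.Background()`. The assertion `assert.ErrorContains(t, err, "invalid signature algorithm provided sha1")` couples the test to the exact wording in buildCosignOptions, so any later change to that message (for example quoting the value) needs to be made in both places.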