mirror of https://github.com/kyverno/kyverno.git synced 2025-03-30 03:15:05 +00:00

fix: subject and issuer validation when attestations are present (#4786)

Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com>

Signed-off-by: praddy26 <pradeep.vaishnav4@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Pradeep Lakshmi Narasimha 2022-10-04 15:33:56 +05:30 committed by GitHub
parent 4cb171c980
commit 4e1c1e6785
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -279,6 +279,20 @@ func fetchAttestations(opts Options) (*Response, error) {
return nil, err
}
payload, err := extractPayload(signatures)
if err != nil {
return nil, err
}
if err := matchCertificate(signatures, opts.Subject, opts.Issuer, opts.AdditionalExtensions); err != nil {
return nil, err
}
err = checkAnnotations(payload, opts.Annotations)
if err != nil {
return nil, err
}
logger.V(3).Info("verified images", "signatures", len(signatures), "bundleVerified", bundleVerified)
inTotoStatements, digest, err := decodeStatements(signatures)
if err != nil {