update cosign to 1.5.0 and fix issuer and subject for keyless (#3089)

* update cosign to 1.5.0 and add checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix subject and issuer checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2025-03-05 15:37:19 +00:00 · 2022-01-27 21:13:23 -08:00 · 2022-01-27 21:13:23 -08:00 · 7cf1dd2b15
commit 7cf1dd2b15
parent b27248111f
8 changed files with 735 additions and 516 deletions
--- a/go.mod
+++ b/go.mod
@ -7,18 +7,18 @@ require (
 	github.com/cornelk/hashmap v1.0.1
 	github.com/dchest/siphash v1.2.1 // indirect
 	github.com/distribution/distribution v2.7.1+incompatible
-	github.com/evanphx/json-patch/v5 v5.5.0
+	github.com/evanphx/json-patch/v5 v5.6.0
-	github.com/fatih/color v1.12.0
+	github.com/fatih/color v1.13.0
 	github.com/gardener/controller-manager-library v0.2.0
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-git/go-billy/v5 v5.0.0
 	github.com/go-git/go-git/v5 v5.2.0
-	github.com/go-logr/logr v1.2.0
+	github.com/go-logr/logr v1.2.2
-	github.com/google/go-containerregistry v0.6.1-0.20210922191434-34b7f00d7a60
+	github.com/google/go-containerregistry v0.8.1-0.20220125170349-50dfc2733d10
-	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211004163346-9ae11fe20941
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20220125170349-50dfc2733d10
 	github.com/googleapis/gnostic v0.5.5
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/in-toto/in-toto-golang v0.3.3
+	github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/kataras/tablewriter v0.0.0-20180708051242-e063d29b7c23
@ -32,9 +32,9 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/sigstore/cosign v1.3.0
+	github.com/sigstore/cosign v1.5.1-0.20220125213308-79012c354c4d
-	github.com/sigstore/sigstore v1.0.0
+	github.com/sigstore/sigstore v1.1.1-0.20220115165716-9f61ddc98390
-	github.com/spf13/cobra v1.2.1
+	github.com/spf13/cobra v1.3.0
 	github.com/stretchr/testify v1.7.0
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0
@ -46,7 +46,7 @@ require (
 	k8s.io/cli-runtime v0.23.2
 	k8s.io/client-go v0.23.2
 	k8s.io/klog/v2 v2.40.1
-	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65
+	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf
 	sigs.k8s.io/controller-runtime v0.11.0
 	sigs.k8s.io/kustomize/api v0.10.1
 	sigs.k8s.io/kustomize/kyaml v0.13.0
@ -60,49 +60,65 @@ require (
 )
 require (
-	cloud.google.com/go v0.97.0 // indirect
+	cloud.google.com/go v0.100.2 // indirect
-	cloud.google.com/go/kms v1.0.0 // indirect
+	cloud.google.com/go/compute v1.1.0 // indirect
 	cloud.google.com/go/iam v0.1.1 // indirect
 	cloud.google.com/go/kms v1.1.0 // indirect
 	cloud.google.com/go/storage v1.18.2 // indirect
-	github.com/Azure/azure-sdk-for-go v55.8.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v61.3.0+incompatible // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.19 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.8 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/Microsoft/go-winio v0.5.0 // indirect
+	github.com/Microsoft/go-winio v0.5.1 // indirect
 	github.com/PaesslerAG/gval v1.0.0 // indirect
 	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/ReneKroon/ttlcache/v2 v2.7.0 // indirect
+	github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
 	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
 	github.com/armon/go-metrics v0.3.10 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go v1.40.7 // indirect
+	github.com/aws/aws-sdk-go v1.42.34 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.13.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.13.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.10.0 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.2.0 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.14.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.11.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.7.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.9.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.14.0 // indirect
 	github.com/aws/smithy-go v1.10.0 // indirect
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20211215200129-69c85dc22db6 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect
-	github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.8.0 // indirect
+	github.com/coreos/go-oidc/v3 v3.1.0 // indirect
 	github.com/coreos/go-oidc/v3 v3.0.0 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/docker/cli v20.10.8+incompatible // indirect
+	github.com/docker/cli v20.10.12+incompatible // indirect
 	github.com/docker/distribution v2.7.1+incompatible // indirect
-	github.com/docker/docker v20.10.8+incompatible // indirect
+	github.com/docker/docker v20.10.12+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.3 // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021 // indirect
 	github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
@ -111,38 +127,50 @@ require (
 	github.com/go-openapi/errors v0.20.1 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.6 // indirect
-	github.com/go-openapi/loads v0.20.2 // indirect
+	github.com/go-openapi/loads v0.21.0 // indirect
-	github.com/go-openapi/runtime v0.20.0 // indirect
+	github.com/go-openapi/runtime v0.21.1 // indirect
-	github.com/go-openapi/spec v0.20.3 // indirect
+	github.com/go-openapi/spec v0.20.4 // indirect
-	github.com/go-openapi/strfmt v0.21.0 // indirect
+	github.com/go-openapi/strfmt v0.21.1 // indirect
 	github.com/go-openapi/swag v0.19.15 // indirect
-	github.com/go-openapi/validate v0.20.2 // indirect
+	github.com/go-openapi/validate v0.20.3 // indirect
-	github.com/go-playground/locales v0.13.0 // indirect
+	github.com/go-playground/locales v0.14.0 // indirect
-	github.com/go-playground/universal-translator v0.17.0 // indirect
+	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/go-playground/validator v9.31.0+incompatible // indirect
+	github.com/go-playground/validator/v10 v10.10.0 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
+	github.com/google/go-cmp v0.5.7 // indirect
-	github.com/google/go-github/v39 v39.2.0 // indirect
+	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220125170349-50dfc2733d10 // indirect
 	github.com/google/go-github/v42 v42.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/trillian v1.3.14-0.20210713114448-df474653733c // indirect
+	github.com/google/trillian v1.4.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.0.0 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.4.3 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/go-uuid v1.0.2 // indirect
 	github.com/hashicorp/go-version v1.3.0 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/vault/api v1.1.1 // indirect
+	github.com/hashicorp/vault/api v1.3.1 // indirect
-	github.com/hashicorp/vault/sdk v0.2.1 // indirect
+	github.com/hashicorp/vault/sdk v0.3.0 // indirect
 	github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@ -155,81 +183,84 @@ require (
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.8 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.13 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oklog/run v1.1.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.31.1 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.1.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.3.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
-	github.com/shibumi/go-pathspec v1.2.0 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb // indirect
+	github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 // indirect
-	github.com/sigstore/rekor v0.3.0 // indirect
+	github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
+	github.com/spf13/afero v1.8.0 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.8.1 // indirect
+	github.com/spf13/viper v1.10.1 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
 	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
-	github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396 // indirect
+	github.com/thales-e-security/pool v0.0.2 // indirect
-	github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1 // indirect
+	github.com/theupdateframework/go-tuf v0.0.0-20220124194755-2c5d73bebc1c // indirect
-	github.com/xanzy/go-gitlab v0.51.1 // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
 	github.com/xanzy/go-gitlab v0.54.3 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
-	go.mongodb.org/mongo-driver v1.7.3 // indirect
+	go.mongodb.org/mongo-driver v1.7.5 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
-	go.uber.org/zap v1.19.1 // indirect
+	go.uber.org/zap v1.20.0 // indirect
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
+	golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce // indirect
 	golang.org/x/mod v0.5.1 // indirect
-	golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
+	golang.org/x/net v0.0.0-20220121210141-e204ce36a2ba // indirect
-	golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8 // indirect
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	google.golang.org/api v0.60.0 // indirect
+	google.golang.org/api v0.65.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211021150943-2b146023228c // indirect
+	google.golang.org/genproto v0.0.0-20220111164026-67b88f271998 // indirect
-	google.golang.org/grpc v1.41.0 // indirect
+	google.golang.org/grpc v1.43.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	k8s.io/cloud-provider v0.21.0 // indirect
+	k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect
-	k8s.io/component-base v0.23.2 // indirect
+	knative.dev/pkg v0.0.0-20220121092305-3ba5d72e310a // indirect
-	k8s.io/legacy-cloud-providers v0.21.0 // indirect
+	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
 	knative.dev/pkg v0.0.0-20211004133827-74ac82a333a4 // indirect
 	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/pkg/cosign/client.go
+++ b/pkg/cosign/client.go
@ -11,12 +11,18 @@ import (
 var client Cosign = &driver{}
 type Cosign interface {
-	Verify(ctx context.Context, signedImgRef name.Reference, accessor cosign.Accessor, co *cosign.CheckOpts) ([]oci.Signature, bool, error)
+	VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error)
 	VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
 }
 type driver struct {
 }
-func (d *driver) Verify(ctx context.Context, signedImgRef name.Reference, accessor cosign.Accessor, co *cosign.CheckOpts) ([]oci.Signature, bool, error) {
+func (d *driver) VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) {
-	return cosign.Verify(ctx, signedImgRef, accessor, co)
+	return cosign.VerifyImageSignatures(ctx, signedImgRef, co)
 }
 func (d *driver) VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
 	return cosign.VerifyImageAttestations(ctx, signedImgRef, co)
 }
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@ -9,6 +9,8 @@ import (
 	"fmt"
 	"strings"
 	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/pkg/oci/remote"
@ -57,6 +59,7 @@ func VerifySignature(opts Options) (digest string, err error) {
 	cosignOpts := &cosign.CheckOpts{
 		Annotations:        map[string]interface{}{},
 		RegistryClientOpts: remoteOpts,
 		ClaimVerifier:      cosign.SimpleClaimVerifier,
 	}
 	if opts.Key != "" {
@ -67,7 +70,10 @@ func VerifySignature(opts Options) (digest string, err error) {
 		}
 	} else {
 		cosignOpts.CertEmail = ""
-		cosignOpts.RootCerts, err = getX509CertPool(opts.Roots)
+		cosignOpts.RootCerts, err = getFulcioRoots(opts.Roots)
 		if err == nil {
 			cosignOpts.RekorClient, err = rekor.NewClient("https://rekor.sigstore.dev")
 		}
 	}
 	if err != nil {
@ -88,7 +94,7 @@ func VerifySignature(opts Options) (digest string, err error) {
 		return "", errors.Wrap(err, "failed to parse image")
 	}
-	verified, _, err := client.Verify(ctx, ref, cosign.SignaturesAccessor, cosignOpts)
+	signatures, bundleVerified, err := client.VerifyImageSignatures(ctx, ref, cosignOpts)
 	if err != nil {
 		msg := err.Error()
 		log.Info("image verification failed", "error", msg)
@ -101,35 +107,22 @@ func VerifySignature(opts Options) (digest string, err error) {
 		return "", err
 	}
-	payload, err := extractPayload(opts.ImageRef, verified, log)
+	log.V(3).Info("verified image", "count", len(signatures), "bundleVerified", bundleVerified)
 	pld, err := extractPayload(signatures)
 	if err != nil {
-		return "", errors.Wrap(err, "failed to get payload")
+		return "", errors.Wrap(err, "failed to get pld")
 	}
-	if opts.Issuer != "" {
+	if err := matchSubjectAndIssuer(signatures, opts.Subject, opts.Issuer); err != nil {
-		issuer, err := extractIssuer(opts.ImageRef, payload, log)
+		return "", err
 		if err == nil && (issuer != opts.Issuer) {
 			return "", errors.Wrap(err, "issuer mismatch")
 		}
 		return "", errors.Wrap(err, "issuer not found")
 	}
-	if opts.Subject != "" {
+	err = checkAnnotations(pld, opts.Annotations)
 		subject, err := extractSubject(opts.ImageRef, payload, log)
 		if err == nil && wildcard.Match(opts.Subject, subject) {
 			return "", errors.Wrap(err, "subject mismatch")
 		}
 		return "", errors.Wrap(err, "subject not found")
 	}
 	err = checkAnnotations(payload, opts.Annotations, log)
 	if err != nil {
 		return "", errors.Wrap(err, "annotation mismatch")
 	}
-	digest, err = extractDigest(opts.ImageRef, payload, log)
+	digest, err = extractDigest(opts.ImageRef, pld, log)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to get digest")
 	}
@ -137,8 +130,8 @@ func VerifySignature(opts Options) (digest string, err error) {
 	return digest, nil
 }
-func getX509CertPool(roots []byte) (*x509.CertPool, error) {
+func getFulcioRoots(roots []byte) (*x509.CertPool, error) {
-	if roots == nil {
+	if len(roots) == 0 {
 		return fulcio.GetRoots(), nil
 	}
@ -196,7 +189,7 @@ func FetchAttestations(imageRef string, key string, repository string, log logr.
 		return nil, errors.Wrap(err, "failed to parse image")
 	}
-	verified, _, err := client.Verify(context.Background(), ref, cosign.AttestationsAccessor, cosignOpts)
+	signatures, bundleVerified, err := client.VerifyImageAttestations(context.Background(), ref, cosignOpts)
 	if err != nil {
 		msg := err.Error()
 		log.Info("failed to fetch attestations", "error", msg)
@ -207,7 +200,8 @@ func FetchAttestations(imageRef string, key string, repository string, log logr.
 		return nil, err
 	}
-	inTotoStatements, err := decodeStatements(verified)
+	log.V(3).Info("verified images", "count", len(signatures), "bundleVerified", bundleVerified)
 	inTotoStatements, err := decodeStatements(signatures)
 	if err != nil {
 		return nil, err
 	}
@ -222,20 +216,26 @@ func decodeStatements(sigs []oci.Signature) ([]map[string]interface{}, error) {
 	decodedStatements := make([]map[string]interface{}, len(sigs))
 	for i, sig := range sigs {
-		payload, err := sig.Payload()
+		pld, err := sig.Payload()
 		if err != nil {
-			return nil, errors.Wrap(err, "failed to get payload")
+			return nil, errors.Wrap(err, "failed to decode payload")
 		}
 		data := make(map[string]interface{})
 		if err := json.Unmarshal(payload, &data); err != nil {
 			return nil, errors.Wrapf(err, "failed to unmarshal JSON payload: %v", sig)
 		}
 		decodedStatement, err := decodeStatement(data["payload"].(string))
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to decode statement %s", string(payload))
 		}
-		decodedStatements[i] = decodedStatement
+		data := make(map[string]interface{})
 		if err := json.Unmarshal(pld, &data); err != nil {
 			return nil, errors.Wrapf(err, "failed to unmarshal JSON payload: %v", sig)
 		}
 		if dataPayload, ok := data["payload"]; !ok {
 			return nil, fmt.Errorf("missing payload in %v", data)
 		} else {
 			decodedStatement, err := decodeStatement(dataPayload.(string))
 			if err != nil {
 				return nil, errors.Wrapf(err, "failed to decode statement %s", string(pld))
 			}
 			decodedStatements[i] = decodedStatement
 		}
 	}
 	return decodedStatements, nil
@ -313,50 +313,22 @@ func decodePEM(raw []byte) (signature.Verifier, error) {
 	return signature.LoadECDSAVerifier(ed, crypto.SHA256)
 }
-func extractPayload(imgRef string, verified []oci.Signature, log logr.Logger) ([]payload.SimpleContainerImage, error) {
+func extractPayload(verified []oci.Signature) ([]payload.SimpleContainerImage, error) {
-	var sigPayload []payload.SimpleContainerImage
+	var sigPayloads []payload.SimpleContainerImage
 	for _, sig := range verified {
-		p, err := sig.Payload()
+		pld, err := sig.Payload()
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to get payload")
 		}
-		ss := payload.SimpleContainerImage{}
+		sci := payload.SimpleContainerImage{}
-		if err := json.Unmarshal(p, &ss); err != nil {
+		if err := json.Unmarshal(pld, &sci); err != nil {
 			return nil, errors.Wrap(err, "error decoding the payload")
 		}
-		log.V(3).Info("image verification response", "image", imgRef, "payload", ss)
+		sigPayloads = append(sigPayloads, sci)
 		// The expected payload is in one of these JSON formats:
 		// {
 		//   "critical": {
 		// 	   "identity": {
 		// 	     "docker-reference": "registry-v2.nirmata.io/pause"
 		// 	    },
 		//   	"image": {
 		// 	     "docker-manifest-digest": "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108"
 		// 	    },
 		// 	    "type": "cosign container image signature"
 		//    },
 		//    "optional": null
 		// }
 		//
 		// {
 		//   "Critical": {
 		//     "Identity": {
 		//       "docker-reference": "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
 		//     },
 		//     "Image": {
 		//       "Docker-manifest-digest": "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816"
 		//     },
 		//     "Type": "Tekton container signature"
 		//   },
 		//   "Optional": {}
 		// }
 		sigPayload = append(sigPayload, ss)
 	}
-	return sigPayload, nil
+	return sigPayloads, nil
 }
 func extractDigest(imgRef string, payload []payload.SimpleContainerImage, log logr.Logger) (string, error) {
@ -371,35 +343,40 @@ func extractDigest(imgRef string, payload []payload.SimpleContainerImage, log lo
 	return "", fmt.Errorf("digest not found for " + imgRef)
 }
-func extractIssuer(imgRef string, payload []payload.SimpleContainerImage, log logr.Logger) (string, error) {
+func matchSubjectAndIssuer(signatures []oci.Signature, subject, issuer string) error {
-	for _, p := range payload {
+	if subject == "" && issuer == "" {
-		if issuer := p.Optional["Issuer"]; issuer != nil {
+		return nil
-			return issuer.(string), nil
+	}
-		} else {
+
-			log.V(3).Info("failed to extract image issuer from verification response", "image", imgRef, "payload", p)
+	for _, sig := range signatures {
-			return "", fmt.Errorf("unknown image response for " + imgRef)
+		cert, err := sig.Cert()
 		if err == nil {
 			return errors.Wrap(err, "failed to read certificate")
 		}
 		if cert == nil {
 			return errors.Wrap(err, "certificate not found")
 		}
 		s := sigs.CertSubject(cert)
 		i := sigs.CertIssuerExtension(cert)
 		if subject == "" || wildcard.Match(subject, s) {
 			if issuer == "" || (issuer == i) {
 				return nil
 			} else {
 				return fmt.Errorf("issuer mismatch")
 			}
 		}
 	}
-	return "", fmt.Errorf("issuer not found for " + imgRef)
+
 	return fmt.Errorf("subject mismatch")
 }
-func extractSubject(imgRef string, payload []payload.SimpleContainerImage, log logr.Logger) (string, error) {
+func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[string]string) error {
 	for _, p := range payload {
 		if subject := p.Optional["Subject"]; subject != nil {
 			return subject.(string), nil
 		} else {
 			log.V(3).Info("failed to extract image subject from verification response", "image", imgRef, "payload", p)
 			return "", fmt.Errorf("unknown image response for " + imgRef)
 		}
 	}
 	return "", fmt.Errorf("image subject not found for " + imgRef)
 }
 func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[string]string, log logr.Logger) error {
 	for _, p := range payload {
 		for key, val := range annotations {
 			if val != p.Optional[key] {
-				return fmt.Errorf("value of " + key + " does not match")
+				return fmt.Errorf("annotation value for %s does not match", key)
 			}
 		}
 	}
--- a/pkg/cosign/cosign_test.go
+++ b/pkg/cosign/cosign_test.go
@ -6,7 +6,6 @@ import (
 	"github.com/sigstore/cosign/pkg/oci"
 	"github.com/go-logr/logr"
 	"github.com/minio/pkg/wildcard"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"gotest.tools/assert"
 )
@ -47,10 +46,10 @@ func TestCosignPayload(t *testing.T) {
 	var log logr.Logger = logr.Discard()
 	image := "registry-v2.nirmata.io/pause"
 	signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)}
-	p, err := extractPayload(image, []oci.Signature{&sig{cosignPayload: signedPayloads}}, log)
+	p, err := extractPayload([]oci.Signature{&sig{cosignPayload: signedPayloads}})
 	assert.NilError(t, err)
 	a := map[string]string{"foo": "bar"}
-	err = checkAnnotations(p, a, log)
+	err = checkAnnotations(p, a)
 	assert.NilError(t, err)
 	d, err := extractDigest(image, p, log)
 	assert.NilError(t, err)
@ -58,14 +57,10 @@ func TestCosignPayload(t *testing.T) {
 	image2 := "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
 	signedPayloads2 := cosign.SignedPayload{Payload: []byte(tektonPayload)}
-	p2, err := extractPayload(image2, []oci.Signature{&sig{cosignPayload: signedPayloads2}}, log)
+	signatures2 := []oci.Signature{&sig{cosignPayload: signedPayloads2}}
 	p2, err := extractPayload(signatures2)
 	assert.NilError(t, err)
-	i2, err := extractIssuer(image2, p2, log)
+
 	assert.NilError(t, err)
 	assert.Equal(t, i2, "https://github.com/login/oauth")
 	s2, err := extractSubject(image2, p2, log)
 	assert.NilError(t, err)
 	assert.Assert(t, wildcard.Match("https://github.com/mycompany/*/.github/workflows/*.yml@refs/heads/main", s2))
 	d2, err := extractDigest(image2, p2, log)
 	assert.NilError(t, err)
 	assert.Equal(t, d2, "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816")
--- a/pkg/cosign/mock.go
+++ b/pkg/cosign/mock.go
@ -33,7 +33,15 @@ type mock struct {
 	data map[string][]cosign.SignedPayload
 }
-func (m *mock) Verify(_ context.Context, signedImgRef name.Reference, accessor cosign.Accessor, _ *cosign.CheckOpts) ([]oci.Signature, bool, error) {
+func (m *mock) VerifyImageSignatures(_ context.Context, signedImgRef name.Reference, _ *cosign.CheckOpts) ([]oci.Signature, bool, error) {
 	return m.getSignatures(signedImgRef)
 }
 func (m *mock) VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
 	return m.getSignatures(signedImgRef)
 }
 func (m *mock) getSignatures(signedImgRef name.Reference) ([]oci.Signature, bool, error) {
 	results, ok := m.data[signedImgRef.String()]
 	if !ok {
 		return nil, false, fmt.Errorf("failed to find mock data for %s", signedImgRef.String())
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@ -203,9 +203,9 @@ func (iv *imageVerifier) verifySignature(imageVerify *v1.ImageVerification, imag
 	start := time.Now()
 	digest, err := cosign.VerifySignature(opts)
 	if err != nil {
-		iv.logger.Info("failed to verify image signature", "image", image, "error", err, "duration", time.Since(start).Seconds())
+		iv.logger.Info("failed to verify image", "image", image, "error", err, "duration", time.Since(start).Seconds())
 		ruleResp.Status = response.RuleStatusFail
-		ruleResp.Message = fmt.Sprintf("image signature verification failed for %s: %v", image, err)
+		ruleResp.Message = fmt.Sprintf("image verification failed for %s: %v", image, err)
 		return ruleResp, ""
 	}
--- a/pkg/kyverno/validate/commmand_test.go
+++ b/pkg/kyverno/validate/commmand_test.go
@ -57,7 +57,7 @@ func Test_validateUsingPolicyCRD(t *testing.T) {
 			}
 		  }
 		`),
-			errorDetail: "spec.rules.name in body should be at most 63 chars long",
+			errorDetail: "spec.rules[0].name in body should be at most 63 chars long",
 			detail:      "Test: char count for rule name",
 		},