
Support more signature algorithms (#9102) (#9289)

* Support more signature algorithms



* Fix codegen



* Fail loudly for unsupported algorithm



* Fix codegen



* Fix more



---------

Signed-off-by: Hongxin Liang <honnix@users.noreply.github.com>
Co-authored-by: Honnix <honnix@users.noreply.github.com>
Co-authored-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
gcp-cherry-pick-bot[bot] 2023-12-27 08:34:16 +00:00 committed by GitHub
parent 0306c3fd7c
commit 8b117276cd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 242 additions and 125 deletions


@ -126,7 +126,24 @@ func Test_ImageVerification(t *testing.T) {
},
},
{
name: "valid static key attestor",
name: "static key invalid signature algorithm attestor",
subject: ImageVerification{
ImageReferences: []string{"*"},
Attestors: []AttestorSet{
{Entries: []Attestor{{
Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha1"},
}}},
},
},
errors: func(i *ImageVerification) field.ErrorList {
return field.ErrorList{
field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"),
i.Attestors[0].Entries[0].Keys, "Invalid signature algorithm provided"),
}
},
},
{
name: "valid static key default signature algorithm attestor",
subject: ImageVerification{
ImageReferences: []string{"*"},
Attestors: []AttestorSet{
@ -136,6 +153,39 @@ func Test_ImageVerification(t *testing.T) {
},
},
},
{
name: "valid static key sha224 signature algorithm attestor",
subject: ImageVerification{
ImageReferences: []string{"*"},
Attestors: []AttestorSet{
{Entries: []Attestor{{
Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha224"},
}}},
},
},
},
{
name: "valid static key sah256 signature algorithm attestor",
subject: ImageVerification{
ImageReferences: []string{"*"},
Attestors: []AttestorSet{
{Entries: []Attestor{{
Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha256"},
}}},
},
},
},
{
name: "valid static key sha384 signature algorithm attestor",
subject: ImageVerification{
ImageReferences: []string{"*"},
Attestors: []AttestorSet{
{Entries: []Attestor{{
Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha384"},
}}},
},
},
},
{
name: "invalid keyless attestor",
subject: ImageVerification{
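Review bot: The case named `"valid static key sah256 signature algorithm attestor"` carries a typo in its name; rename it to `name: "valid static key sha256 signature algorithm attestor",` so test output and `-run` filters match the algorithm actually under test. The new table covers sha224, sha256 and sha384 with a positive case each but leaves out sha512, which the accepted-values map in this commit lists; a sha512 entry mirroring the sha384 one would close that gap. Every new case also sets `PublicKeys: "bla"`, so nothing here pins what happens when an unsupported algorithm is combined with a `secret` or `kms` key source — if that combination is meant to pass validation untouched, a case asserting an empty error list would make the choice deliberate rather than accidental. The Test_ImageVerification table starts before the first hunk and continues past the last one.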


@ -28,6 +28,14 @@ const (
GHCR ImageRegistryCredentialsProvidersType = "github"
)
var signatureAlgorithmMap = map[string]bool{
"": true,
"sha224": true,
"sha256": true,
"sha384": true,
"sha512": true,
}
// ImageVerification validates that images that match the specified pattern
// are signed with the supplied public key. Once the image is verified it is
// mutated to include the SHA digest retrieved during the registration.
@ -166,7 +174,7 @@ type StaticKeyAttestor struct {
// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
// Specify signature algorithm for public keys. Supported values are sha256 and sha512.
// Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
// +kubebuilder:default=sha256
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
@ -450,8 +458,10 @@ func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList)
if ska.PublicKeys == "" && ska.KMS == "" && ska.Secret == nil {
errs = append(errs, field.Invalid(path, ska, "A public key, kms key or secret is required"))
}
if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" {
errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
if ska.PublicKeys != "" {
if _, ok := signatureAlgorithmMap[ska.SignatureAlgorithm]; !ok {
errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
}
}
return errs
}
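Review bot: The accepted-algorithm set now lives in two hand-maintained tables — `signatureAlgorithmMap` here as a `map[string]bool` of names, and a same-named `map[string]crypto.Hash` in pkg/cosign — with nothing tying them together, so adding an algorithm to one and not the other would either admit policies that then fail at verification time or verify with an algorithm the API rejects. A comment on this declaration, `// Accepted values of StaticKeyAttestor.SignatureAlgorithm; keep in sync with signatureAlgorithmMap in pkg/cosign ("" selects the sha256 default).`, makes the coupling visible, and `map[string]struct{}` fits a pure membership set better than `map[string]bool`. The check in Validate still runs only when `PublicKeys` is set, so a policy pairing a `secret` or `kms` key with `signatureAlgorithm: sha1` passes admission; that mirrors the verifier, which as far as the pkg/cosign hunk shows consults the algorithm only for PEM keys, but the field comment does not say the value is ignored for other key sources. A `// +kubebuilder:validation:Enum=sha224;sha256;sha384;sha512` marker would reject bad values at the API server for every key source, though an explicitly empty string would then fail too, so the `""` entry in the map and the `+kubebuilder:default=sha256` marker would need reconciling first. Validate's opening lines and the rest of the struct are outside this hunk.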


@ -9663,7 +9663,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -10120,7 +10120,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -10536,7 +10537,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -14155,7 +14156,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -14641,8 +14643,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -15080,7 +15082,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -18419,7 +18421,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -18865,7 +18867,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -19281,7 +19284,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -22885,7 +22888,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -23371,8 +23375,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -23810,7 +23814,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -27423,7 +27427,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -27880,7 +27884,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -28296,7 +28301,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -31916,7 +31921,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -32402,8 +32408,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -32841,7 +32847,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -36181,7 +36187,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -36627,7 +36633,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -37043,7 +37050,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -40647,7 +40654,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -41133,8 +41141,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -41572,7 +41580,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:


@ -3367,7 +3367,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -3824,7 +3824,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -4240,7 +4241,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -7859,7 +7860,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -8345,8 +8347,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -8784,7 +8786,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -12123,7 +12125,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -12569,7 +12571,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -12985,7 +12988,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -16589,7 +16592,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -17075,8 +17079,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -17514,7 +17518,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:


@ -3368,7 +3368,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -3825,7 +3825,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -4241,7 +4242,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -7861,7 +7862,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -8347,8 +8349,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -8786,7 +8788,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -12126,7 +12128,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -12572,7 +12574,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -12988,7 +12991,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -16592,7 +16595,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -17078,8 +17082,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -17517,7 +17521,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:


@ -3367,7 +3367,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -3824,7 +3824,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -4240,7 +4241,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -7859,7 +7860,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -8345,8 +8347,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -8784,7 +8786,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -12123,7 +12125,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -12569,7 +12571,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -12985,7 +12988,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -16589,7 +16592,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -17075,8 +17079,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -17514,7 +17518,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:


@ -3368,7 +3368,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -3825,7 +3825,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -4241,7 +4242,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -7861,7 +7862,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -8347,8 +8349,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -8786,7 +8788,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -12126,7 +12128,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -12572,7 +12574,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -12988,7 +12991,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -16592,7 +16595,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -17078,8 +17082,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -17517,7 +17521,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:


@ -9882,7 +9882,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -10339,7 +10339,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -10755,7 +10756,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -14374,7 +14375,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -14860,8 +14862,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -15299,7 +15301,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -18638,7 +18640,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -19084,7 +19086,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -19500,7 +19503,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -23104,7 +23107,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -23590,8 +23594,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -24029,7 +24033,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -27644,7 +27648,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -28101,7 +28105,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -28517,7 +28522,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -32137,7 +32142,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -32623,8 +32629,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -33062,7 +33068,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -36402,7 +36408,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -36848,7 +36854,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -37264,7 +37271,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
@ -40868,7 +40875,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
@ -41354,8 +41362,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
@ -41793,7 +41801,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:


@ -3910,7 +3910,7 @@ string
</em>
</td>
<td>
<p>Specify signature algorithm for public keys. Supported values are sha256 and sha512.</p>
<p>Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.</p>
</td>
</tr>
<tr>


@ -31,6 +31,14 @@ import (
"go.uber.org/multierr"
)
var signatureAlgorithmMap = map[string]crypto.Hash{
"": crypto.SHA256,
"sha224": crypto.SHA224,
"sha256": crypto.SHA256,
"sha384": crypto.SHA384,
"sha512": crypto.SHA512,
}
func NewVerifier() images.ImageVerifier {
return &cosignVerifier{}
}
@ -89,11 +97,6 @@ func (v *cosignVerifier) VerifySignature(ctx context.Context, opts images.Option
func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.CheckOpts, error) {
var remoteOpts []remote.Option
var err error
signatureAlgorithmMap := map[string]crypto.Hash{
"": crypto.SHA256,
"sha256": crypto.SHA256,
"sha512": crypto.SHA512,
}
cosignRemoteOpts, err := opts.Client.BuildCosignRemoteOption(ctx)
if err != nil {
@ -121,9 +124,13 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
if opts.Key != "" {
if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithmMap[opts.SignatureAlgorithm])
if err != nil {
return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
if signatureAlgorithm, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]; ok {
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithm)
if err != nil {
return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
}
} else {
return nil, fmt.Errorf("invalid signature algorithm provided %s", opts.SignatureAlgorithm)
}
} else {
// this supports Kubernetes secrets and KMS
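Review bot: The happy path of the PEM branch now sits inside `if signatureAlgorithm, ok := ...; ok { ... } else { return ... }`, with the failure case trailing after the verifier construction; a guard clause that rejects the unknown algorithm first keeps the success path left-aligned and reads the way the rest of buildCosignOptions handles errors. The rejection also lives only in the PEM branch: as far as this hunk shows, the `else` path for Kubernetes secrets and KMS never consults `signatureAlgorithmMap`, so an unsupported `signatureAlgorithm` paired with such a key is neither applied nor reported — if that is intentional, a comment in that branch such as `// signatureAlgorithm is not used for secret/KMS keys; the PEM path above is the only consumer` would stop the next reader from assuming the new "fail loudly" check covers it. The `%s` in the new error hides an empty or whitespace-only value; `%q` would show it, at the cost of updating the substring the new cosign test asserts. buildCosignOptions begins before this hunk and the secrets/KMS branch continues past it.
```go
	if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
		hash, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]
		if !ok {
			return nil, fmt.Errorf("invalid signature algorithm provided %s", opts.SignatureAlgorithm)
		}
		cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), hash)
		if err != nil {
			return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
		}
		// … unchanged: else branch for Kubernetes secrets and KMS …
```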


@ -96,6 +96,24 @@ func TestCosignPayload(t *testing.T) {
assert.Equal(t, d2, "sha256:ee53528c4e3c723945cf870d73702b76135955a218dd7497bf344aa73ebb4227")
}
func TestCosignInvalidSignatureAlgorithm(t *testing.T) {
opts := images.Options{
ImageRef: "ghcr.io/jimbugwadia/pause2",
Client: nil,
FetchAttestations: false,
Key: globalRekorPubKey,
SignatureAlgorithm: "sha1",
}
rc, err := registryclient.New()
assert.NilError(t, err)
opts.Client = rc
verifier := &cosignVerifier{}
_, err = verifier.VerifySignature(context.TODO(), opts)
assert.ErrorContains(t, err, "invalid signature algorithm provided sha1")
}
func TestCosignKeyless(t *testing.T) {
opts := images.Options{
ImageRef: "ghcr.io/jimbugwadia/pause2",
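Review bot: TestCosignInvalidSignatureAlgorithm pins only that `sha1` is rejected; the lookup in pkg/cosign is a plain map access, so `SHA256` or ` sha256` are rejected as well, and a second case using one of those would make the exact, case-sensitive match a documented contract rather than an accident. The assertion `assert.ErrorContains(t, err, "invalid signature algorithm provided sha1")` couples the test to the full message text; matching on the prefix `invalid signature algorithm provided` would survive a change to how the offending value is quoted. The test also builds a real registry client and names a live image reference for a check that, judging by the cosign.go hunk, fires while options are being built; a comment on the `rc, err := registryclient.New()` line such as `// the algorithm check fires while building options, before any registry access — revisit if VerifySignature's ordering changes` would record why that is acceptable, assuming the ordering holds. The surrounding test file continues on both sides of this hunk.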