From 8b117276cd5ab02d4fae82cb8b26d5ee45fac963 Mon Sep 17 00:00:00 2001 From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com> Date: Wed, 27 Dec 2023 08:34:16 +0000 Subject: [PATCH] Support more signature algorithms (#9102) (#9289) * Support more signature algorithms * Fix codegen * Fail loudly for unsupported algorithm * Fix codegen * Fix more --------- Signed-off-by: Hongxin Liang Co-authored-by: Honnix Co-authored-by: Vishal Choudhary Co-authored-by: shuting --- api/kyverno/v1/image_verification_test.go | 52 ++++++++++++++- api/kyverno/v1/image_verification_types.go | 16 ++++- .../kyverno/charts/crds/templates/crds.yaml | 64 +++++++++++-------- .../data/crds/kyverno.io_clusterpolicies.yaml | 32 ++++++---- .../data/crds/kyverno.io_policies.yaml | 32 ++++++---- config/crds/kyverno.io_clusterpolicies.yaml | 32 ++++++---- config/crds/kyverno.io_policies.yaml | 32 ++++++---- config/install-latest-testing.yaml | 64 +++++++++++-------- docs/user/crd/index.html | 2 +- pkg/cosign/cosign.go | 23 ++++--- pkg/cosign/cosign_test.go | 18 ++++++ 11 files changed, 242 insertions(+), 125 deletions(-) diff --git a/api/kyverno/v1/image_verification_test.go b/api/kyverno/v1/image_verification_test.go index 0f5f491ef5..1f663a8729 100644 --- a/api/kyverno/v1/image_verification_test.go +++ b/api/kyverno/v1/image_verification_test.go 
@@ -126,7 +126,24 @@ func Test_ImageVerification(t *testing.T) {
 },
 },
 {
- name: "valid static key attestor",
+ name: "static key invalid signature algorithm attestor",
+ subject: ImageVerification{
+ ImageReferences: []string{"*"},
+ Attestors: []AttestorSet{
+ {Entries: []Attestor{{
+ Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha1"},
+ }}},
+ },
+ },
+ errors: func(i *ImageVerification) field.ErrorList {
+ return field.ErrorList{
+ field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"),
+ i.Attestors[0].Entries[0].Keys, "Invalid signature algorithm provided"),
+ }
+ },
+ },
+ {
+ name: "valid static key default signature algorithm attestor",
 subject: ImageVerification{
 ImageReferences: []string{"*"},
 Attestors: []AttestorSet{
@@ -136,6 +153,39 @@ func Test_ImageVerification(t *testing.T) {
 },
 },
 },
+ {
+ name: "valid static key sha224 signature algorithm attestor",
+ subject: ImageVerification{
+ ImageReferences: []string{"*"},
+ Attestors: []AttestorSet{
+ {Entries: []Attestor{{
+ Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha224"},
+ }}},
+ },
+ },
+ },
+ {
+ name: "valid static key sah256 signature algorithm attestor",
+ subject: ImageVerification{
+ ImageReferences: []string{"*"},
+ Attestors: []AttestorSet{
+ {Entries: []Attestor{{
+ Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha256"},
+ }}},
+ },
+ },
+ },
+ {
+ name: "valid static key sha384 signature algorithm attestor",
+ subject: ImageVerification{
+ ImageReferences: []string{"*"},
+ Attestors: []AttestorSet{
+ {Entries: []Attestor{{
+ Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha384"},
+ }}},
+ },
+ },
+ },
 {
 name: "invalid keyless attestor",
 subject: ImageVerification{
diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go
index a5041ed9b2..3ad5a49c09 100644
--- a/api/kyverno/v1/image_verification_types.go
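Review bot: The third case added in the second hunk is named `"valid static key sah256 signature algorithm attestor"` while its `Keys` literal uses `SignatureAlgorithm: "sha256"`; the name should read `name: "valid static key sha256 signature algorithm attestor",` so a failure is searchable by the algorithm it covers. The positive cases cover sha224, sha256 and sha384 but not sha512, which the new allow-list in image_verification_types.go also accepts, so one more entry with `SignatureAlgorithm: "sha512"` would pin the complete list rather than three quarters of it. The table in Test_ImageVerification starts and ends outside the hunk.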
+++ b/api/kyverno/v1/image_verification_types.go
@@ -28,6 +28,14 @@ const (
 GHCR ImageRegistryCredentialsProvidersType = "github"
 )
 
+var signatureAlgorithmMap = map[string]bool{
+ "": true,
+ "sha224": true,
+ "sha256": true,
+ "sha384": true,
+ "sha512": true,
+}
+
 // ImageVerification validates that images that match the specified pattern
 // are signed with the supplied public key. Once the image is verified it is
 // mutated to include the SHA digest retrieved during the registration.
@@ -166,7 +174,7 @@ type StaticKeyAttestor struct {
 // (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
 PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
 
- // Specify signature algorithm for public keys. Supported values are sha256 and sha512.
+ // Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
 // +kubebuilder:default=sha256
 SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
 
@@ -450,8 +458,10 @@ func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList)
 if ska.PublicKeys == "" && ska.KMS == "" && ska.Secret == nil {
 errs = append(errs, field.Invalid(path, ska, "A public key, kms key or secret is required"))
 }
- if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" {
- errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
+ if ska.PublicKeys != "" {
+ if _, ok := signatureAlgorithmMap[ska.SignatureAlgorithm]; !ok {
+ errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
+ }
 }
 return errs
 }
diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml
index 4defa2ad27..2e4e222b5a 100644
--- a/charts/kyverno/charts/crds/templates/crds.yaml
+++ b/charts/kyverno/charts/crds/templates/crds.yaml
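Review bot: `signatureAlgorithmMap` in the first hunk is only ever consulted for membership (the comma-ok lookup in the third hunk never reads the `true` values), so `map[string]struct{}` with `struct{}{}` entries states that intent more precisely than `map[string]bool`. The same allow-list is declared a second time in pkg/cosign/cosign.go and the two must stay in step, so a comment on the declaration such as `// signatureAlgorithmMap is the set of accepted signatureAlgorithm values (empty means the default); keep in sync with pkg/cosign.` would help whoever adds the next algorithm. The check is still guarded by `if ska.PublicKeys != "" {`, so an unsupported value on a KMS- or secret-backed attestor passes `Validate` silently; if the setting really applies to inline PEM keys only, the field comment in the second hunk should say so. If the API server is meant to enforce the list as well, a `+kubebuilder:validation:Enum=sha224;sha256;sha384;sha512` marker beside the existing `+kubebuilder:default=sha256` would do that, though it would then reject an explicit empty string that `Validate` accepts. `Validate` begins outside the hunk.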
@@ -9663,7 +9663,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -10120,7 +10120,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -10536,7 +10537,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -14155,7 +14156,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -14641,8 +14643,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -15080,7 +15082,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -18419,7 +18421,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -18865,7 +18867,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: 
@@ -19281,7 +19284,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -22885,7 +22888,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -23371,8 +23375,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -23810,7 +23814,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -27423,7 +27427,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -27880,7 +27884,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -28296,7 +28301,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -31916,7 +31921,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: 
@@ -32402,8 +32408,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -32841,7 +32847,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -36181,7 +36187,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -36627,7 +36633,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -37043,7 +37050,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -40647,7 +40654,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -41133,8 +41141,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -41572,7 +41580,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: 
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 8f0fea113c..c3d65ec6fc 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml @@ -3367,7 +3367,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -3824,7 +3824,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -4240,7 +4241,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -7859,7 +7860,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -8345,8 +8347,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -8784,7 +8786,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -12123,7 +12125,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: 
@@ -12569,7 +12571,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -12985,7 +12988,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -16589,7 +16592,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -17075,8 +17079,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -17514,7 +17518,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index cf03f69018..65fd1ef08d 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -3368,7 +3368,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -3825,7 +3825,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: 
@@ -4241,7 +4242,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -7861,7 +7862,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -8347,8 +8349,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -8786,7 +8788,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -12126,7 +12128,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -12572,7 +12574,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -12988,7 +12991,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -16592,7 +16595,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: 
@@ -17078,8 +17082,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -17517,7 +17521,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 8f0fea113c..c3d65ec6fc 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -3367,7 +3367,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -3824,7 +3824,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -4240,7 +4241,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -7859,7 +7860,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -8345,8 +8347,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: 
@@ -8784,7 +8786,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -12123,7 +12125,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -12569,7 +12571,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -12985,7 +12988,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -16589,7 +16592,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -17075,8 +17079,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -17514,7 +17518,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index cf03f69018..65fd1ef08d 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml 
@@ -3368,7 +3368,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -3825,7 +3825,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -4241,7 +4242,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -7861,7 +7862,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -8347,8 +8349,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -8786,7 +8788,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -12126,7 +12128,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -12572,7 +12574,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: 
@@ -12988,7 +12991,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -16592,7 +16595,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -17078,8 +17082,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -17517,7 +17521,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index cdf0a2b267..bb4eaeb02d 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml @@ -9882,7 +9882,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -10339,7 +10339,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -10755,7 +10756,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: 
@@ -14374,7 +14375,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -14860,8 +14862,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -15299,7 +15301,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -18638,7 +18640,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -19084,7 +19086,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -19500,7 +19503,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -23104,7 +23107,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -23590,8 +23594,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: 
@@ -24029,7 +24033,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -27644,7 +27648,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -28101,7 +28105,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -28517,7 +28522,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -32137,7 +32142,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -32623,8 +32629,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -33062,7 +33068,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -36402,7 +36408,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: 
@@ -36848,7 +36854,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -37264,7 +37271,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values are - sha256 and sha512. + sha224, sha256, sha384 and sha512. type: string type: object repository: @@ -40868,7 +40875,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and + sha512. type: string type: object repository: @@ -41354,8 +41362,8 @@ spec: default: sha256 description: Specify signature algorithm for public keys. - Supported values are sha256 - and sha512. + Supported values are sha224, + sha256, sha384 and sha512. type: string type: object repository: @@ -41793,7 +41801,7 @@ spec: default: sha256 description: Specify signature algorithm for public keys. Supported values - are sha256 and sha512. + are sha224, sha256, sha384 and sha512. type: string type: object repository: diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 52bf1f66f2..9436bab50b 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -3910,7 +3910,7 @@ string -

Specify signature algorithm for public keys. Supported values are sha256 and sha512.

+

Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.

diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 44aaf855f4..7a26e3a61f 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -31,6 +31,14 @@ import (
 "go.uber.org/multierr"
 )
 
+var signatureAlgorithmMap = map[string]crypto.Hash{
+ "": crypto.SHA256,
+ "sha224": crypto.SHA224,
+ "sha256": crypto.SHA256,
+ "sha384": crypto.SHA384,
+ "sha512": crypto.SHA512,
+}
+
 func NewVerifier() images.ImageVerifier {
 return &cosignVerifier{}
 }
@@ -89,11 +97,6 @@ func (v *cosignVerifier) VerifySignature(ctx context.Context, opts images.Option
 func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.CheckOpts, error) {
 var remoteOpts []remote.Option
 var err error
- signatureAlgorithmMap := map[string]crypto.Hash{
- "": crypto.SHA256,
- "sha256": crypto.SHA256,
- "sha512": crypto.SHA512,
- }
 
 cosignRemoteOpts, err := opts.Client.BuildCosignRemoteOption(ctx)
 if err != nil {
@@ -121,9 +124,13 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
 
 if opts.Key != "" {
 if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
- cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithmMap[opts.SignatureAlgorithm])
- if err != nil {
- return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
+ if signatureAlgorithm, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]; ok {
+ cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithm)
+ if err != nil {
+ return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
+ }
+ } else {
+ return nil, fmt.Errorf("invalid signature algorithm provided %s", opts.SignatureAlgorithm)
 }
 } else {
 // this supports Kubernetes secrets and KMS
diff --git a/pkg/cosign/cosign_test.go b/pkg/cosign/cosign_test.go
index d0f0662609..9d00e850b9 100644
--- a/pkg/cosign/cosign_test.go
+++ b/pkg/cosign/cosign_test.go
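Review bot: The rejection added in the third hunk formats the policy-supplied value with `%s`, so a whitespace-only `opts.SignatureAlgorithm` produces a message with nothing visible after "provided"; `%q` shows exactly what was received, `return nil, fmt.Errorf("invalid signature algorithm provided %q", opts.SignatureAlgorithm)` (the `ErrorContains` string in cosign_test.go would then need the quotes too). The `if ok { … } else { return … }` shape also nests the normal `decodePEM` path one level deeper than needed; rejecting first keeps it left-aligned, as below. Note that the lookup happens only inside the PEM branch, so on the path under `// this supports Kubernetes secrets and KMS` an unsupported `SignatureAlgorithm` is not rejected; presumably that path ignores the setting, which is worth stating in the field's documentation. `buildCosignOptions` starts and ends outside the hunk.
```go
if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
	signatureAlgorithm, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]
	if !ok {
		return nil, fmt.Errorf("invalid signature algorithm provided %q", opts.SignatureAlgorithm)
	}
	cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithm)
	if err != nil {
		return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
	}
	// … unchanged: else branch for Kubernetes secrets and KMS …
```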
@@ -96,6 +96,24 @@ func TestCosignPayload(t *testing.T) {
 assert.Equal(t, d2, "sha256:ee53528c4e3c723945cf870d73702b76135955a218dd7497bf344aa73ebb4227")
 }
 
+func TestCosignInvalidSignatureAlgorithm(t *testing.T) {
+ opts := images.Options{
+ ImageRef: "ghcr.io/jimbugwadia/pause2",
+ Client: nil,
+ FetchAttestations: false,
+ Key: globalRekorPubKey,
+ SignatureAlgorithm: "sha1",
+ }
+
+ rc, err := registryclient.New()
+ assert.NilError(t, err)
+ opts.Client = rc
+
+ verifier := &cosignVerifier{}
+ _, err = verifier.VerifySignature(context.TODO(), opts)
+ assert.ErrorContains(t, err, "invalid signature algorithm provided sha1")
+}
+
 func TestCosignKeyless(t *testing.T) {
 opts := images.Options{
 ImageRef: "ghcr.io/jimbugwadia/pause2",
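Review bot: `TestCosignInvalidSignatureAlgorithm` pins the exact text `"invalid signature algorithm provided sha1"`, so any rewording of the message in pkg/cosign/cosign.go (quoting the value, for instance) breaks the test; a package-level sentinel such as `var ErrInvalidSignatureAlgorithm = errors.New("invalid signature algorithm provided")`, wrapped with `%w` at the call site and checked here with `errors.Is`, would decouple the test from the wording. The case reaches the check only because `Key` is a PEM block (`globalRekorPubKey`); the secret/KMS path has no equivalent case, and if it is also expected to reject an unsupported algorithm it needs its own test. A one-line comment above the function, such as `// an unsupported algorithm must be rejected before any signature is fetched or verified`, would make the intent explicit.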