mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00

feat: add support for signature algorithm in cosign cert and kms verification (#10086)

* feat: add support for signature algorithm in cosign cert and kms verification

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

* feat: add signature algo at attestor level

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

---------

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Khaled Emara <khaled.emara@nirmata.com>
Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Vishal Choudhary 2024-09-05 12:27:44 +05:30 committed by GitHub
parent cc966bf7af
commit 903ece34bf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 878 additions and 359 deletions


@ -179,6 +179,10 @@ type Attestor struct {
// Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
// If specified Repository will override other OCI image repository locations for this Attestor.
Repository string `json:"repository,omitempty" yaml:"repository,omitempty"`
// Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
// +kubebuilder:default=sha256
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
}
type StaticKeyAttestor struct {
@ -192,7 +196,7 @@ type StaticKeyAttestor struct {
// (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
// Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
// Deprecated. Use attestor.signatureAlgorithm instead.
// +kubebuilder:default=sha256
SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
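Review bot: The new `Attestor.SignatureAlgorithm` field accepts any string: its comment lists sha224, sha256, sha384 and sha512 as the supported values, but the only marker attached is `+kubebuilder:default=sha256`, and the generated schema is a bare `type: string`. Because this value appears to select the hash used when verifying signatures, I would add `// +kubebuilder:validation:Enum=sha224;sha256;sha384;sha512` above the field so that a typo or unsupported value is rejected when the policy is applied instead of being handled by whatever fallback the verifier has (not visible here). Both this field and the deprecated `StaticKeyAttestor.SignatureAlgorithm` carry the sha256 default, so once API-server defaulting has run an explicit key-level value cannot be told apart from an unset one; the field comment should state which level wins when they differ. The deprecation line would be recognised by Go tooling if written as its own comment paragraph, `// Deprecated: Use attestor.signatureAlgorithm instead.`; both struct bodies continue outside the hunks shown.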


@ -3906,9 +3906,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -3916,6 +3915,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4337,10 +4342,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4348,6 +4351,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4722,9 +4731,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4732,6 +4740,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -8848,10 +8862,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -8859,6 +8871,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -9290,10 +9308,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9301,6 +9318,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -9679,9 +9703,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9689,6 +9712,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13559,9 +13588,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13569,6 +13597,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13979,10 +14013,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13990,6 +14022,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -14364,9 +14402,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -14374,6 +14411,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18470,10 +18513,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18481,6 +18522,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18912,10 +18959,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18923,6 +18969,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -19301,9 +19354,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -19311,6 +19363,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object


@ -3907,9 +3907,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -3917,6 +3916,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4338,10 +4343,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4349,6 +4352,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4723,9 +4732,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4733,6 +4741,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -8850,10 +8864,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -8861,6 +8873,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -9292,10 +9310,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9303,6 +9320,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -9681,9 +9705,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9691,6 +9714,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13562,9 +13591,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13572,6 +13600,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13982,10 +14016,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13993,6 +14025,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -14367,9 +14405,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -14377,6 +14414,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18473,10 +18516,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18484,6 +18525,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18915,10 +18962,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18926,6 +18972,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -19304,9 +19357,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -19314,6 +19366,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object


@ -3900,9 +3900,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -3910,6 +3909,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4331,10 +4336,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4342,6 +4345,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4716,9 +4725,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4726,6 +4734,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -8842,10 +8856,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -8853,6 +8865,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -9284,10 +9302,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9295,6 +9312,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -9673,9 +9697,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9683,6 +9706,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13553,9 +13582,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13563,6 +13591,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13973,10 +14007,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13984,6 +14016,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -14358,9 +14396,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -14368,6 +14405,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18464,10 +18507,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18475,6 +18516,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18906,10 +18953,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18917,6 +18963,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -19295,9 +19348,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -19305,6 +19357,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object


@ -3901,9 +3901,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -3911,6 +3910,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4332,10 +4337,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4343,6 +4346,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4717,9 +4726,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4727,6 +4735,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -8844,10 +8858,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -8855,6 +8867,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -9286,10 +9304,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9297,6 +9314,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -9675,9 +9699,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9685,6 +9708,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13556,9 +13585,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13566,6 +13594,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13976,10 +14010,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13987,6 +14019,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -14361,9 +14399,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -14371,6 +14408,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18467,10 +18510,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18478,6 +18519,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18909,10 +18956,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18920,6 +18966,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -19298,9 +19351,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -19308,6 +19360,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object


@ -3900,9 +3900,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -3910,6 +3909,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4331,10 +4336,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4342,6 +4345,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4716,9 +4725,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4726,6 +4734,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -8842,10 +8856,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -8853,6 +8865,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -9284,10 +9302,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9295,6 +9312,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -9673,9 +9697,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9683,6 +9706,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13553,9 +13582,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13563,6 +13591,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13973,10 +14007,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13984,6 +14016,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -14358,9 +14396,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -14368,6 +14405,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18464,10 +18507,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18475,6 +18516,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18906,10 +18953,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18917,6 +18963,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -19295,9 +19348,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -19305,6 +19357,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object


@ -3901,9 +3901,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -3911,6 +3910,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4332,10 +4337,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4343,6 +4346,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -4717,9 +4726,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -4727,6 +4735,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -8844,10 +8858,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -8855,6 +8867,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -9286,10 +9304,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9297,6 +9314,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -9675,9 +9699,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9685,6 +9708,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13556,9 +13585,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13566,6 +13594,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -13976,10 +14010,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -13987,6 +14019,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -14361,9 +14399,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -14371,6 +14408,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18467,10 +18510,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18478,6 +18519,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18909,10 +18956,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18920,6 +18966,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -19298,9 +19351,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -19308,6 +19360,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object


@ -9223,9 +9223,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9233,6 +9232,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -9654,10 +9659,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -9665,6 +9668,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -10039,9 +10048,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -10049,6 +10057,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -14165,10 +14179,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -14176,6 +14188,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -14607,10 +14625,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -14618,6 +14635,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -14996,9 +15020,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -15006,6 +15029,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -18876,9 +18905,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -18886,6 +18914,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -19296,10 +19330,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -19307,6 +19339,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -19681,9 +19719,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -19691,6 +19728,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -23787,10 +23830,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -23798,6 +23839,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -24229,10 +24276,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -24240,6 +24286,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -24618,9 +24671,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -24628,6 +24680,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -29017,9 +29075,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -29027,6 +29084,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -29448,10 +29511,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -29459,6 +29520,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -29833,9 +29900,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -29843,6 +29909,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -33960,10 +34032,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -33971,6 +34041,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -34402,10 +34478,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -34413,6 +34488,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -34791,9 +34873,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -34801,6 +34882,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -38672,9 +38759,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -38682,6 +38768,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -39092,10 +39184,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -39103,6 +39193,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -39477,9 +39573,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -39487,6 +39582,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm for
public keys. Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -43583,10 +43684,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -43594,6 +43693,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object
@ -44025,10 +44130,9 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha224,
sha256, sha384 and sha512.
description: Deprecated. Use
attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -44036,6 +44140,13 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and
sha512.
type: string
type: object
type: array
type: object
@ -44414,9 +44525,8 @@ spec:
type: object
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha224, sha256, sha384 and sha512.
description: Deprecated. Use attestor.signatureAlgorithm
instead.
type: string
type: object
repository:
@ -44424,6 +44534,12 @@ spec:
Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
If specified Repository will override other OCI image repository locations for this Attestor.
type: string
signatureAlgorithm:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha224, sha256, sha384 and sha512.
type: string
type: object
type: array
type: object


@ -894,6 +894,17 @@ string
If specified Repository will override other OCI image repository locations for this Attestor.</p>
</td>
</tr>
<tr>
<td>
<code>signatureAlgorithm</code><br/>
<em>
string
</em>
</td>
<td>
<p>Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.</p>
</td>
</tr>
</tbody>
</table>
<hr />
@ -4400,7 +4411,7 @@ string
</em>
</td>
<td>
<p>Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.</p>
<p>Deprecated. Use attestor.signatureAlgorithm instead.</p>
</td>
</tr>
<tr>


@ -1817,6 +1817,35 @@ If specified Repository will override other OCI image repository locations for t
</tr>
<tr>
<td><code>signatureAlgorithm</code>
<span style="color:blue;"> *</span>
</br>
<span style="font-family: monospace">string</span>
</td>
<td>
<p>Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.</p>
</td>
</tr>
</tbody>
@ -8825,7 +8854,7 @@ When multiple keys are specified each key is processed as a separate staticKey e
<td>
<p>Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.</p>
<p>Deprecated. Use attestor.signatureAlgorithm instead.</p>


@ -25,12 +25,13 @@ import (
// AttestorApplyConfiguration represents an declarative configuration of the Attestor type for use
// with apply.
type AttestorApplyConfiguration struct {
Keys *StaticKeyAttestorApplyConfiguration `json:"keys,omitempty"`
Certificates *CertificateAttestorApplyConfiguration `json:"certificates,omitempty"`
Keyless *KeylessAttestorApplyConfiguration `json:"keyless,omitempty"`
Attestor *apiextensionsv1.JSON `json:"attestor,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
Repository *string `json:"repository,omitempty"`
Keys *StaticKeyAttestorApplyConfiguration `json:"keys,omitempty"`
Certificates *CertificateAttestorApplyConfiguration `json:"certificates,omitempty"`
Keyless *KeylessAttestorApplyConfiguration `json:"keyless,omitempty"`
Attestor *apiextensionsv1.JSON `json:"attestor,omitempty"`
Annotations map[string]string `json:"annotations,omitempty"`
Repository *string `json:"repository,omitempty"`
SignatureAlgorithm *string `json:"signatureAlgorithm,omitempty"`
}
// AttestorApplyConfiguration constructs an declarative configuration of the Attestor type for use with
@ -92,3 +93,11 @@ func (b *AttestorApplyConfiguration) WithRepository(value string) *AttestorApply
b.Repository = &value
return b
}
// WithSignatureAlgorithm sets the SignatureAlgorithm field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the SignatureAlgorithm field is set to the value of the last call.
func (b *AttestorApplyConfiguration) WithSignatureAlgorithm(value string) *AttestorApplyConfiguration {
b.SignatureAlgorithm = &value
return b
}


@ -135,19 +135,20 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
cosignOpts.RootCerts = cp
}
signatureAlgorithm, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]
if !ok {
return nil, fmt.Errorf("invalid signature algorithm provided %s", opts.SignatureAlgorithm)
}
if opts.Key != "" {
if strings.HasPrefix(strings.TrimSpace(opts.Key), "-----BEGIN PUBLIC KEY-----") {
if signatureAlgorithm, ok := signatureAlgorithmMap[opts.SignatureAlgorithm]; ok {
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithm)
if err != nil {
return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
}
} else {
return nil, fmt.Errorf("invalid signature algorithm provided %s", opts.SignatureAlgorithm)
cosignOpts.SigVerifier, err = decodePEM([]byte(opts.Key), signatureAlgorithm)
if err != nil {
return nil, fmt.Errorf("failed to load public key from PEM: %w", err)
}
} else {
// this supports Kubernetes secrets and KMS
cosignOpts.SigVerifier, err = sigs.PublicKeyFromKeyRef(ctx, opts.Key)
cosignOpts.SigVerifier, err = sigs.PublicKeyFromKeyRefWithHashAlgo(ctx, opts.Key, signatureAlgorithm)
if err != nil {
return nil, fmt.Errorf("failed to load public key from %s: %w", opts.Key, err)
}
@ -161,7 +162,7 @@ func buildCosignOptions(ctx context.Context, opts images.Options) (*cosign.Check
}
if opts.CertChain == "" {
cosignOpts.SigVerifier, err = signature.LoadVerifier(cert.PublicKey, crypto.SHA256)
cosignOpts.SigVerifier, err = signature.LoadVerifier(cert.PublicKey, signatureAlgorithm)
if err != nil {
return nil, fmt.Errorf("failed to load signature from certificate: %w", err)
}
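Review bot: The `signatureAlgorithmMap` lookup now sits above the `opts.Key` check, so an unrecognised or empty `opts.SignatureAlgorithm` rejects every verification that reaches this point, not only the PEM-key branch it used to guard. Failing closed is the right direction, but the `sha256` default is declared on the CRD schema. If the map (not visible in this hunk) has no entry for the empty string, `images.Options` values built in code without that field would presumably start failing here. I would document the contract above the lookup, e.g. `// applies to PEM keys, key references (secrets/KMS) and certificates; an empty value must resolve to the sha256 default`. I would also quote the value so an empty string is visible in the error: `fmt.Errorf("invalid signature algorithm provided %q", opts.SignatureAlgorithm)`. buildCosignOptions starts and ends outside the hunks shown.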

View file

@ -549,11 +549,12 @@ func (iv *ImageVerifier) buildCosignVerifier(
) (images.ImageVerifier, *images.Options, string) {
path := ""
opts := &images.Options{
ImageRef: image,
Repository: imageVerify.Repository,
CosignOCI11: imageVerify.CosignOCI11,
Annotations: imageVerify.Annotations,
Client: iv.rclient,
ImageRef: image,
Repository: imageVerify.Repository,
CosignOCI11: imageVerify.CosignOCI11,
Annotations: imageVerify.Annotations,
SignatureAlgorithm: attestor.SignatureAlgorithm,
Client: iv.rclient,
}
if imageVerify.Type == kyvernov1.SigstoreBundle {