Cherry-pick commits and release 1.6.0-rc2 (#3123)

* Add KYVERNO_DEPLOYMENT to initContainer (#3086) Signed-off-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Updates Changelog to add note for anyPattern issue due to k8s v1.23 (#3045) * adds notes for anyPattern issue due to k8s v1.23 Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * updates changelog Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * updates changelog for any/all Signed-off-by: Mritunjay Sharma <mritunjaysharma394@gmail.com> * Update CHANGELOG.md Co-authored-by: Jordan Liggitt <jordan@liggitt.net> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com> Co-authored-by: Jordan Liggitt <jordan@liggitt.net> Signed-off-by: ShutingZhao <shuting@nirmata.com> * fix mutating ownerReferenecs (#3061) Signed-off-by: ShutingZhao <shuting@nirmata.com> * Fix CLI test/apply when any/all use namespaceSelector (#3050) * Fix CLI test/apply when any/all use namespaceSelector Fixes #3047 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * gofmt fix Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * apply patches cumulatively (#3083) * apply patches cumulatively Signed-off-by: Jim Bugwadia <jim@nirmata.com> * handle skipped rules Signed-off-by: Jim Bugwadia <jim@nirmata.com> * add test files Signed-off-by: Jim Bugwadia <jim@nirmata.com> Signed-off-by: ShutingZhao <shuting@nirmata.com> * Support registry keychain from cloud providers (#3036) * Enable cloud provider registry keychains It's desirable that Kyverno supports using workload identity and other cloud provider metadata services for registry credentials. Signed-off-by: Rob Best <robertbest89@gmail.com> * Always initialize registry keychain This supports using docker configuration on disk and credentials from cloud providers without having to specify image pull secrets. Signed-off-by: Rob Best <robertbest89@gmail.com> * Get pull secrets from kyverno service account It was previously using 'default'. I think it makes more sense to use the service account that Kyverno actually runs with. Signed-off-by: Rob Best <robertbest89@gmail.com> * Don't split empty pull secrets list Signed-off-by: Rob Best <robertbest89@gmail.com> * Add KYVERNO_SVC_ACCOUNT to config manifests Signed-off-by: Rob Best <robertbest89@gmail.com> * Don't retrieve secrets from service account Signed-off-by: Rob Best <robertbest89@gmail.com> * Reduce scope of keychain changes Just enable cloud provider keychains. Signed-off-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> * Fix memory leak when updating ggcr keychain (#3088) Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com> * update cosign to 1.5.0 and fix issuer and subject for keyless (#3089) * update cosign to 1.5.0 and add checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix subject and issuer checks Signed-off-by: Jim Bugwadia <jim@nirmata.com> * make fmt Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fix tests Signed-off-by: Jim Bugwadia <jim@nirmata.com> * fixing and adding tests (#3112) Signed-off-by: Naman Lakhwani <namanlakhwani@gmail.com> Co-authored-by: Kumar Mallikarjuna <kumarmallikarjuna1@gmail.com> Co-authored-by: Mritunjay Kumar Sharma <mritunjaysharma394@gmail.com> Co-authored-by: Jordan Liggitt <jordan@liggitt.net> Co-authored-by: treydock <tdockendorf@osc.edu> Co-authored-by: Vyankatesh Kudtarkar <vyankateshkd@gmail.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> Co-authored-by: Rob Best <robertbest89@gmail.com> Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com> Co-authored-by: Naman Lakhwani <namanlakhwani@gmail.com>
2025-01-20 18:52:16 +00:00 · 2022-01-29 14:51:55 +08:00 · 2022-01-29 14:51:55 +08:00 · abfeb5f8e2
commit abfeb5f8e2
parent 9ae346b3d5
12 changed files with 773 additions and 534 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,7 +1,8 @@
 ## v1.6.0-rc1
 ### Note
 - Helm charts are changed to enforce PodDisruptionBudget for multi-replica clusters and PDB is removed from install manifests.
-
+- `anyPattern` for Kyverno validate policies breaks in Kubernetes `v1.23.0`-`v1.23.2`, and the fix is being tracked by this [PR](https://github.com/kubernetes/kubernetes/pull/107688) and will be available in `v1.23.3`.
+- To use `any/all` conditions for policies that use `preconditons` and `deny.conditions`, the user can go to this [resource](https://kyverno.io/docs/writing-policies/preconditions/#any-and-all-statements) as a good starting point.
 ## v1.5.0-rc1
 ### Note
 - The Helm CRDs was switched back to kyverno chart. To upgrade using Helm, please refer to https://github.com/kyverno/website/pull/304.
--- a/26
+++ b/26
@ -27,10 +27,6 @@ PACKAGE ?=github.com/kyverno/kyverno
 LD_FLAGS="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
 LD_FLAGS_DEV="-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION_DEV) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"

-# Used to disable inclusion of cloud provider code in k8schain
-# https://github.com/google/go-containerregistry/tree/main/pkg/authn/k8schain
-TAGS=disable_aws,disable_azure,disable_gcp
-
 ##################################
 # KYVERNO
 ##################################
@ -112,7 +108,7 @@ docker-get-initContainer-digest:
 	@docker buildx imagetools inspect --raw $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'

 docker-build-initContainer-local:
-	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -tags $(TAGS) -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go
+	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go
 	@docker build -f $(PWD)/$(INITC_PATH)/localDockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH)
 	@docker tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(REPO)/$(INITC_IMAGE):latest

@ -132,28 +128,28 @@ KYVERNO_PATH := cmd/kyverno
 KYVERNO_IMAGE := kyverno

 local:
-	go build -tags $(TAGS) -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)
-	go build -tags $(TAGS) -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH)
+	go build -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)
+	go build -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH)

 kyverno: fmt vet
-	GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -tags $(TAGS) -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go
+	GOOS=$(GOOS) go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go

 docker-publish-kyverno: docker-buildx-builder docker-build-kyverno docker-push-kyverno

 docker-build-kyverno: docker-buildx-builder
-	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS)
+	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)

 docker-build-kyverno-local:
-	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -tags $(TAGS) -ldflags=$(LD_FLAGS_DEV) $(PWD)/$(KYVERNO_PATH)/main.go
+	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS_DEV) $(PWD)/$(KYVERNO_PATH)/main.go
 	@docker build -f $(PWD)/$(KYVERNO_PATH)/localDockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) -t $(REPO)/$(KYVERNO_IMAGE):latest $(PWD)/$(KYVERNO_PATH)
 	@docker tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest

 docker-build-kyverno-amd64:
-	@docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64" --build-arg TAGS=$(TAGS)
+	@docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64"

 docker-push-kyverno: docker-buildx-builder
-	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS)
-	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TAGS=$(TAGS)
+	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
+	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)

 docker-get-kyverno-digest:
 	@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
@ -161,8 +157,8 @@ docker-get-kyverno-digest:
 docker-publish-kyverno-dev: docker-buildx-builder docker-push-kyverno-dev

 docker-push-kyverno-dev: docker-buildx-builder
-	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS)
-	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV) --build-arg TAGS=$(TAGS)
+	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)
+	@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_LATEST_DEV)-latest . --build-arg LD_FLAGS=$(LD_FLAGS_DEV)

 docker-get-kyverno-dev-digest:
 	@docker buildx imagetools inspect --raw $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG_DEV) | perl -pe 'chomp if eof' | openssl dgst -sha256 | sed 's/^.* //'
--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@ -75,6 +75,8 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
+          - name: KYVERNO_DEPLOYMENT
+            value: {{ template "kyverno.fullname" . }}
          {{- with .Values.envVarsInit }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
--- a/cmd/kyverno/Dockerfile
+++ b/cmd/kyverno/Dockerfile
@ -7,7 +7,6 @@ LABEL maintainer="Kyverno"
 # LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
 ARG LD_FLAGS
 ARG TARGETPLATFORM
-ARG TAGS

 ADD . /kyverno
 WORKDIR /kyverno
@ -17,7 +16,7 @@ RUN export GOOS=$(echo ${TARGETPLATFORM} | cut -d / -f1) && \

 RUN go env

-RUN CGO_ENABLED=0 go build -o /output/kyverno -tags "${TAGS}" -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
+RUN CGO_ENABLED=0 go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/

 # Packaging stage
 FROM scratch
--- a/go.mod
+++ b/go.mod
@ -7,18 +7,18 @@ require (
 	github.com/cornelk/hashmap v1.0.1
 	github.com/dchest/siphash v1.2.1 // indirect
 	github.com/distribution/distribution v2.7.1+incompatible
-	github.com/evanphx/json-patch/v5 v5.5.0
-	github.com/fatih/color v1.12.0
+	github.com/evanphx/json-patch/v5 v5.6.0
+	github.com/fatih/color v1.13.0
 	github.com/gardener/controller-manager-library v0.2.0
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-git/go-billy/v5 v5.0.0
 	github.com/go-git/go-git/v5 v5.2.0
-	github.com/go-logr/logr v1.2.0
-	github.com/google/go-containerregistry v0.6.1-0.20210922191434-34b7f00d7a60
-	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20211004163346-9ae11fe20941
+	github.com/go-logr/logr v1.2.2
+	github.com/google/go-containerregistry v0.8.1-0.20220125170349-50dfc2733d10
+	github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20220125170349-50dfc2733d10
 	github.com/googleapis/gnostic v0.5.5
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/in-toto/in-toto-golang v0.3.3
+	github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/kataras/tablewriter v0.0.0-20180708051242-e063d29b7c23
@ -32,9 +32,9 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.11.0
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/sigstore/cosign v1.3.0
-	github.com/sigstore/sigstore v1.0.0
-	github.com/spf13/cobra v1.2.1
+	github.com/sigstore/cosign v1.5.1-0.20220125213308-79012c354c4d
+	github.com/sigstore/sigstore v1.1.1-0.20220115165716-9f61ddc98390
+	github.com/spf13/cobra v1.3.0
 	github.com/stretchr/testify v1.7.0
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0
@ -46,7 +46,7 @@ require (
 	k8s.io/cli-runtime v0.23.2
 	k8s.io/client-go v0.23.2
 	k8s.io/klog/v2 v2.40.1
-	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65
+	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf
 	sigs.k8s.io/controller-runtime v0.11.0
 	sigs.k8s.io/kustomize/api v0.10.1
 	sigs.k8s.io/kustomize/kyaml v0.13.0
@ -60,49 +60,65 @@ require (
 )

 require (
-	cloud.google.com/go v0.97.0 // indirect
-	cloud.google.com/go/kms v1.0.0 // indirect
+	cloud.google.com/go v0.100.2 // indirect
+	cloud.google.com/go/compute v1.1.0 // indirect
+	cloud.google.com/go/iam v0.1.1 // indirect
+	cloud.google.com/go/kms v1.1.0 // indirect
 	cloud.google.com/go/storage v1.18.2 // indirect
-	github.com/Azure/azure-sdk-for-go v55.8.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v61.3.0+incompatible // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.19 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.13 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.8 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.24 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.5 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
 	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/Microsoft/go-winio v0.5.0 // indirect
+	github.com/Microsoft/go-winio v0.5.1 // indirect
+	github.com/PaesslerAG/gval v1.0.0 // indirect
+	github.com/PaesslerAG/jsonpath v0.1.1 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/ReneKroon/ttlcache/v2 v2.7.0 // indirect
+	github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
+	github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
+	github.com/armon/go-metrics v0.3.10 // indirect
+	github.com/armon/go-radix v1.0.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go v1.40.7 // indirect
+	github.com/aws/aws-sdk-go v1.42.34 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.10.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.2.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.14.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.11.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.7.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.9.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.14.0 // indirect
+	github.com/aws/smithy-go v1.10.0 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20211215200129-69c85dc22db6 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
-	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4 // indirect
-	github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.8.0 // indirect
-	github.com/coreos/go-oidc/v3 v3.0.0 // indirect
+	github.com/chrismellard/docker-credential-acr-env v0.0.0-20220119192733-fe33c00cee21 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.10.1 // indirect
+	github.com/coreos/go-oidc/v3 v3.1.0 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20210823021906-dc406ceaf94b // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/docker/cli v20.10.8+incompatible // indirect
+	github.com/docker/cli v20.10.12+incompatible // indirect
 	github.com/docker/distribution v2.7.1+incompatible // indirect
-	github.com/docker/docker v20.10.8+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.3 // indirect
+	github.com/docker/docker v20.10.12+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
-	github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021 // indirect
-	github.com/envoyproxy/protoc-gen-validate v0.6.1 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
-	github.com/form3tech-oss/jwt-go v3.2.5+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
@ -111,38 +127,50 @@ require (
 	github.com/go-openapi/errors v0.20.1 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.19.6 // indirect
-	github.com/go-openapi/loads v0.20.2 // indirect
-	github.com/go-openapi/runtime v0.20.0 // indirect
-	github.com/go-openapi/spec v0.20.3 // indirect
-	github.com/go-openapi/strfmt v0.21.0 // indirect
+	github.com/go-openapi/loads v0.21.0 // indirect
+	github.com/go-openapi/runtime v0.21.1 // indirect
+	github.com/go-openapi/spec v0.20.4 // indirect
+	github.com/go-openapi/strfmt v0.21.1 // indirect
 	github.com/go-openapi/swag v0.19.15 // indirect
-	github.com/go-openapi/validate v0.20.2 // indirect
-	github.com/go-playground/locales v0.13.0 // indirect
-	github.com/go-playground/universal-translator v0.17.0 // indirect
-	github.com/go-playground/validator v9.31.0+incompatible // indirect
+	github.com/go-openapi/validate v0.20.3 // indirect
+	github.com/go-playground/locales v0.14.0 // indirect
+	github.com/go-playground/universal-translator v0.18.0 // indirect
+	github.com/go-playground/validator/v10 v10.10.0 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
-	github.com/google/go-github/v39 v39.2.0 // indirect
+	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20220125170349-50dfc2733d10 // indirect
+	github.com/google/go-github/v42 v42.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/trillian v1.3.14-0.20210713114448-df474653733c // indirect
+	github.com/google/trillian v1.4.0 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-hclog v1.0.0 // indirect
+	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-plugin v1.4.3 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.0 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/mlock v0.1.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
+	github.com/hashicorp/go-uuid v1.0.2 // indirect
+	github.com/hashicorp/go-version v1.3.0 // indirect
+	github.com/hashicorp/golang-lru v0.5.4 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/vault/api v1.1.1 // indirect
-	github.com/hashicorp/vault/sdk v0.2.1 // indirect
+	github.com/hashicorp/vault/api v1.3.1 // indirect
+	github.com/hashicorp/vault/sdk v0.3.0 // indirect
+	github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
@ -155,81 +183,84 @@ require (
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-colorable v0.1.8 // indirect
-	github.com/mattn/go-isatty v0.0.13 // indirect
+	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.1 // indirect
+	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
+	github.com/mitchellh/mapstructure v1.4.3 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
+	github.com/oklog/run v1.1.0 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml v1.9.3 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pierrec/lz4 v2.6.1+incompatible // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.31.1 // indirect
+	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
-	github.com/secure-systems-lab/go-securesystemslib v0.1.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.3.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
-	github.com/shibumi/go-pathspec v1.2.0 // indirect
-	github.com/sigstore/fulcio v0.1.2-0.20210831152525-42f7422734bb // indirect
-	github.com/sigstore/rekor v0.3.0 // indirect
+	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7 // indirect
+	github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
-	github.com/spf13/afero v1.6.0 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/afero v1.8.0 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.8.1 // indirect
+	github.com/spf13/viper v1.10.1 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
 	github.com/tent/canonical-json-go v0.0.0-20130607151641-96e4ba3a7613 // indirect
-	github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396 // indirect
-	github.com/vdemeester/k8s-pkg-credentialprovider v1.21.0-1 // indirect
-	github.com/xanzy/go-gitlab v0.51.1 // indirect
+	github.com/thales-e-security/pool v0.0.2 // indirect
+	github.com/theupdateframework/go-tuf v0.0.0-20220124194755-2c5d73bebc1c // indirect
+	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/xanzy/go-gitlab v0.54.3 // indirect
 	github.com/xlab/treeprint v0.0.0-20181112141820-a009c3971eca // indirect
-	go.mongodb.org/mongo-driver v1.7.3 // indirect
+	go.mongodb.org/mongo-driver v1.7.5 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
-	go.uber.org/zap v1.19.1 // indirect
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 // indirect
+	go.uber.org/zap v1.20.0 // indirect
+	golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce // indirect
 	golang.org/x/mod v0.5.1 // indirect
-	golang.org/x/net v0.0.0-20211209124913-491a49abca63 // indirect
-	golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1 // indirect
+	golang.org/x/net v0.0.0-20220121210141-e204ce36a2ba // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8 // indirect
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
 	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	google.golang.org/api v0.60.0 // indirect
+	google.golang.org/api v0.65.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211021150943-2b146023228c // indirect
-	google.golang.org/grpc v1.41.0 // indirect
+	google.golang.org/genproto v0.0.0-20220111164026-67b88f271998 // indirect
+	google.golang.org/grpc v1.43.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	k8s.io/cloud-provider v0.21.0 // indirect
-	k8s.io/component-base v0.23.2 // indirect
-	k8s.io/legacy-cloud-providers v0.21.0 // indirect
-	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b // indirect
-	knative.dev/pkg v0.0.0-20211004133827-74ac82a333a4 // indirect
-	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	k8s.io/utils v0.0.0-20211208161948-7d6a63dca704 // indirect
+	knative.dev/pkg v0.0.0-20220121092305-3ba5d72e310a // indirect
+	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 )

--- a/go.sum
+++ b/go.sum
--- a/pkg/cosign/client.go
+++ b/pkg/cosign/client.go
@ -11,12 +11,18 @@ import (
 var client Cosign = &driver{}

 type Cosign interface {
-	Verify(ctx context.Context, signedImgRef name.Reference, accessor cosign.Accessor, co *cosign.CheckOpts) ([]oci.Signature, bool, error)
+	VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error)
+
+	VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
 }

 type driver struct {
 }

-func (d *driver) Verify(ctx context.Context, signedImgRef name.Reference, accessor cosign.Accessor, co *cosign.CheckOpts) ([]oci.Signature, bool, error) {
-	return cosign.Verify(ctx, signedImgRef, accessor, co)
+func (d *driver) VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) ([]oci.Signature, bool, error) {
+	return cosign.VerifyImageSignatures(ctx, signedImgRef, co)
+}
+
+func (d *driver) VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
+	return cosign.VerifyImageAttestations(ctx, signedImgRef, co)
 }
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@ -9,6 +9,8 @@ import (
 	"fmt"
 	"strings"

+	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
+
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/pkg/oci/remote"

@ -57,6 +59,7 @@ func VerifySignature(opts Options) (digest string, err error) {
 	cosignOpts := &cosign.CheckOpts{
 		Annotations:        map[string]interface{}{},
 		RegistryClientOpts: remoteOpts,
+		ClaimVerifier:      cosign.SimpleClaimVerifier,
 	}

 	if opts.Key != "" {
@ -67,7 +70,10 @@ func VerifySignature(opts Options) (digest string, err error) {
 		}
 	} else {
 		cosignOpts.CertEmail = ""
-		cosignOpts.RootCerts, err = getX509CertPool(opts.Roots)
+		cosignOpts.RootCerts, err = getFulcioRoots(opts.Roots)
+		if err == nil {
+			cosignOpts.RekorClient, err = rekor.NewClient("https://rekor.sigstore.dev")
+		}
 	}

 	if err != nil {
@ -88,7 +94,7 @@ func VerifySignature(opts Options) (digest string, err error) {
 		return "", errors.Wrap(err, "failed to parse image")
 	}

-	verified, _, err := client.Verify(ctx, ref, cosign.SignaturesAccessor, cosignOpts)
+	signatures, bundleVerified, err := client.VerifyImageSignatures(ctx, ref, cosignOpts)
 	if err != nil {
 		msg := err.Error()
 		log.Info("image verification failed", "error", msg)
@ -101,35 +107,22 @@ func VerifySignature(opts Options) (digest string, err error) {
 		return "", err
 	}

-	payload, err := extractPayload(opts.ImageRef, verified, log)
+	log.V(3).Info("verified image", "count", len(signatures), "bundleVerified", bundleVerified)
+	pld, err := extractPayload(signatures)
 	if err != nil {
-		return "", errors.Wrap(err, "failed to get payload")
+		return "", errors.Wrap(err, "failed to get pld")
 	}

-	if opts.Issuer != "" {
-		issuer, err := extractIssuer(opts.ImageRef, payload, log)
-		if err == nil && (issuer != opts.Issuer) {
-			return "", errors.Wrap(err, "issuer mismatch")
-		}
-
-		return "", errors.Wrap(err, "issuer not found")
+	if err := matchSubjectAndIssuer(signatures, opts.Subject, opts.Issuer); err != nil {
+		return "", err
 	}

-	if opts.Subject != "" {
-		subject, err := extractSubject(opts.ImageRef, payload, log)
-		if err == nil && wildcard.Match(opts.Subject, subject) {
-			return "", errors.Wrap(err, "subject mismatch")
-		}
-
-		return "", errors.Wrap(err, "subject not found")
-	}
-
-	err = checkAnnotations(payload, opts.Annotations, log)
+	err = checkAnnotations(pld, opts.Annotations)
 	if err != nil {
 		return "", errors.Wrap(err, "annotation mismatch")
 	}

-	digest, err = extractDigest(opts.ImageRef, payload, log)
+	digest, err = extractDigest(opts.ImageRef, pld, log)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to get digest")
 	}
@ -137,8 +130,8 @@ func VerifySignature(opts Options) (digest string, err error) {
 	return digest, nil
 }

-func getX509CertPool(roots []byte) (*x509.CertPool, error) {
-	if roots == nil {
+func getFulcioRoots(roots []byte) (*x509.CertPool, error) {
+	if len(roots) == 0 {
 		return fulcio.GetRoots(), nil
 	}

@ -196,7 +189,7 @@ func FetchAttestations(imageRef string, key string, repository string, log logr.
 		return nil, errors.Wrap(err, "failed to parse image")
 	}

-	verified, _, err := client.Verify(context.Background(), ref, cosign.AttestationsAccessor, cosignOpts)
+	signatures, bundleVerified, err := client.VerifyImageAttestations(context.Background(), ref, cosignOpts)
 	if err != nil {
 		msg := err.Error()
 		log.Info("failed to fetch attestations", "error", msg)
@ -207,7 +200,8 @@ func FetchAttestations(imageRef string, key string, repository string, log logr.
 		return nil, err
 	}

-	inTotoStatements, err := decodeStatements(verified)
+	log.V(3).Info("verified images", "count", len(signatures), "bundleVerified", bundleVerified)
+	inTotoStatements, err := decodeStatements(signatures)
 	if err != nil {
 		return nil, err
 	}
@ -222,20 +216,26 @@ func decodeStatements(sigs []oci.Signature) ([]map[string]interface{}, error) {

 	decodedStatements := make([]map[string]interface{}, len(sigs))
 	for i, sig := range sigs {
-		payload, err := sig.Payload()
+		pld, err := sig.Payload()
 		if err != nil {
-			return nil, errors.Wrap(err, "failed to get payload")
-		}
-		data := make(map[string]interface{})
-		if err := json.Unmarshal(payload, &data); err != nil {
-			return nil, errors.Wrapf(err, "failed to unmarshal JSON payload: %v", sig)
-		}
-		decodedStatement, err := decodeStatement(data["payload"].(string))
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to decode statement %s", string(payload))
+			return nil, errors.Wrap(err, "failed to decode payload")
 		}

-		decodedStatements[i] = decodedStatement
+		data := make(map[string]interface{})
+		if err := json.Unmarshal(pld, &data); err != nil {
+			return nil, errors.Wrapf(err, "failed to unmarshal JSON payload: %v", sig)
+		}
+
+		if dataPayload, ok := data["payload"]; !ok {
+			return nil, fmt.Errorf("missing payload in %v", data)
+		} else {
+			decodedStatement, err := decodeStatement(dataPayload.(string))
+			if err != nil {
+				return nil, errors.Wrapf(err, "failed to decode statement %s", string(pld))
+			}
+
+			decodedStatements[i] = decodedStatement
+		}
 	}

 	return decodedStatements, nil
@ -313,50 +313,22 @@ func decodePEM(raw []byte) (signature.Verifier, error) {
 	return signature.LoadECDSAVerifier(ed, crypto.SHA256)
 }

-func extractPayload(imgRef string, verified []oci.Signature, log logr.Logger) ([]payload.SimpleContainerImage, error) {
-	var sigPayload []payload.SimpleContainerImage
+func extractPayload(verified []oci.Signature) ([]payload.SimpleContainerImage, error) {
+	var sigPayloads []payload.SimpleContainerImage
 	for _, sig := range verified {
-		p, err := sig.Payload()
+		pld, err := sig.Payload()
 		if err != nil {
 			return nil, errors.Wrap(err, "failed to get payload")
 		}

-		ss := payload.SimpleContainerImage{}
-		if err := json.Unmarshal(p, &ss); err != nil {
+		sci := payload.SimpleContainerImage{}
+		if err := json.Unmarshal(pld, &sci); err != nil {
 			return nil, errors.Wrap(err, "error decoding the payload")
 		}

-		log.V(3).Info("image verification response", "image", imgRef, "payload", ss)
-		// The expected payload is in one of these JSON formats:
-		// {
-		//   "critical": {
-		// 	   "identity": {
-		// 	     "docker-reference": "registry-v2.nirmata.io/pause"
-		// 	    },
-		//   	"image": {
-		// 	     "docker-manifest-digest": "sha256:4a1c4b21597c1b4415bdbecb28a3296c6b5e23ca4f9feeb599860a1dac6a0108"
-		// 	    },
-		// 	    "type": "cosign container image signature"
-		//    },
-		//    "optional": null
-		// }
-		//
-		// {
-		//   "Critical": {
-		//     "Identity": {
-		//       "docker-reference": "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
-		//     },
-		//     "Image": {
-		//       "Docker-manifest-digest": "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816"
-		//     },
-		//     "Type": "Tekton container signature"
-		//   },
-		//   "Optional": {}
-		// }
-
-		sigPayload = append(sigPayload, ss)
+		sigPayloads = append(sigPayloads, sci)
 	}
-	return sigPayload, nil
+	return sigPayloads, nil
 }

 func extractDigest(imgRef string, payload []payload.SimpleContainerImage, log logr.Logger) (string, error) {
@ -371,35 +343,40 @@ func extractDigest(imgRef string, payload []payload.SimpleContainerImage, log lo
 	return "", fmt.Errorf("digest not found for " + imgRef)
 }

-func extractIssuer(imgRef string, payload []payload.SimpleContainerImage, log logr.Logger) (string, error) {
-	for _, p := range payload {
-		if issuer := p.Optional["Issuer"]; issuer != nil {
-			return issuer.(string), nil
-		} else {
-			log.V(3).Info("failed to extract image issuer from verification response", "image", imgRef, "payload", p)
-			return "", fmt.Errorf("unknown image response for " + imgRef)
+func matchSubjectAndIssuer(signatures []oci.Signature, subject, issuer string) error {
+	if subject == "" && issuer == "" {
+		return nil
+	}
+	var s string
+	for _, sig := range signatures {
+		cert, err := sig.Cert()
+		if err != nil {
+			return errors.Wrap(err, "failed to read certificate")
+		}
+
+		if cert == nil {
+			return errors.Wrap(err, "certificate not found")
+		}
+
+		s = sigs.CertSubject(cert)
+		i := sigs.CertIssuerExtension(cert)
+		if subject == "" || wildcard.Match(subject, s) {
+			if issuer == "" || (issuer == i) {
+				return nil
+			} else {
+				return fmt.Errorf("issuer mismatch: expected %s, got %s", i, issuer)
+			}
 		}
 	}
-	return "", fmt.Errorf("issuer not found for " + imgRef)
+
+	return fmt.Errorf("subject mismatch: expected %s, got %s", s, subject)
 }

-func extractSubject(imgRef string, payload []payload.SimpleContainerImage, log logr.Logger) (string, error) {
-	for _, p := range payload {
-		if subject := p.Optional["Subject"]; subject != nil {
-			return subject.(string), nil
-		} else {
-			log.V(3).Info("failed to extract image subject from verification response", "image", imgRef, "payload", p)
-			return "", fmt.Errorf("unknown image response for " + imgRef)
-		}
-	}
-	return "", fmt.Errorf("image subject not found for " + imgRef)
-}
-
-func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[string]string, log logr.Logger) error {
+func checkAnnotations(payload []payload.SimpleContainerImage, annotations map[string]string) error {
 	for _, p := range payload {
 		for key, val := range annotations {
 			if val != p.Optional[key] {
-				return fmt.Errorf("value of " + key + " does not match")
+				return fmt.Errorf("annotation value for %s does not match", key)
 			}
 		}
 	}
--- a/pkg/cosign/cosign_test.go
+++ b/pkg/cosign/cosign_test.go
@ -6,7 +6,6 @@ import (
 	"github.com/sigstore/cosign/pkg/oci"

 	"github.com/go-logr/logr"
-	"github.com/minio/pkg/wildcard"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"gotest.tools/assert"
 )
@ -47,10 +46,10 @@ func TestCosignPayload(t *testing.T) {
 	var log logr.Logger = logr.Discard()
 	image := "registry-v2.nirmata.io/pause"
 	signedPayloads := cosign.SignedPayload{Payload: []byte(cosignPayload)}
-	p, err := extractPayload(image, []oci.Signature{&sig{cosignPayload: signedPayloads}}, log)
+	p, err := extractPayload([]oci.Signature{&sig{cosignPayload: signedPayloads}})
 	assert.NilError(t, err)
 	a := map[string]string{"foo": "bar"}
-	err = checkAnnotations(p, a, log)
+	err = checkAnnotations(p, a)
 	assert.NilError(t, err)
 	d, err := extractDigest(image, p, log)
 	assert.NilError(t, err)
@ -58,15 +57,33 @@ func TestCosignPayload(t *testing.T) {

 	image2 := "gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/nop"
 	signedPayloads2 := cosign.SignedPayload{Payload: []byte(tektonPayload)}
-	p2, err := extractPayload(image2, []oci.Signature{&sig{cosignPayload: signedPayloads2}}, log)
+	signatures2 := []oci.Signature{&sig{cosignPayload: signedPayloads2}}
+	p2, err := extractPayload(signatures2)
 	assert.NilError(t, err)
-	i2, err := extractIssuer(image2, p2, log)
-	assert.NilError(t, err)
-	assert.Equal(t, i2, "https://github.com/login/oauth")
-	s2, err := extractSubject(image2, p2, log)
-	assert.NilError(t, err)
-	assert.Assert(t, wildcard.Match("https://github.com/mycompany/*/.github/workflows/*.yml@refs/heads/main", s2))
+
 	d2, err := extractDigest(image2, p2, log)
 	assert.NilError(t, err)
 	assert.Equal(t, d2, "sha256:6a037d5ba27d9c6be32a9038bfe676fb67d2e4145b4f53e9c61fb3e69f06e816")
 }
+
+func TestCosignKeyless(t *testing.T) {
+	var log logr.Logger = logr.Discard()
+	opts := Options{
+		ImageRef: "ghcr.io/jimbugwadia/pause2",
+		Issuer:   "https://github.com/",
+		Subject:  "jim",
+		Log:      log,
+	}
+
+	_, err := VerifySignature(opts)
+	assert.Error(t, err, "subject mismatch: expected jim@nirmata.com, got jim")
+
+	opts.Subject = "jim@nirmata.com"
+	_, err = VerifySignature(opts)
+	assert.Error(t, err, "issuer mismatch: expected https://github.com/login/oauth, got https://github.com/")
+
+	opts.Issuer = "https://github.com/login/oauth"
+	_, err = VerifySignature(opts)
+	assert.NilError(t, err)
+
+}
--- a/pkg/cosign/mock.go
+++ b/pkg/cosign/mock.go
@ -33,7 +33,15 @@ type mock struct {
 	data map[string][]cosign.SignedPayload
 }

-func (m *mock) Verify(_ context.Context, signedImgRef name.Reference, accessor cosign.Accessor, _ *cosign.CheckOpts) ([]oci.Signature, bool, error) {
+func (m *mock) VerifyImageSignatures(_ context.Context, signedImgRef name.Reference, _ *cosign.CheckOpts) ([]oci.Signature, bool, error) {
+	return m.getSignatures(signedImgRef)
+}
+
+func (m *mock) VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *cosign.CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error) {
+	return m.getSignatures(signedImgRef)
+}
+
+func (m *mock) getSignatures(signedImgRef name.Reference) ([]oci.Signature, bool, error) {
 	results, ok := m.data[signedImgRef.String()]
 	if !ok {
 		return nil, false, fmt.Errorf("failed to find mock data for %s", signedImgRef.String())
--- a/pkg/engine/imageVerify.go
+++ b/pkg/engine/imageVerify.go
@ -203,9 +203,9 @@ func (iv *imageVerifier) verifySignature(imageVerify *v1.ImageVerification, imag
 	start := time.Now()
 	digest, err := cosign.VerifySignature(opts)
 	if err != nil {
-		iv.logger.Info("failed to verify image signature", "image", image, "error", err, "duration", time.Since(start).Seconds())
+		iv.logger.Info("failed to verify image", "image", image, "error", err, "duration", time.Since(start).Seconds())
 		ruleResp.Status = response.RuleStatusFail
-		ruleResp.Message = fmt.Sprintf("image signature verification failed for %s: %v", image, err)
+		ruleResp.Message = fmt.Sprintf("image verification failed for %s: %v", image, err)
 		return ruleResp, ""
 	}

--- a/pkg/kyverno/validate/commmand_test.go
+++ b/pkg/kyverno/validate/commmand_test.go
@ -57,7 +57,7 @@ func Test_validateUsingPolicyCRD(t *testing.T) {
 			}
 		  }
 		`),
-			errorDetail: "spec.rules.name in body should be at most 63 chars long",
+			errorDetail: "spec.rules[0].name in body should be at most 63 chars long",
 			detail:      "Test: char count for rule name",
 		},