diff --git a/pkg/cosign/cosign.go b/pkg/cosign/cosign.go
index 818342806d..24f51b4416 100644
--- a/pkg/cosign/cosign.go
+++ b/pkg/cosign/cosign.go
@@ -5,6 +5,7 @@ import (
"crypto"
"encoding/json"
"fmt"
+ "github.com/gardener/controller-manager-library/pkg/logger"
"github.com/go-logr/logr"
"github.com/google/go-containerregistry/pkg/authn"
"github.com/google/go-containerregistry/pkg/authn/k8schain"
@@ -13,6 +14,7 @@ import (
"github.com/sigstore/cosign/pkg/cosign"
"github.com/sigstore/sigstore/pkg/signature"
"k8s.io/client-go/kubernetes"
+ "strings"
)
// Initialize loads the image pull secrets and initializes the default auth method for container registry API calls
@@ -54,6 +56,14 @@ func Verify(imageRef string, key []byte, log logr.Logger) (digest string, err er
verified, err := cosign.Verify(context.Background(), ref, cosignOpts, "https://rekor.sigstore.dev")
if err != nil {
+ msg := err.Error()
+ logger.Info("image verification failed", "error", msg)
+ if strings.Contains(msg, "NAME_UNKNOWN: repository name not known to registry") {
+ return "", fmt.Errorf("signature not found")
+ } else if strings.Contains(msg, "no matching signatures") {
+ return "", fmt.Errorf("invalid signature")
+ }
+
return "", errors.Wrap(err, "failed to verify image")
}
diff --git a/pkg/engine/context/evaluate.go b/pkg/engine/context/evaluate.go
index 7dcfc84540..d102fd7703 100644
--- a/pkg/engine/context/evaluate.go
+++ b/pkg/engine/context/evaluate.go
@@ -66,11 +66,10 @@ func (ctx *Context) isBuiltInVariable(variable string) bool {
return false
}
-
func (ctx *Context) HasChanged(jmespath string) (bool, error) {
objData, err := ctx.Query("request.object." + jmespath)
if err != nil {
- return false, errors.Wrap(err,"failed to query request.object")
+ return false, errors.Wrap(err, "failed to query request.object")
}
if objData == nil {
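Review bot: The two classified branches added inside `if err != nil` in Verify (pkg/cosign/cosign.go, hunk `@@ -54,6 +56,14 @@`) return `fmt.Errorf("signature not found")` and `fmt.Errorf("invalid signature")`, discarding the cosign error that the fallthrough path still wraps, so the actual cause is only recoverable from the log line; keeping the chain with `return "", errors.Wrap(err, "signature not found")` and `return "", errors.Wrap(err, "invalid signature")` preserves both the short message and the detail. The classification itself is a substring match on `err.Error()`, so any wording change in go-containerregistry or cosign silently routes those cases back to the generic "failed to verify image" error — worth a comment on the `msg := err.Error()` line such as `// NOTE: classification relies on registry/cosign error message text; revisit if typed errors become available`. The log call uses a package-level logger pulled in from github.com/gardener/controller-manager-library (import hunk `@@ -5,6 +5,7 @@`) although Verify already receives `log logr.Logger`; `log.Info("image verification failed", "error", msg)` avoids the new dependency, and the `"strings"` import belongs in the stdlib group rather than after k8s.io. Verify starts before this hunk and continues after it.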
@@ -79,7 +78,7 @@ func (ctx *Context) HasChanged(jmespath string) (bool, error) {
oldObjData, err := ctx.Query("request.oldObject." + jmespath)
if err != nil {
- return false, errors.Wrap(err,"failed to query request.object")
+ return false, errors.Wrap(err, "failed to query request.object")
}
if oldObjData == nil {
@@ -92,4 +91,3 @@ func (ctx *Context) HasChanged(jmespath string) (bool, error) {
return true, nil
}
-
diff --git a/pkg/engine/utils/utils.go b/pkg/engine/utils/utils.go
index 6d2b0f82f6..f9b621060d 100644
--- a/pkg/engine/utils/utils.go
+++ b/pkg/engine/utils/utils.go
@@ -116,7 +116,7 @@ func JsonPointerToJMESPath(jsonPointer string) string {
tokens := strings.Split(jsonPointer, "/")
i := 0
for _, t := range tokens {
- if t == ""{
+ if t == "" {
continue
}
@@ -134,4 +134,4 @@ func JsonPointerToJMESPath(jsonPointer string) string {
}
return sb.String()
-}
\ No newline at end of file
+}
diff --git a/pkg/engine/utils/utils_test.go b/pkg/engine/utils/utils_test.go
index 01e7982fd6..536780fb29 100644
--- a/pkg/engine/utils/utils_test.go
+++ b/pkg/engine/utils/utils_test.go
@@ -29,9 +29,9 @@ func TestGetAnchorsFromMap_ThereAreNoAnchors(t *testing.T) {
}
func Test_JsonPointerToJMESPath(t *testing.T) {
- assert.Equal(t, "a.b.c[1].d", JsonPointerToJMESPath("a/b/c/1//d"), )
- assert.Equal(t, "a.b.c[1].d", JsonPointerToJMESPath("/a/b/c/1/d"), )
- assert.Equal(t, "a.b.c[1].d", JsonPointerToJMESPath("/a/b/c/1/d/"), )
- assert.Equal(t, "a[1].b.c[1].d", JsonPointerToJMESPath("a/1/b/c/1/d"), )
- assert.Equal(t, "a[1].b.c[1].d[2]", JsonPointerToJMESPath("/a/1/b/c/1/d/2/"), )
-}
\ No newline at end of file
+ assert.Equal(t, "a.b.c[1].d", JsonPointerToJMESPath("a/b/c/1//d"))
+ assert.Equal(t, "a.b.c[1].d", JsonPointerToJMESPath("/a/b/c/1/d"))
+ assert.Equal(t, "a.b.c[1].d", JsonPointerToJMESPath("/a/b/c/1/d/"))
+ assert.Equal(t, "a[1].b.c[1].d", JsonPointerToJMESPath("a/1/b/c/1/d"))
+ assert.Equal(t, "a[1].b.c[1].d[2]", JsonPointerToJMESPath("/a/1/b/c/1/d/2/"))
+}