package cosign
import (
|
|
"bytes"
|
|
"crypto"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"fmt"
|
|
|
|
"github.com/sigstore/cosign/v2/pkg/oci"
|
|
"github.com/sigstore/sigstore/pkg/cryptoutils"
|
|
"github.com/sigstore/sigstore/pkg/signature"
|
|
)
// signatureAlgorithmMap translates the hash-algorithm name a policy may set
// (lower-case, e.g. "sha512") into the crypto.Hash handed to
// signature.LoadVerifier (see decodePEM). The empty string is accepted so a
// policy that leaves the field unset gets SHA-256. A name that is not listed
// here is simply absent from the map; the lookup then yields crypto.Hash(0),
// and it is up to the caller (not visible here) to treat that as a rejection
// rather than a silent default.
var signatureAlgorithmMap = map[string]crypto.Hash{
	"sha224": crypto.SHA224,
	"sha256": crypto.SHA256,
	"sha384": crypto.SHA384,
	"sha512": crypto.SHA512,
	// unset algorithm -> SHA-256, the usual cosign default
	"": crypto.SHA256,
}
// certPoolFromBytes builds an x509.CertPool from a PEM bundle of root
// certificates.
//
// It relies on x509.CertPool.AppendCertsFromPEM, which adds every
// CERTIFICATE block it can parse and reports false only when nothing was
// added. Consequently a bundle that mixes valid roots with unparsable or
// non-certificate blocks still succeeds with a partial pool; only an input
// that yields no certificate at all (including empty input) is an error.
// Callers that need every block to parse should use certChainFromBytes or
// splitCertChain instead.
//
// Returns the populated pool, or an error when no certificate could be
// loaded from roots.
func certPoolFromBytes(roots []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if loaded := pool.AppendCertsFromPEM(roots); !loaded {
		return nil, fmt.Errorf("error creating root cert pool")
	}
	return pool, nil
}
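// certFromBytes parses a single X.509 certificate supplied either as raw PEM
// or as a base64-encoded PEM document.
//
// The input is first treated as standard base64 (newlines are ignored by the
// decoder); if that fails it is used verbatim. A raw PEM document never
// decodes as base64 because the "-----BEGIN" delimiter contains characters
// outside the alphabet, so the fallback is reliable. Input that is valid
// base64 but does not decode to PEM fails at the PEM step below.
//
// Only the FIRST certificate in the document is returned; any further
// certificates are silently ignored. Callers that expect a full chain should
// use certChainFromBytes or splitCertChain instead, otherwise an operator who
// pastes a chain here ends up with whichever cert happens to be first.
//
// Returns an error when the bytes are not valid PEM or contain no certificate.
func certFromBytes(pem []byte) (*x509.Certificate, error) {
	// Try the base64-wrapped form first; on failure fall back to raw PEM.
	decoded, err := base64.StdEncoding.DecodeString(string(pem))
	if err != nil {
		decoded = pem
	}

	certs, err := cryptoutils.UnmarshalCertificatesFromPEM(decoded)
	if err != nil {
		return nil, fmt.Errorf("failed to unmarshal certificate from PEM format: %w", err)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certs found in pem file")
	}
	// NOTE: extra certificates beyond the first are dropped here by design of
	// the current callers; see the doc comment above.
	return certs[0], nil
}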
// certChainFromBytes parses every certificate found in a PEM document and
// returns them in document order.
//
// Unlike certFromBytes it does not attempt a base64 unwrap and it returns all
// certificates rather than only the first; the parsing itself is delegated to
// sigstore's cryptoutils.LoadCertificatesFromPEM, whose error and empty-input
// behaviour is therefore what callers observe here.
func certChainFromBytes(pem []byte) ([]*x509.Certificate, error) {
	reader := bytes.NewReader(pem)
	return cryptoutils.LoadCertificatesFromPEM(reader)
}
// splitCertChain parses a PEM bundle and sorts its certificates into leaves,
// intermediates and roots using only the certificates' own fields:
//
//   - a certificate whose basic-constraints CA flag is unset (IsCA == false,
//     which is also the case when the extension is absent) is a leaf;
//   - a CA certificate whose raw Subject equals its raw Issuer is a root;
//   - any other CA certificate is an intermediate.
//
// The root test is a NAME comparison, not a signature check: a CA certificate
// that merely claims to be its own issuer lands in roots without its
// self-signature being verified, and no chain relationship between the
// returned groups is validated here. Callers that feed roots into a trust
// store therefore rely on the bundle coming from a trusted source (policy
// configuration) rather than on this function.
//
// Returns the three groups (each possibly empty) in document order, or the
// parse error from cryptoutils.UnmarshalCertificatesFromPEM.
func splitCertChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error) {
	certs, err := cryptoutils.UnmarshalCertificatesFromPEM(pem)
	if err != nil {
		return nil, nil, nil, err
	}

	for _, c := range certs {
		switch {
		case !c.IsCA:
			leaves = append(leaves, c)
		case bytes.Equal(c.RawSubject, c.RawIssuer):
			// self-issued CA: treated as a root (see caveat above)
			roots = append(roots, c)
		default:
			intermediates = append(intermediates, c)
		}
	}

	return leaves, intermediates, roots, nil
}
// decodePEM turns a PEM-encoded public key into a signature.Verifier bound to
// the given hash algorithm.
//
// raw must hold a PEM public key understood by
// cryptoutils.UnmarshalPEMToPublicKey. signatureAlgorithm is normally looked
// up in signatureAlgorithmMap by the caller; what LoadVerifier does with an
// unsupported or zero hash is decided in sigstore, not here.
//
// Returns the verifier and error exactly as produced by signature.LoadVerifier,
// or a wrapped error when the PEM cannot be parsed.
func decodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error) {
	pub, err := cryptoutils.UnmarshalPEMToPublicKey(raw)
	if err != nil {
		return nil, fmt.Errorf("pem to public key: %w", err)
	}
	// Pass LoadVerifier's result through untouched so callers see its exact
	// (verifier, error) contract.
	return signature.LoadVerifier(pub, signatureAlgorithm)
}
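// checkSignatureAnnotations verifies that every annotation required by the
// policy is present on the signature with exactly the expected value.
//
// Previously a required key was looked up with a plain map index, so a key
// whose expected value is the empty string was satisfied by a signature that
// did not carry the key at all. The lookup now distinguishes "absent" from
// "present with empty value": a required key must exist on the signature,
// whatever its expected value. This is stricter only for policies that
// require an annotation with an empty value.
//
// sig.Annotations() is always consulted, even when annotations is empty, so
// a signature whose annotations cannot be read still fails the check. Keys on
// the signature that the policy does not mention are ignored. Because
// annotations is a map, the error reported when several keys mismatch is the
// first one encountered in iteration order, which is not deterministic.
//
// Returns nil when all required annotations match, otherwise an error naming
// the first offending key.
func checkSignatureAnnotations(sig oci.Signature, annotations map[string]string) error {
	sigAnnotations, err := sig.Annotations()
	if err != nil {
		return fmt.Errorf("failed to fetch annotation from signature: %w", err)
	}
	for key, want := range annotations {
		got, present := sigAnnotations[key]
		if !present {
			return fmt.Errorf("annotations mismatch: required key %s is not present on the signature", key)
		}
		if got != want {
			return fmt.Errorf("annotations mismatch: %s does not match expected value %s for key %s",
				got, want, key)
		}
	}
	return nil
}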