diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 663396627..02782f384 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -37,7 +37,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: diff --git a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml index 17b4e6874..705916667 100644 --- a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml +++ b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml @@ -66,7 +66,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@main diff --git a/.github/workflows/kind-cluster-image-policy-resync-period.yaml b/.github/workflows/kind-cluster-image-policy-resync-period.yaml index 5562f6d17..f76b33a64 100644 --- a/.github/workflows/kind-cluster-image-policy-resync-period.yaml +++ b/.github/workflows/kind-cluster-image-policy-resync-period.yaml @@ -66,7 +66,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@main diff --git a/.github/workflows/kind-cluster-image-policy-trustroot.yaml b/.github/workflows/kind-cluster-image-policy-trustroot.yaml index 8332533b7..4e80e9c38 100644 --- a/.github/workflows/kind-cluster-image-policy-trustroot.yaml +++ b/.github/workflows/kind-cluster-image-policy-trustroot.yaml 
@@ -71,7 +71,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@main diff --git a/.github/workflows/kind-cluster-image-policy-tsa.yaml b/.github/workflows/kind-cluster-image-policy-tsa.yaml index 81187c497..75a155dcf 100644 --- a/.github/workflows/kind-cluster-image-policy-tsa.yaml +++ b/.github/workflows/kind-cluster-image-policy-tsa.yaml @@ -66,7 +66,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 # v2 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@v0.5.4 diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml index 241cba8e9..fafe85b42 100644 --- a/.github/workflows/kind-cluster-image-policy.yaml +++ b/.github/workflows/kind-cluster-image-policy.yaml @@ -80,7 +80,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - name: Install cluster + sigstore uses: sigstore/scaffolding/actions/setup@main diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml index 173fba784..81dec27ec 100644 --- a/.github/workflows/kind-e2e-cosigned.yaml +++ b/.github/workflows/kind-e2e-cosigned.yaml @@ -59,7 +59,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - name: Setup mirror uses: chainguard-dev/actions/setup-mirror@main diff --git a/.github/workflows/kind-e2e-trustroot-crd.yaml b/.github/workflows/kind-e2e-trustroot-crd.yaml index a00ddf972..27f5e1ea6 100644 --- a/.github/workflows/kind-e2e-trustroot-crd.yaml +++ b/.github/workflows/kind-e2e-trustroot-crd.yaml 
@@ -59,7 +59,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - name: Setup mirror uses: chainguard-dev/actions/setup-mirror@main diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 4990c70b4..7da004c78 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -27,7 +27,7 @@ jobs: - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341 with: - cosign-release: 'v2.0.0-rc.2' + cosign-release: 'v2.0.0-rc.3' - uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3 diff --git a/go.mod b/go.mod index 4e554bfe7..e2ffa1ed1 100644 --- a/go.mod +++ b/go.mod @@ -11,7 +11,7 @@ require ( github.com/golang/protobuf v1.5.2 github.com/golang/snappy v0.0.4 github.com/google/go-cmp v0.5.9 - github.com/google/go-containerregistry v0.13.0 + github.com/google/go-containerregistry v0.13.1-0.20230203223142-b3c23b4c3f28 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20221114162634-781782aa2757 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221114162634-781782aa2757 github.com/hashicorp/errwrap v1.1.0 @@ -41,7 +41,7 @@ require ( github.com/oklog/run v1.1.0 github.com/pierrec/lz4 v2.6.1+incompatible github.com/ryanuber/go-glob v1.0.0 - github.com/sigstore/cosign/v2 v2.0.0-rc.2 + github.com/sigstore/cosign/v2 v2.0.0-rc.3 github.com/sigstore/rekor v1.0.1 github.com/sigstore/sigstore v1.5.1 github.com/stretchr/testify v1.8.1 @@ -72,7 +72,7 @@ require ( require github.com/hashicorp/go-kms-wrapping/v2 v2.0.8 require ( - cloud.google.com/go/compute v1.15.1 // indirect + cloud.google.com/go/compute v1.18.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v0.8.0 // indirect cloud.google.com/go/kms v1.8.0 // indirect 
@@ -178,7 +178,7 @@ require (
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/google/trillian v1.5.1-0.20220819043421-0a389c4bb8d9 // indirect
 github.com/google/uuid v1.3.0 // indirect
- github.com/googleapis/enterprise-certificate-proxy v0.2.1 // indirect
+ github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
 github.com/googleapis/gax-go/v2 v2.7.0 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.12.0 // indirect
 github.com/hashicorp/vault/api v1.8.2 // indirect
@@ -237,7 +237,7 @@ require (
 github.com/tjfoc/gmsm v1.4.1 // indirect
 github.com/transparency-dev/merkle v0.0.1 // indirect
 github.com/vbatts/tar-split v0.11.2 // indirect
- github.com/xanzy/go-gitlab v0.79.1 // indirect
+ github.com/xanzy/go-gitlab v0.80.2 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 github.com/yashtewari/glob-intersection v0.1.0 // indirect
@@ -255,9 +255,9 @@ require (
 golang.org/x/text v0.7.0 // indirect
 golang.org/x/tools v0.5.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
- google.golang.org/api v0.109.0 // indirect
+ google.golang.org/api v0.110.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
+ google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 1a8d524cb..5a1f708a2 100644
--- a/go.sum
+++ b/go.sum
@@ -24,8 +24,8 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf
 cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/compute v1.15.1 h1:7UGq3QknM33pw5xATlpzeoomNxsacIVvTqTTvbfajmE=
-cloud.google.com/go/compute v1.15.1/go.mod h1:bjjoF/NtFUrkD/urWfdHaKuOPDR5nWIs63rR+SXhcpA=
+cloud.google.com/go/compute v1.18.0 h1:FEigFqoDbys2cvFkZ9Fjq4gnHBP55anJ0yQyau2f9oY=
+cloud.google.com/go/compute v1.18.0/go.mod h1:1X7yHxec2Ga+Ss6jPyjxRxpu2uu7PLgsOVXvgU0yacs=
 cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
@@ -481,8 +481,8 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.13.0 h1:y1C7Z3e149OJbOPDBxLYR8ITPz8dTKqQwjErKVHJC8k=
-github.com/google/go-containerregistry v0.13.0/go.mod h1:J9FQ+eSS4a1aC2GNZxvNpbWhgp0487v+cgiilB4FqDo=
+github.com/google/go-containerregistry v0.13.1-0.20230203223142-b3c23b4c3f28 h1:gFDKHwyCxpzgUozSOM8eLCx0V7muSr30QYU2QH+p48E=
+github.com/google/go-containerregistry v0.13.1-0.20230203223142-b3c23b4c3f28/go.mod h1:J9FQ+eSS4a1aC2GNZxvNpbWhgp0487v+cgiilB4FqDo=
 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20221114162634-781782aa2757 h1:1qKTXnWK6DsOFFfjakWJKMlpfAwmykw6Jjk9SLBsZmI=
 github.com/google/go-containerregistry/pkg/authn/k8schain v0.0.0-20221114162634-781782aa2757/go.mod h1:7QLaBZxN+nMCx82XO5R7qPHq0m61liEg8yca68zymHo=
 github.com/google/go-containerregistry/pkg/authn/kubernetes v0.0.0-20221114162634-781782aa2757 h1:FsE9anmDCfnvZBx/PxdW8JDVJrAtx8zkWkQyHoxA3Jc=
@@ -517,8 +517,8 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.2.1 h1:RY7tHKZcRlk788d5WSo/e83gOyyy742E8GSs771ySpg=
-github.com/googleapis/enterprise-certificate-proxy v0.2.1/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
+github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ=
@@ -828,8 +828,8 @@ github.com/secure-systems-lab/go-securesystemslib v0.4.0/go.mod h1:FGBZgq2tXWICs
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/sigstore/cosign/v2 v2.0.0-rc.2 h1:LDSSQYzThg7uKHJqFBp03kaObTDuWfifJqBiAK1elUU=
-github.com/sigstore/cosign/v2 v2.0.0-rc.2/go.mod h1:oKIsv9cCwtfakSd64Rzief3Izk/cPSkougoWU/F3OBI=
+github.com/sigstore/cosign/v2 v2.0.0-rc.3 h1:Px8xCvmHeDuxqw1AV8kPIczYWu6liWjHANdqimEQvi8=
+github.com/sigstore/cosign/v2 v2.0.0-rc.3/go.mod h1:/+OqaKtAGnfljXeKhNd7fupG1kWX6HgBSxQiEp4gIyw=
 github.com/sigstore/rekor v1.0.1 h1:rcESXSNkAPRWFYZel9rarspdvneET60F2ngNkadi89c=
 github.com/sigstore/rekor v1.0.1/go.mod h1:ecTKdZWGWqE1pl3U1m1JebQJLU/hSjD9vYHOmHQ7w4g=
 github.com/sigstore/sigstore v1.5.1 h1:iUou0QJW8eQKMUkTXbFyof9ZOblDtfaW2Sn2+QI8Tcs=
@@ -917,8 +917,8 @@ github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlI
 github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI=
 github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
-github.com/xanzy/go-gitlab v0.79.1 h1:ZmEei8RZYlqk4D7nYrWWZqywmKBOd7vmPMlJbueZXUU=
-github.com/xanzy/go-gitlab v0.79.1/go.mod h1:DlByVTSXhPsJMYL6+cm8e8fTJjeBmhrXdC/yvkKKt6M=
+github.com/xanzy/go-gitlab v0.80.2 h1:CH1Q7NDklqZllox4ICVF4PwlhQGfPtE+w08Jsb74ZX0=
+github.com/xanzy/go-gitlab v0.80.2/go.mod h1:DlByVTSXhPsJMYL6+cm8e8fTJjeBmhrXdC/yvkKKt6M=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.0.2/go.mod h1:1WAq6h33pAW+iRreB34OORO2Nf7qel3VV3fjBj+hCSs=
 github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g=
@@ -964,7 +964,7 @@ go.opentelemetry.io/otel/sdk v1.11.1 h1:F7KmQgoHljhUuJyA+9BiU+EkJfyX5nVVF4wyzWZp
 go.opentelemetry.io/otel/trace v1.11.2 h1:Xf7hWSF2Glv0DE3MH7fBHvtpSBsjcBUe5MYAmZM/+y0=
 go.opentelemetry.io/otel/trace v1.11.2/go.mod h1:4N+yC7QEz7TTsG9BSRLNAa63eg5E06ObSbKPmxQ/pKA=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
-go.step.sm/crypto v0.24.0 h1:9qzl0cQWHvKxajHLyVrJET+dauYzoVB3PVQDLMYs+HE=
+go.step.sm/crypto v0.25.0 h1:a+7sKyozZH9B30s0dHluygxreUxI1NtCBEmuNXx7a4k=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
@@ -1312,8 +1312,8 @@ google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz513
 google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
 google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
 google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/api v0.109.0 h1:sW9hgHyX497PP5//NUM7nqfV8D0iDfBApqq7sOh1XR8=
-google.golang.org/api v0.109.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY=
+google.golang.org/api v0.110.0 h1:l+rh0KYUooe9JGbGVx71tbFo4SMbMTXK3I3ia2QSEeU=
+google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1361,8 +1361,8 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f h1:BWUVssLB0HVOSY78gIdvk1dTVYtT1y8SBWtPYuTJ/6w=
-google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc h1:ijGwO+0vL2hJt5gaygqP2j6PfflOBrRot0IczKbmtio=
+google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go
index 82aff535b..2d6e6512a 100644
--- a/pkg/webhook/validator.go
+++ b/pkg/webhook/validator.go
@@ -832,7 +832,7 @@ func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Refere
 // path, then error out
 if len(verifiedAttestations) == 0 {
 logging.FromContext(ctx).Errorf("no valid attestations found for authority %s for %s", name, ref.Name())
- return nil, fmt.Errorf("%w for authority %s for %s", cosign.ErrNoMatchingAttestations, name, ref.Name())
+ return nil, fmt.Errorf("%s for authority %s for %s", cosign.ErrNoMatchingAttestationsMessage, name, ref.Name())
 }
 logging.FromContext(ctx).Debugf("Found %d valid attestations, validating policies for them", len(verifiedAttestations))
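Review bot: The `+` line in the `@@ -832` hunk replaces `%w` wrapping of a sentinel with `%s` of a plain message string, so the error returned when no verified attestations exist can no longer be matched with `errors.Is`/`errors.As` by callers; the `@@ -894` hunk of the same file makes the identical change. If cosign rc.3 no longer exports a matchable error (inferred from the rename to `...Message`), a single package-level `var errNoMatchingAttestations = errors.New(cosign.ErrNoMatchingAttestationsMessage)` returned via `fmt.Errorf("%w for authority %s for %s", errNoMatchingAttestations, name, ref.Name())` keeps the message text the tests assert on while still giving callers a sentinel. The `Errorf` log one line above carries the same information as the returned error, so it is worth confirming the caller does not log the failure a second time. ValidatePolicyAttestationsForAuthority begins and ends outside the hunk.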
@@ -894,7 +894,7 @@ func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref name.Refere
 // generic 'no matching attestations'.
 return nil, reterror
 }
- return nil, fmt.Errorf("%w with type %s", cosign.ErrNoMatchingAttestations, wantedAttestation.PredicateType)
+ return nil, fmt.Errorf("%s with type %s", cosign.ErrNoMatchingAttestationsMessage, wantedAttestation.PredicateType)
 }
 ret[wantedAttestation.Name] = attestationToPolicyAttestations(ctx, checkedAttestations)
 }
diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go
index e2ef30c85..74db1f9b0 100644
--- a/pkg/webhook/validator_test.go
+++ b/pkg/webhook/validator_test.go
@@ -1553,7 +1553,7 @@ func TestValidatePolicy(t *testing.T) {
 passKeyless := func(_ context.Context, _ name.Reference, _ *cosign.CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error) {
 // This is from 2022/07/29
 // ghcr.io/distroless/static@sha256:a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8
- payload := []byte(`{"payloadType":"application/vnd.in-toto+json","payload":"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","signatures":[{"keyid":"","sig":"MEYCIQDeQXMMojIpNvxEDLDXUC5aAwCbPPr/0uckP8TCcdTLjgIhAJG6M00kY40bz/C90W0FeUc2YcWY+txD4BPXhzd8E+tP"}]}`)
+ payload := []byte(`{"payloadType":"application/vnd.in-toto+json","payload":"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","signatures":[{"keyid":"","sig":"MEYCIQDeQXMMojIpNvxEDLDXUC5aAwCbPPr/0uckP8TCcdTLjgIhAJG6M00kY40bz/C90W0FeUc2YcWY+txD4BPXhzd8E+tP"}]}`)
 set, err := base64.StdEncoding.DecodeString("MEQCIDBYWwwDW+nH+1vFoTOqHS4jAtVm4Yezq2nAy7vjcV8zAiBkznmgMrz9em4NuB/hl5X/umubhLgwoXgUAY2NJJwu5A==")
 if err != nil {
 return nil, false, err
@@ -1752,7 +1752,7 @@ func TestValidatePolicy(t *testing.T) {
 Attestations: map[string][]PolicyAttestation{
 "test-att": {{
 PolicySignature: PolicySignature{
- ID: "2b65cbf0e7901ba31d55b12d319bca39420af4388d3e5714d16f2019d74e3ab7",
+ ID: "01bd6aec99ad7c5d045d9aab649fd95b7af2b3b23887d34d7fce8b2e3c38ca0e",
 Subject: "https://github.com/distroless/static/.github/workflows/release.yaml@refs/heads/main",
 Issuer: "https://token.actions.githubusercontent.com",
 GithubExtensions: GithubExtensions{
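Review bot: The expected `ID` literal on the `+` line changes with nothing in the test saying how that value is derived, so the next cosign bump will have to rediscover it by running the test and pasting the new failure output. A one-line comment above the field, e.g. `// ID is what the verifier reports for the keyless signing certificate in passKeyless; regenerate after a cosign bump`, would anchor it — what the ID is actually a digest of is not visible here, so confirm before committing the wording. The enclosing test-table entry starts before and ends after this hunk.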
@@ -1764,13 +1764,30 @@ func TestValidatePolicy(t *testing.T) { }, }, PredicateType: "vuln", - Payload: []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"cosign.sigstore.dev/attestation/vuln/v1","subject":[{"name":"ghcr.io/distroless/static","digest":{"sha256":"a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8"}}],"predicate":{"invocation":{"parameters":null,"uri":"https://github.com/distroless/static/actions/runs/2757953139","event_id":"2757953139","builder.id":"Create Release"},"scanner":{"uri":"https://github.com/aquasecurity/trivy","version":"0.29.2","db":{"uri":"","version":""},"result":{"$schema":"https://json.schemastore.org/sarif-2.1.0-rtm.5.json","runs":[{"columnKind":"utf16CodeUnits","originalUriBaseIds":{"ROOTPATH":{"uri":"file:///"}},"results":[],"tool":{"driver":{"fullName":"Trivy Vulnerability Scanner","informationUri":"https://github.com/aquasecurity/trivy","name":"Trivy","rules":[],"version":"0.29.2"}}}],"version":"2.1.0"}},"metadata":{"scanStartedOn":"2022-07-29T02:28:42Z","scanFinishedOn":"2022-07-29T02:28:48Z"}}}`), + Payload: []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://cosign.sigstore.dev/attestation/vuln/v1","subject":[{"name":"ghcr.io/distroless/static","digest":{"sha256":"a1e82f6a5f6dfc735165d3442e7cc5a615f72abac3db19452481f5f3c90fbfa8"}}],"predicate":{"invocation":{"parameters":null,"uri":"https://github.com/distroless/static/actions/runs/2757953139","event_id":"2757953139","builder.id":"Create Release"},"scanner":{"uri":"https://github.com/aquasecurity/trivy","version":"0.29.2","db":{"uri":"","version":""},"result":{"$schema":"https://json.schemastore.org/sarif-2.1.0-rtm.5.json","runs":[{"columnKind":"utf16CodeUnits","originalUriBaseIds":{"ROOTPATH":{"uri":"file:///"}},"results":[],"tool":{"driver":{"fullName":"Trivy Vulnerability 
Scanner","informationUri":"https://github.com/aquasecurity/trivy","name":"Trivy","rules":[],"version":"0.29.2"}}}],"version":"2.1.0"}},"metadata":{"scanStartedOn":"2022-07-29T02:28:42Z","scanFinishedOn":"2022-07-29T02:28:48Z"}}}`), }}, }, }, }, }, cva: passKeyless, + }, { + name: "simple, wrong predicate keyless attestation, error", + policy: webhookcip.ClusterImagePolicy{ + Authorities: []webhookcip.Authority{{ + Name: "authority-0", + Keyless: &webhookcip.KeylessRef{ + URL: fulcioURL, + }, + Attestations: []webhookcip.AttestationPolicy{{ + Name: "test-att", + PredicateType: "custom", // attestation with predicate type vuln + }}, + }, + }, + }, + wantErrs: []string{"no matching attestations with type custom"}, + cva: passKeyless, }} for _, test := range tests { diff --git a/test/e2e_test_cluster_image_policy_with_tsa.sh b/test/e2e_test_cluster_image_policy_with_tsa.sh index cd8cf8225..1a6dc682e 100755 --- a/test/e2e_test_cluster_image_policy_with_tsa.sh +++ b/test/e2e_test_cluster_image_policy_with_tsa.sh @@ -113,6 +113,7 @@ echo '::endgroup::' # Sign it with key echo '::group:: Sign demoimage with key, and add to rekor and TSA' export TSA_URL=`kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}'` +export TSA_URL="${TSA_URL}/api/v1/timestamp" COSIGN_YES="true" COSIGN_PASSWORD="" cosign sign --key cosign.key --allow-insecure-registry --rekor-url ${REKOR_URL} --timestamp-server-url ${TSA_URL} ${demoimage} echo '::endgroup::' @@ -171,6 +172,8 @@ echo '::endgroup::' # Sign it with key echo '::group:: Sign demoimage2 with key, and add to rekor and TSA' export TSA_URL=`kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}'` +# Cosign TSA integration now requires passing the API endpoint URL +export TSA_URL="${TSA_URL}/api/v1/timestamp" COSIGN_YES="true" COSIGN_PASSWORD="" cosign sign --key cosign.key --allow-insecure-registry --rekor-url ${REKOR_URL} --timestamp-server-url ${TSA_URL} ${demoimage2} echo '::endgroup::' 
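Review bot: The added `wantErrs: []string{"no matching attestations with type custom"}` in the new test case hard-codes the wording that the production code now takes from `cosign.ErrNoMatchingAttestationsMessage`, so the next upstream wording change breaks this test even though the behaviour is unchanged. Building the expectation from the same constant, `wantErrs: []string{cosign.ErrNoMatchingAttestationsMessage + " with type custom"}`, keeps the test pinned to the contract rather than the prose. The trailing comment `// attestation with predicate type vuln` would read better as `// passKeyless only yields a "vuln" attestation, so "custom" must not match`. TestValidatePolicy continues outside the hunk.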
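Review bot: The first added `export TSA_URL="${TSA_URL}/api/v1/timestamp"` (hunk `@@ -113`) has no explanation, while the same line in `@@ -171` carries the `# Cosign TSA integration now requires passing the API endpoint URL` comment; the comment belongs on both, or the endpoint suffix belongs in one shared variable set once. If the preceding `kubectl ... get ksvc tsa` prints nothing, the new line turns an empty `TSA_URL` into the relative path `/api/v1/timestamp` and cosign is invoked with a bogus timestamp server, so a guard such as `[ -n "${TSA_URL}" ] || { echo "TSA URL not found"; exit 1; }` before the export would make the e2e failure obvious instead of surfacing as a confusing cosign error.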
diff --git a/test/testdata/policy-controller/e2e/cip-key-with-attestations-no-rekor.yaml b/test/testdata/policy-controller/e2e/cip-key-with-attestations-no-rekor.yaml
index 2fe3ec005..c370e02e8 100644
--- a/test/testdata/policy-controller/e2e/cip-key-with-attestations-no-rekor.yaml
+++ b/test/testdata/policy-controller/e2e/cip-key-with-attestations-no-rekor.yaml
@@ -33,5 +33,5 @@ spec:
 policy:
 type: cue
 data: |
- predicateType: "cosign.sigstore.dev/attestation/v1"
+ predicateType: "https://cosign.sigstore.dev/attestation/v1"
 predicate:
 Data: "foobar key e2e test"
diff --git a/test/testdata/policy-controller/e2e/cip-key-with-attestations-rego.yaml b/test/testdata/policy-controller/e2e/cip-key-with-attestations-rego.yaml
index 92d5f7ecb..eff023b6d 100644
--- a/test/testdata/policy-controller/e2e/cip-key-with-attestations-rego.yaml
+++ b/test/testdata/policy-controller/e2e/cip-key-with-attestations-rego.yaml
@@ -35,5 +35,5 @@ spec:
 policy:
 type: cue
 data: |
- predicateType: "cosign.sigstore.dev/attestation/v1"
+ predicateType: "https://cosign.sigstore.dev/attestation/v1"
 predicate:
 Data: "foobar key e2e test"
diff --git a/test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml b/test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml
index 43abf2021..e31e8218f 100644
--- a/test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml
+++ b/test/testdata/policy-controller/e2e/cip-key-with-attestations.yaml
@@ -35,5 +35,5 @@ spec:
 policy:
 type: cue
 data: |
- predicateType: "cosign.sigstore.dev/attestation/v1"
+ predicateType: "https://cosign.sigstore.dev/attestation/v1"
 predicate:
 Data: "foobar key e2e test"
diff --git a/test/testdata/policy-controller/e2e/cip-keyless-with-attestations-rego.yaml b/test/testdata/policy-controller/e2e/cip-keyless-with-attestations-rego.yaml
index ac089b72f..e87b69b09 100644
--- a/test/testdata/policy-controller/e2e/cip-keyless-with-attestations-rego.yaml
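Review bot: The `+` line in the first hunk pins the `https://`-prefixed `predicateType`, presumably because cosign v2.0.0-rc.3 now emits that form for its built-in attestation types; the same one-line edit is repeated in every e2e ClusterImagePolicy fixture on this page. Nothing in the diff records that user-authored policies matching the bare `cosign.sigstore.dev/attestation/v1` will silently stop matching after this bump, which for an admission controller means attestations that used to be accepted are now rejected, so a changelog or release-note line is warranted. A comment in one fixture such as `# predicateType uses the https:// form that cosign v2.0.0-rc.3 emits` would also spare the next reader the archaeology.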
+++ b/test/testdata/policy-controller/e2e/cip-keyless-with-attestations-rego.yaml @@ -37,7 +37,7 @@ spec: package sigstore default isCompliant = false isCompliant { - input.predicateType == "cosign.sigstore.dev/attestation/v1" + input.predicateType == "https://cosign.sigstore.dev/attestation/v1" input.predicate.Data == "foobar e2e test" } diff --git a/test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml b/test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml index b690fe778..7521d0e18 100644 --- a/test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml +++ b/test/testdata/policy-controller/e2e/cip-keyless-with-attestations.yaml @@ -34,5 +34,5 @@ spec: policy: type: cue data: | - predicateType: "cosign.sigstore.dev/attestation/v1" + predicateType: "https://cosign.sigstore.dev/attestation/v1" predicate: Data: "foobar e2e test" diff --git a/test/testdata/policy-controller/e2e/cip-keyless-with-source-prefix-tag.yaml b/test/testdata/policy-controller/e2e/cip-keyless-with-source-prefix-tag.yaml index 55b72b460..bdcad680c 100644 --- a/test/testdata/policy-controller/e2e/cip-keyless-with-source-prefix-tag.yaml +++ b/test/testdata/policy-controller/e2e/cip-keyless-with-source-prefix-tag.yaml @@ -35,6 +35,6 @@ spec: policy: type: cue data: | - predicateType: "cosign.sigstore.dev/attestation/v1" + predicateType: "https://cosign.sigstore.dev/attestation/v1" predicate: Data: "foobar prefix e2e test" diff --git a/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-remote-with-attestations.yaml b/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-remote-with-attestations.yaml index 44545d3c3..d750a8226 100644 --- a/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-remote-with-attestations.yaml +++ b/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-remote-with-attestations.yaml 
@@ -36,5 +36,5 @@ spec:
 policy:
 type: cue
 data: |
- predicateType: "cosign.sigstore.dev/attestation/v1"
+ predicateType: "https://cosign.sigstore.dev/attestation/v1"
 predicate:
 Data: "foobar e2e test"
diff --git a/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-repository-with-attestations.yaml b/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-repository-with-attestations.yaml
index 8f1c258d4..a4c7f77cf 100644
--- a/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-repository-with-attestations.yaml
+++ b/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-repository-with-attestations.yaml
@@ -36,5 +36,5 @@ spec:
 policy:
 type: cue
 data: |
- predicateType: "cosign.sigstore.dev/attestation/v1"
+ predicateType: "https://cosign.sigstore.dev/attestation/v1"
 predicate:
 Data: "foobar e2e test"
diff --git a/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-with-attestations.yaml b/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-with-attestations.yaml
index 008413ec3..86801347a 100644
--- a/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-with-attestations.yaml
+++ b/test/testdata/policy-controller/e2e/cip-keyless-with-trustroot-with-attestations.yaml
@@ -36,5 +36,5 @@ spec:
 policy:
 type: cue
 data: |
- predicateType: "cosign.sigstore.dev/attestation/v1"
+ predicateType: "https://cosign.sigstore.dev/attestation/v1"
 predicate:
 Data: "foobar e2e test"
diff --git a/test/testdata/policy-controller/e2e/cip-requires-two-signatures-and-two-attestations-rego.yaml b/test/testdata/policy-controller/e2e/cip-requires-two-signatures-and-two-attestations-rego.yaml
index d49475c61..01b45d6d8 100644
--- a/test/testdata/policy-controller/e2e/cip-requires-two-signatures-and-two-attestations-rego.yaml
+++ b/test/testdata/policy-controller/e2e/cip-requires-two-signatures-and-two-attestations-rego.yaml
@@ -36,7 +36,7 @@ spec: data: | import "time" before: time.Parse(time.RFC3339, "2049-10-09T17:10:27Z") - predicateType: "cosign.sigstore.dev/attestation/v1" + predicateType: "https://cosign.sigstore.dev/attestation/v1" predicate: { Data: "foobar e2e test" Timestamp: