Support Sigstore bundle verification for cosign v3#3
Merged
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…st to c7d4414 Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Add log.WithField("function", ...) to PURL and sigstore custom Rego
builtin functions to ease troubleshooting. This follows the same
pattern already used in the OCI builtin functions.
Functions updated:
- ec.purl.is_valid
- ec.purl.parse
- ec.sigstore.verify_image
- ec.sigstore.verify_attestation
Ref: EC-1668
Resolves: conforma#1361
Signed-off-by: Rob Nester <rnester@redhat.com>
add structured logging to PURL and sigstore Rego builtins
Not related to, but done in the PR for... Ref: https://issues.redhat.com/browse/EC-1647
This adds a --skip-image-sig-check flag to ec validate image. It defaults to false currently so we're not changing the default behavior. Motivation: It's been suggested that the image signing that Tekton Chains does is low value, since it will sign whatever image ref is found in a task or pipeline result. See tektoncd/chains#1346 which suggests it should stop doing it. (Attestation signing remains crucial though since Chains is the thing creating those.) Additionally, we need to support verifying "keyless" signatures in our Tekton task, which IIUC will require providing different oidc identities for each component image, since in Konflux the service account is different for different components, and a different identity to verify the attestation signature. Conforma doesn't support this currently. We could implement support for providing multiple oidc identities, but being able to skip the image signature check means we can more quickly support verifying keylessly signed attestations. Ref: https://issues.redhat.com/browse/EC-1647 Co-authored-by: Claude Code <noreply@anthropic.com>
Covers scenarios where the image sig is valid, and also when it is invalid. Ref: https://issues.redhat.com/browse/EC-1647
…mages Update registry.access.redhat.com/ubi9/ubi-minimal:latest Docker digest to c7d4414 (main)
…registry Bump conforma/go-containerregistry
Update Konflux references (main)
…-main/docker-images Update registry.access.redhat.com/ubi9/ubi-minimal:latest Docker digest to c7d4414 (main)
…b.com-sigstore-rekor-vulnerability Update module github.com/sigstore/rekor to v1.5.0 [SECURITY] (main)
…thub-actions Update github/codeql-action action to v4.32.4 (main)
…ctions Update github actions (main) (minor)
I guess our Renovate PRs don't do this. Unrelated cleanup while working on the PR for.... Ref: https://issues.redhat.com/browse/EC-1681
The goal is to be able to access the task definitions inside a Tekton task bundle, so we can then apply task definition related policy checks to them, but I think this is a generally useful addition to our custom oci functions. Ref: https://issues.redhat.com/browse/EC-1681 Co-authored-by: Claude Code <noreply@anthropic.com>
Introduce a limit to avoid potential memory exhaustion attacks. Honestly I'm not sure how important this is, but I guess it's fine. It was suggested in code review by Qodo. We actually did have a limit in the past, but it was too small, and caused problems with large SBOMs. I hesitated to bring back a limit; however, the context is a little different, ociBlob vs ociBlobFile, and I'm making the limit 500MB instead of 10MB. Ref: https://issues.redhat.com/browse/EC-1681 Co-authored-by: Claude Code <noreply@anthropic.com>
Multiple LLMs are worried about using the same cache key for two potentially different things. Let's make it clear that it's not a problem. In reality I don't think it could be a problem, since the cache key includes the image ref, which in the case of a blob will always have a digest. But, I figure there's no harm in making the code intent clear, and avoid having to explain that subtle detail to the bots. Ref: https://issues.redhat.com/browse/EC-1681 Co-authored-by: Claude Code <noreply@anthropic.com>
Sometimes Claude doesn't format everything so I want an easy way to fix the formatting. There might be a better way to do it (and maybe make lintfix will do it?), but this works for me. Unrelated tweak while working on... Ref: https://issues.redhat.com/browse/EC-1681
Well the bot wanted the limit checks, then the bot pointed out that they aren't very effective. I don't want to add limit checks on all the oci fetches, but I also don't want to re-remove what we have here, so let's at least point out that its value is questionable. Ref: https://issues.redhat.com/browse/EC-1681
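An added example (not code from the conforma project) illustrating the bounded-read idea behind the ociBlobFile limit discussed in the two commit messages above: `fetchBlobBounded` is a hypothetical helper, the body is a constructed sample that is larger than its descriptor claims, and the 32-byte limit stands in for the 500MB default.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

var ErrBlobTooLarge = errors.New("oci blob exceeds size limit")

// readBlobBounded buffers at most limit bytes from r. It reads limit+1 bytes so
// "exactly at the limit" and "over the limit" are distinguishable while never
// holding more than limit+1 bytes in memory.
func readBlobBounded(r io.Reader, limit int64) ([]byte, error) {
	if limit <= 0 {
		return nil, fmt.Errorf("invalid blob size limit %d", limit)
	}
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, fmt.Errorf("%w: more than %d bytes", ErrBlobTooLarge, limit)
	}
	return data, nil
}

// fetchBlobBounded is a hypothetical fetch helper: declaredSize is the size the
// OCI descriptor advertises and open streams the blob body. The declared size
// allows a cheap early rejection, but it is supplied by the registry, so the
// byte count is enforced on the stream as well.
func fetchBlobBounded(declaredSize int64, open func() (io.ReadCloser, error), limit int64) ([]byte, error) {
	if declaredSize > limit {
		return nil, fmt.Errorf("%w: descriptor declares %d bytes", ErrBlobTooLarge, declaredSize)
	}
	rc, err := open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return readBlobBounded(rc, limit)
}

func main() {
	// Constructed sample: a body that is larger than its descriptor claims.
	body := bytes.Repeat([]byte("x"), 64)
	open := func() (io.ReadCloser, error) { return io.NopCloser(bytes.NewReader(body)), nil }
	_, err := fetchBlobBounded(10, open, 32)
	fmt.Println("declared 10, streamed 64, limit 32:", err)
}
```

The descriptor check alone is the "questionable value" case from the commit message: it only rejects what the registry admits to, so the stream-side bound is the part that actually caps memory.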
Since we're using the cache for both image files and blob files, let's stop calling it imageFilesCache. Same thing for single flight. Suggested by Qodo in code review. Co-authored-by: Claude Code <noreply@anthropic.com> Ref: https://issues.redhat.com/browse/EC-1681
Done like this: curl -sL https://github.com/simonbaird/konflux-pipeline-patcher/raw/main/pipeline-patcher | bash -s bump-task-refs But I manually updated these since the bash script doesn't update the tag versions: - init 0.3 -> 0.4 - buildah-remote-oci-ta 0.8 -> 0.9 - push-dockerfile-oci-ta 0.1 -> 0.2 No migrations are needed iiuc. The init task was the motivation for this since the 0.3 versions are now expired. I'm doing the other two to keep ahead of things.
…r-konflux-refs chore(deps): Update Konflux task refs
Add new rego function for blob files
cosign v3 stores signatures as OCI referrer bundles by default, but ec only supported the legacy tag-based format. Detect bundles via cosign.GetBundles() and route verification through the bundle-aware code path, matching what the cosign CLI already does internally. Also fix typos and incorrect examples in CLI help text. Signed-off-by: SequeI <asiek@redhat.com>
Signed-off-by: SequeI <asiek@redhat.com>
Signed-off-by: SequeI <asiek@redhat.com>

cosign v3 stores signatures as OCI referrer bundles by default, but ec only supported the legacy tag-based format. Detect bundles via cosign.GetBundles() and route verification through the bundle-aware code path, matching what the cosign CLI already does internally.
Also fix typos and incorrect examples in CLI help text.