Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cosign: allow identity matching for keyless verification #1250

Merged
merged 2 commits into from
Nov 2, 2023
Merged

cosign: allow identity matching for keyless verification #1250

merged 2 commits into from
Nov 2, 2023

Conversation

aryan9600
Copy link
Member

@aryan9600 aryan9600 commented Oct 5, 2023
edited
Loading

Add .spec.verify.matchOIDCIdentity to OCIRepository and HelmChart. It allows specifying a regexp to match against the subject and issuer of the certificate related to the artifact signature, if the artifact was signed using Cosign keyless signing.

@aryan9600 aryan9600 added enhancement New feature or request area/security Security related issues and pull requests area/oci OCI related issues and pull requests labels Oct 5, 2023
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch from 5b3d641 to 9e3cc30 Compare October 5, 2023 12:12
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch from 213d780 to 3869d94 Compare October 6, 2023 14:53
stefanprodan
stefanprodan reviewed Oct 6, 2023
View reviewed changes
docs/spec/v1beta2/helmcharts.md Outdated Show resolved Hide resolved
docs/spec/v1beta2/helmcharts.md Outdated Show resolved Hide resolved
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch from 3869d94 to dea0e1d Compare October 6, 2023 15:18
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch 2 times, most recently from c16697c to 8b69555 Compare October 9, 2023 09:43
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch 2 times, most recently from dd648db to b60cbe2 Compare October 10, 2023 16:27
stefanprodan
stefanprodan approved these changes Oct 12, 2023
View reviewed changes
Copy link
Member

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @aryan9600 🥇

darkowlzz
darkowlzz reviewed Oct 12, 2023
View reviewed changes
internal/controller/helmchart_controller_test.go Outdated Show resolved Hide resolved
internal/oci/verifier.go Outdated Show resolved Hide resolved
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch 3 times, most recently from 22c9fb3 to f77b0ce Compare October 13, 2023 11:22
@aryan9600 aryan9600 requested a review from darkowlzz October 17, 2023 07:19
@stefanprodan stefanprodan added the area/api API related issues and pull requests label Oct 17, 2023
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch 2 times, most recently from e031b44 to fda2259 Compare October 18, 2023 20:02
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch 2 times, most recently from 7ec83f8 to ab285ca Compare October 23, 2023 10:48
darkowlzz
darkowlzz approved these changes Oct 25, 2023
View reviewed changes
Copy link
Contributor

@darkowlzz darkowlzz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a small suggestion.
Otherwise, it LGTM.

internal/controller/helmchart_controller_test.go Outdated Show resolved Hide resolved
@stefanprodan stefanprodan mentioned this pull request Oct 28, 2023
Open
@aryan9600
cosign: allow identity matching for keyless verification
d855805 
Add `.spec.verify.matchOIDCIdentity` to OCIRepository and HelmChart.
It allows specifying regular expressions to match against the subject and
issuer of the certificate related to the artifact signature. Its used
only if the artifact was signed using Cosign keyless signing.

Signed-off-by: Sanskar Jaiswal <[email protected]>
@aryan9600 aryan9600 force-pushed the cosign-identity-matching branch from ab285ca to fcaf86e Compare October 31, 2023 15:04
@aryan9600 aryan9600 merged commit a8a8196 into main Nov 2, 2023
10 checks passed
@aryan9600 aryan9600 deleted the cosign-identity-matching branch November 2, 2023 15:13
@stefanprodan stefanprodan mentioned this pull request Nov 7, 2023
Merged
@stefanprodan stefanprodan mentioned this pull request Nov 16, 2023
Closed
14 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanprodan stefanprodan stefanprodan approved these changes

@darkowlzz darkowlzz darkowlzz approved these changes

Assignees
No one assigned
Labels
area/api API related issues and pull requests area/oci OCI related issues and pull requests area/security Security related issues and pull requests enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aryan9600 @darkowlzz @stefanprodan