Add support for Sigstore Bundle Spec #1725
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Cody Soyland <[email protected]>
Signed-off-by: Cody Soyland <[email protected]> Sync TUF cache used for sigstore bundle verification (sigstore#166) * sync tuf cache used for sigstore bundle verification Signed-off-by: Meredith Lancaster <[email protected]> * remove singleton err Signed-off-by: Meredith Lancaster <[email protected]> * start adding lock Signed-off-by: Meredith Lancaster <[email protected]> * Use RWMutex Signed-off-by: Meredith Lancaster <[email protected]> * pr feedback Signed-off-by: Meredith Lancaster <[email protected]> --------- Signed-off-by: Meredith Lancaster <[email protected]> Fix shadowed trustedroot (sigstore#178) * Fix shadowed variable bug This code caused the singleton `trustedRoot` to be returned as nil on subsequent calls. The singleton was shadowed when the variable was redeclared in the `if` block. Signed-off-by: Cody Soyland <[email protected]> * Remove unused singleton `singletonRootError` was never returned without being overwritten, so it was essentially unused. I think it's wise to always retry the TUF call on future invocations in case of network errors. Signed-off-by: Cody Soyland <[email protected]> --------- Signed-off-by: Cody Soyland <[email protected]>
…igstore#171) * move trustroot resync period configration to different package Signed-off-by: Meredith Lancaster <[email protected]> * add license Signed-off-by: Meredith Lancaster <[email protected]> * comment Signed-off-by: Meredith Lancaster <[email protected]> * rename files Signed-off-by: Meredith Lancaster <[email protected]> --------- Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Cody Soyland <[email protected]>
Signed-off-by: Cody Soyland <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Note: this PR depends on this unmerged cosign PR. This PR will remain in draft status until the cosign PR is merged.
This PR adds support for the Cosign Bundle Spec for verifying attestations.
To enable, the
ClusterImagePolicyauthority section now includes aSignatureFormatfield, which may be set to "bundle" in order to enable bundle verification.Release Note
Documentation