
Commit 530fd7b

Merge pull request #3140 from simonbaird/task-keyless-support
Support validating keyless signed images in v-e-c tekton task
2 parents bb47538 + 63baa34 commit 530fd7b

7 files changed

Lines changed: 651 additions & 42 deletions

File tree

docs/modules/ROOT/pages/verify-enterprise-contract.adoc

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,8 @@ You can also specify a policy configuration using a git url, e.g.
3434
*Default*: `enterprise-contract-service/default`
3535
*PUBLIC_KEY* (`string`):: Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.
3636
*REKOR_HOST* (`string`):: Rekor host for transparency log lookups
37+
*CERTIFICATE_IDENTITY* (`string`):: Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing.
38+
*CERTIFICATE_OIDC_ISSUER* (`string`):: Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing.
3739
*IGNORE_REKOR* (`string`):: Skip Rekor transparency log checks during validation.
3840
+
3941
*Default*: `false`
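Review bot: the two new entries (CERTIFICATE_IDENTITY and CERTIFICATE_OIDC_ISSUER) do not say how they relate to PUBLIC_KEY or to each other; the reader cannot tell from this hunk whether both must be supplied together for keyless verification, whether they are an alternative to PUBLIC_KEY or can be combined with it, and whether the identity is matched exactly or as a pattern. The neighbouring entries show a `*Default*:` line (e.g. IGNORE_REKOR has `*Default*: \`false\``), so a default (presumably empty) should be stated for both to keep the section consistent. It would also help to note next to them that keyless verification relies on the transparency log, so the REKOR_HOST / IGNORE_REKOR settings documented just below matter more in that mode.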

features/__snapshots__/task_validate_image.snap

Lines changed: 273 additions & 0 deletions
@@ -180,3 +180,276 @@ true
180180
"TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":3,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
181181
}
182182
---
183+
184+
[Keyless signing verification cosign v3 style:report-json - 1]
185+
{
186+
"success": true,
187+
"components": [
188+
{
189+
"name": "",
190+
"containerImage": "quay.io/conforma/test@sha256:712ca3a7fcd41fe6b3e6f434a31f738743b6c31f1d81ad458502d6b0239a8903",
191+
"source": {},
192+
"successes": [
193+
{
194+
"msg": "Pass",
195+
"metadata": {
196+
"code": "builtin.attestation.signature_check",
197+
"description": "The attestation signature matches available signing materials.",
198+
"title": "Attestation signature check passed"
199+
}
200+
},
201+
{
202+
"msg": "Pass",
203+
"metadata": {
204+
"code": "builtin.attestation.syntax_check",
205+
"description": "The attestation has correct syntax.",
206+
"title": "Attestation syntax check passed"
207+
}
208+
},
209+
{
210+
"msg": "Pass",
211+
"metadata": {
212+
"code": "builtin.image.signature_check",
213+
"description": "The image signature matches available signing materials.",
214+
"title": "Image signature check passed"
215+
}
216+
},
217+
{
218+
"msg": "Pass",
219+
"metadata": {
220+
"code": "slsa_provenance_available.allowed_predicate_types_provided",
221+
"collections": [
222+
"minimal",
223+
"slsa3",
224+
"redhat",
225+
"redhat_rpms",
226+
"policy_data"
227+
],
228+
"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.",
229+
"title": "Allowed predicate types provided"
230+
}
231+
},
232+
{
233+
"msg": "Pass",
234+
"metadata": {
235+
"code": "slsa_provenance_available.attestation_predicate_type_accepted",
236+
"collections": [
237+
"minimal",
238+
"slsa3",
239+
"redhat",
240+
"redhat_rpms"
241+
],
242+
"depends_on": [
243+
"attestation_type.known_attestation_type"
244+
],
245+
"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.",
246+
"title": "Expected attestation predicate type found"
247+
}
248+
}
249+
],
250+
"success": true,
251+
"signatures": [
252+
{
253+
"keyid": "",
254+
"sig": ""
255+
},
256+
{
257+
"keyid": "",
258+
"sig": ""
259+
}
260+
],
261+
"attestations": [
262+
{
263+
"type": "https://in-toto.io/Statement/v0.1",
264+
"predicateType": "https://slsa.dev/provenance/v1",
265+
"signatures": [
266+
{
267+
"keyid": "",
268+
"sig": "MEUCIQC5bGm4zzbExXBMrZCmqZ98iqUhi8TV/maq/8dJ/c3POAIgCNw+RkeO7PAkT6JDWIvISZ2AjILu9YuPQ0qqfNwCqug="
269+
}
270+
]
271+
},
272+
{
273+
"type": "https://in-toto.io/Statement/v0.1",
274+
"predicateType": "https://sigstore.dev/cosign/sign/v1",
275+
"signatures": [
276+
{
277+
"keyid": "",
278+
"sig": "MEUCID1cJkxyk1oGvXcoAVkDST9A1vfX2gxPEz+LUzN10nDmAiEAxh9rp79yr4fZmAWWOit0dZ5QWK+uYIU8fQVb0/rLIyM="
279+
}
280+
]
281+
}
282+
]
283+
}
284+
],
285+
"key": "",
286+
"policy": {
287+
"sources": [
288+
{
289+
"policy": [
290+
"git::github.com/conforma/policy//policy/release?ref=0de5461c14413484575e63e96ddb514d8ab954b5",
291+
"git::github.com/conforma/policy//policy/lib?ref=0de5461c14413484575e63e96ddb514d8ab954b5"
292+
],
293+
"config": {
294+
"include": [
295+
"slsa_provenance_available"
296+
]
297+
}
298+
}
299+
],
300+
"rekorUrl": "https://rekor.sigstore.dev"
301+
},
302+
"ec-version": "${EC_VERSION}",
303+
"effective-time": "${TIMESTAMP}"
304+
}
305+
---
306+
307+
[Keyless signing verification cosign v3 style:results - 1]
308+
{
309+
"TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":5,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
310+
}
311+
---
312+
313+
[Keyless signing verification cosign v2 style:report-json - 1]
314+
{
315+
"success": true,
316+
"components": [
317+
{
318+
"name": "",
319+
"containerImage": "quay.io/conforma/test@sha256:03a10dff06ae364ef9727d562e7077b135b00c7a978e571c4354519e6d0f23b8",
320+
"source": {},
321+
"successes": [
322+
{
323+
"msg": "Pass",
324+
"metadata": {
325+
"code": "builtin.attestation.signature_check",
326+
"description": "The attestation signature matches available signing materials.",
327+
"title": "Attestation signature check passed"
328+
}
329+
},
330+
{
331+
"msg": "Pass",
332+
"metadata": {
333+
"code": "builtin.attestation.syntax_check",
334+
"description": "The attestation has correct syntax.",
335+
"title": "Attestation syntax check passed"
336+
}
337+
},
338+
{
339+
"msg": "Pass",
340+
"metadata": {
341+
"code": "builtin.image.signature_check",
342+
"description": "The image signature matches available signing materials.",
343+
"title": "Image signature check passed"
344+
}
345+
},
346+
{
347+
"msg": "Pass",
348+
"metadata": {
349+
"code": "slsa_provenance_available.allowed_predicate_types_provided",
350+
"collections": [
351+
"minimal",
352+
"slsa3",
353+
"redhat",
354+
"redhat_rpms",
355+
"policy_data"
356+
],
357+
"description": "Confirm the `allowed_predicate_types` rule data was provided, since it is required by the policy rules in this package.",
358+
"title": "Allowed predicate types provided"
359+
}
360+
},
361+
{
362+
"msg": "Pass",
363+
"metadata": {
364+
"code": "slsa_provenance_available.attestation_predicate_type_accepted",
365+
"collections": [
366+
"minimal",
367+
"slsa3",
368+
"redhat",
369+
"redhat_rpms"
370+
],
371+
"depends_on": [
372+
"attestation_type.known_attestation_type"
373+
],
374+
"description": "Verify that the predicateType field of the attestation indicates the in-toto SLSA Provenance format was used to attest the PipelineRun.",
375+
"title": "Expected attestation predicate type found"
376+
}
377+
}
378+
],
379+
"success": true,
380+
"signatures": [
381+
{
382+
"keyid": "dc5f3121f1f76f0d687877532ce44ff55aab2050",
383+
"sig": "MEUCIQDV4du9T+vV6dtN1LsCrZgByokRslw43oxscniN3wbaigIgMV+NFgix7ZjqhIpXFIMVFl1CQuya8JQsYP96ByA5iAc=",
384+
"certificate": "-----BEGIN CERTIFICATE-----\nMIIC0zCCAlqgAwIBAgIUfPJP4pJfIr6Pgt2Q2J9hu4DqoJcwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjYwMzAzMTkxNjUyWhcNMjYwMzAzMTkyNjUyWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEGMk9duvfPU07wcRpBWKXUi8bmr833N3pKhP2\nGCVBlFxZIRcD01FKT4TEMvlRIq8gZJO4eQ/WvEL/NpNmkk+PzaOCAXkwggF1MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU3F8x\nIfH3bw1oeHdTLORP9VqrIFAwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wKQYDVR0RAQH/BB8wHYEbY29uZm9ybWFjb21tdW5pdHlAZ21haWwuY29tMCkG\nCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgorBgEE\nAYO/MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBigYKKwYBBAHW\neQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAAB\nnLUhueMAAAQDAEcwRQIgARu6tEmE0vUHU+MhCQB6tzwROaEn4VdlfGBFWQxxcygC\nIQCHm2/lgszmmt2gC6Pl2bfvCRDKewUQDvWjzNqq8WtPczAKBggqhkjOPQQDAwNn\nADBkAjAMnyVwJVMQflB7Iwfte7cuOYYN2uvmEibKwjmmPgZOq43vSH9Y9gtUvyJk\nZ23vTpwCMHKChuWjhTQgxczH7MhKUO2IphbaHeJYmeFa4rrswhv6h9z6v5IIPovF\nsdbKg+sEHw==\n-----END CERTIFICATE-----\n",
385+
"chain": [
386+
"-----BEGIN CERTIFICATE-----\nMIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C\nAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7\n7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS\n0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB\nBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp\nKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI\nzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR\nnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP\nmygUY7Ii2zbdCdliiow=\n-----END CERTIFICATE-----\n",
387+
"-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----\n"
388+
],
389+
"metadata": {
390+
"Fulcio Issuer": "https://accounts.google.com",
391+
"Fulcio Issuer (V2)": "https://accounts.google.com",
392+
"Issuer": "CN=sigstore-intermediate,O=sigstore.dev",
393+
"Not After": "${TIMESTAMP}",
394+
"Not Before": "${TIMESTAMP}",
395+
"Serial Number": "7cf24fe2925f22be8f82dd90d89f61bb80eaa097",
396+
"Subject Alternative Name": "Email Addresses:conformacommunity@gmail.com"
397+
}
398+
}
399+
],
400+
"attestations": [
401+
{
402+
"type": "https://in-toto.io/Statement/v0.1",
403+
"predicateType": "https://slsa.dev/provenance/v1",
404+
"predicateBuildType": "https://example.com/build-type/v1",
405+
"signatures": [
406+
{
407+
"keyid": "17d7418e0517e21e30f4fe144128b7ca1d1bb2ac",
408+
"sig": "MEUCIBvsTgzJ5DOVIEAH/u5eav7C3QXx6ttR0tZxFQlJe6c4AiEAtIid+gk+EqgxSYNBLquaq2dfdWBL28yR1EOjn/Fi1T8=",
409+
"certificate": "-----BEGIN CERTIFICATE-----\nMIIC1TCCAlqgAwIBAgIUPUQSAPNDQoKF8C3ufUx0Jta8GvEwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjYwMzAzMTkxNzA1WhcNMjYwMzAzMTkyNzA1WjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAE81mfg8hXUQRHdZpbbST2ckHT4YrcRPRvM+tc\nRmcvvexGuwm0yIOBZqIqXeyd/YrJn9MjBdHrmyKIztdR9mdpUaOCAXkwggF1MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUF9dB\njgUX4h4w9P4UQSi3yh0bsqwwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wKQYDVR0RAQH/BB8wHYEbY29uZm9ybWFjb21tdW5pdHlAZ21haWwuY29tMCkG\nCisGAQQBg78wAQEEG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTArBgorBgEE\nAYO/MAEIBB0MG2h0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbTCBigYKKwYBBAHW\neQIEAgR8BHoAeAB2AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAAB\nnLUh7ZUAAAQDAEcwRQIgY5+UpYgU0LsrAiTQSoeLquv9EVJ8lH4rtxQupmSWDWwC\nIQC6zpOJpx/ryldrjdpfycB9wBWIexg+/XC8Avdv9W2D3jAKBggqhkjOPQQDAwNp\nADBmAjEA/LIHzfKog0PwRohtlpLV32CpVyWrTt9jK84quvooFP5dgeegze/A4mrk\n0bO73KdEAjEA94BFoAYPJw1RTmIw5VnZXbYKqhlt0hm4nTx9pVoGQMFEtnIguX7f\nNnaoX2+paxVF\n-----END CERTIFICATE-----\n",
410+
"chain": [
411+
"-----BEGIN CERTIFICATE-----\nMIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C\nAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7\n7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS\n0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB\nBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp\nKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI\nzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR\nnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP\nmygUY7Ii2zbdCdliiow=\n-----END CERTIFICATE-----\n",
412+
"-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----\n"
413+
],
414+
"metadata": {
415+
"Fulcio Issuer": "https://accounts.google.com",
416+
"Fulcio Issuer (V2)": "https://accounts.google.com",
417+
"Issuer": "CN=sigstore-intermediate,O=sigstore.dev",
418+
"Not After": "${TIMESTAMP}",
419+
"Not Before": "${TIMESTAMP}",
420+
"Serial Number": "3d441200f343428285f02dee7d4c7426d6bc1af1",
421+
"Subject Alternative Name": "Email Addresses:conformacommunity@gmail.com"
422+
}
423+
}
424+
]
425+
}
426+
]
427+
}
428+
],
429+
"key": "",
430+
"policy": {
431+
"sources": [
432+
{
433+
"policy": [
434+
"git::github.com/conforma/policy//policy/release?ref=0de5461c14413484575e63e96ddb514d8ab954b5",
435+
"git::github.com/conforma/policy//policy/lib?ref=0de5461c14413484575e63e96ddb514d8ab954b5"
436+
],
437+
"config": {
438+
"include": [
439+
"slsa_provenance_available"
440+
]
441+
}
442+
}
443+
],
444+
"rekorUrl": "https://rekor.sigstore.dev"
445+
},
446+
"ec-version": "${EC_VERSION}",
447+
"effective-time": "${TIMESTAMP}"
448+
}
449+
---
450+
451+
[Keyless signing verification cosign v2 style:results - 1]
452+
{
453+
"TEST_OUTPUT": "{\"timestamp\":\"${TIMESTAMP}\",\"namespace\":\"\",\"successes\":5,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n"
454+
}
455+
---
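Review bot: in the "cosign v3 style" report-json snapshot, every entry under "signatures" (both at component level and inside "attestations") has an empty "keyid" and, at component level, an empty "sig", with no "certificate", "chain" or "metadata" block, whereas the "cosign v2 style" snapshot records the Fulcio issuer, subject alternative name, serial number and full chain. As a result the v3 snapshot gives no evidence of which identity and issuer were matched, only that the builtin signature checks passed. Confirm that this is the expected report shape for cosign v3 bundle signatures and not a reporting gap; if the identity cannot be surfaced in report-json for v3, a comment in the snapshot header or the feature file saying so would stop the next reader treating the empty fields as a regression. Also note "Not After" / "Not Before" are scrubbed to `${TIMESTAMP}` while "Serial Number" is not, so the v2 snapshot will go stale whenever the test image is re-signed.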

features/task_validate_image.feature

Lines changed: 75 additions & 0 deletions
@@ -337,3 +337,78 @@ Feature: Verify Enterprise Contract Tekton Tasks
337337
Then the task should succeed
338338
And the task logs for step "report" should match the snapshot
339339
And the task results should match the snapshot
340+
341+
# See hack/keyless-test-image for how the quay.io/conforma/test:keyless_v2
342+
# and quay.io/conforma/test:keyless_v3 test images where created. It's not
343+
# ideal that this test requires an external image, but we already do this
344+
# elsewhere, so I guess one more is okay.
345+
346+
# Todo: We should be able test this also with an internally built image
347+
# similar to how it's done in the "happy day with keyless" scenario in the
348+
# validate_image feature.
349+
350+
# Confirm we can verify the signatures on a keylessly signed image signed with cosign v2
351+
Scenario: Keyless signing verification cosign v2 style
352+
Given a working namespace
353+
Given a cluster policy with content:
354+
```
355+
{
356+
"sources": [
357+
{
358+
"policy": [
359+
"github.com/conforma/policy//policy/release?ref=0de5461c14413484575e63e96ddb514d8ab954b5",
360+
"github.com/conforma/policy//policy/lib?ref=0de5461c14413484575e63e96ddb514d8ab954b5"
361+
],
362+
"config": {
363+
"include": [
364+
"slsa_provenance_available"
365+
]
366+
}
367+
}
368+
]
369+
}
370+
```
371+
When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
372+
| IMAGES | {"components": [{"containerImage": "quay.io/conforma/test:keyless_v2@sha256:03a10dff06ae364ef9727d562e7077b135b00c7a978e571c4354519e6d0f23b8"}]} |
373+
| POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME} |
374+
| CERTIFICATE_IDENTITY | conformacommunity@gmail.com |
375+
| CERTIFICATE_OIDC_ISSUER | https://accounts.google.com |
376+
| REKOR_HOST | https://rekor.sigstore.dev |
377+
| IGNORE_REKOR | false |
378+
| STRICT | true |
379+
Then the task should succeed
380+
And the task logs for step "report-json" should match the snapshot
381+
And the task results should match the snapshot
382+
383+
# Confirm we can verify the signatures on a keylessly signed image signed with cosign v3
384+
Scenario: Keyless signing verification cosign v3 style
385+
Given a working namespace
386+
Given a cluster policy with content:
387+
```
388+
{
389+
"sources": [
390+
{
391+
"policy": [
392+
"github.com/conforma/policy//policy/release?ref=0de5461c14413484575e63e96ddb514d8ab954b5",
393+
"github.com/conforma/policy//policy/lib?ref=0de5461c14413484575e63e96ddb514d8ab954b5"
394+
],
395+
"config": {
396+
"include": [
397+
"slsa_provenance_available"
398+
]
399+
}
400+
}
401+
]
402+
}
403+
```
404+
When version 0.1 of the task named "verify-enterprise-contract" is run with parameters:
405+
| IMAGES | {"components": [{"containerImage": "quay.io/conforma/test:keyless_v3@sha256:712ca3a7fcd41fe6b3e6f434a31f738743b6c31f1d81ad458502d6b0239a8903"}]} |
406+
| POLICY_CONFIGURATION | ${NAMESPACE}/${POLICY_NAME} |
407+
| CERTIFICATE_IDENTITY | conformacommunity@gmail.com |
408+
| CERTIFICATE_OIDC_ISSUER | https://accounts.google.com |
409+
| REKOR_HOST | https://rekor.sigstore.dev |
410+
| IGNORE_REKOR | false |
411+
| STRICT | true |
412+
Then the task should succeed
413+
And the task logs for step "report-json" should match the snapshot
414+
And the task results should match the snapshot
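Review bot: the introductory comment has two typos, "where created" should be "were created" and "be able test" should be "be able to test". More substantively, both scenarios only exercise the success path with the correct identity and issuer, so they cannot distinguish "the new parameters are enforced" from "the new parameters are accepted and ignored"; a companion scenario that runs the same image with a non-matching CERTIFICATE_IDENTITY or CERTIFICATE_OIDC_ISSUER and expects the task to fail would cover that. The two scenarios also duplicate the cluster policy block verbatim and differ only in the image digest, which is worth noting if the framework supports a shared background or scenario outline. Finally, the dependency on the external quay.io/conforma/test images is acknowledged in the comment; the digests are pinned, which is good, but the Todo about an internally built image should reference a tracking issue so it is not lost.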
