You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Implement --skip-att-sig-check flag to skip attestation signature
validation checks, mirroring the existing --skip-image-sig-check flag.
When enabled, attestation signature verification is bypassed during
image validation.
Why? Often I'm debugging/troubleshooting something and I get given
an image ref to look at. We can use cosign download attestation to
inspect the attestation, which is very useful, but if we want to try
running Conforma against it, we must either guess, find, or ask to
be provided with the public key. Sometimes that's not so difficult,
but other times it may be very difficult or even impossible.
(Consider for example if the image was built on an ephemeral cluster
and the signing secret used is gone forever.)
Now we can use --skip-image-sig-check and --skip-att-sig-check and
carry on with the debugging. Note that we added the
--skip-image-sig-check recently for other reasons, see
https://redhat.atlassian.net/browse/EC-1647. The
--skip-att-sig-check is a little more complicated because we needed
to add a new function that can download the attestation without
verifying it.
The argument against this is that it may encourage less secure
practices, but I would say it's acceptable because we're not
changing the default behavior, which is always to require signature
verification.
Ref: https://redhat.atlassian.net/browse/EC-1815
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
# Notice we're using the --skip-att-sig-check flag, which is the reason this is
84
+
# green even though attestation is signed with a different key to the one we're providing
85
+
When ec command is run with "validate image --image ${REGISTRY}/acceptance/invalid-att-signature --policy acceptance/invalid-att-signature-policy --public-key ${known_PUBLIC_KEY} --skip-att-sig-check --rekor-url ${REKOR} --show-successes --output json"
86
+
Then the exit status should be 0
87
+
Then the output should match the snapshot
88
+
89
+
Scenario: skip both image and att sig checks for debugging
90
+
Given a key pair named "known"
91
+
Given a key pair named "unknown"
92
+
Given an image named "acceptance/skip-both-sig-checks"
93
+
94
+
# Both signatures use the wrong key. Without the skip flags this would fail.
95
+
Given a valid image signature of "acceptance/skip-both-sig-checks" image signed by the "unknown" key
96
+
Given a valid attestation of "acceptance/skip-both-sig-checks" signed by the "unknown" key
97
+
98
+
Given a git repository named "skip-both-sig-checks" with
99
+
| main.rego | examples/happy_day.rego |
100
+
Given policy configuration named "skip-both-sig-checks-policy" with specification
0 commit comments