Skip to content

Commit da68f18

Browse files
simonbairdclaude
andcommitted
Tekton task support for keyless sig checks
We're keeping the new param handling bash as light as possible. My thinking is that ec should produce a good enough error if the params are wrong or incorrectly specified, so we don't want or need a layer messy bash to check that they are correct. Ref: https://issues.redhat.com/browse/EC-1652 Co-authored-by: Claude Code <noreply@anthropic.com>
1 parent 6109c0c commit da68f18

2 files changed

Lines changed: 36 additions & 1 deletion

File tree

docs/modules/ROOT/pages/verify-enterprise-contract.adoc

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,8 @@ You can also specify a policy configuration using a git url, e.g.
3434
*Default*: `enterprise-contract-service/default`
3535
*PUBLIC_KEY* (`string`):: Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.
3636
*REKOR_HOST* (`string`):: Rekor host for transparency log lookups
37+
*CERTIFICATE_IDENTITY* (`string`):: Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing.
38+
*CERTIFICATE_OIDC_ISSUER* (`string`):: Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing.
3739
*IGNORE_REKOR* (`string`):: Skip Rekor transparency log checks during validation.
3840
+
3941
*Default*: `false`

tasks/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml

Lines changed: 34 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -69,6 +69,20 @@ spec:
6969
description: Rekor host for transparency log lookups
7070
default: ""
7171

72+
- name: CERTIFICATE_IDENTITY
73+
type: string
74+
description: >-
75+
Expected identity in the signing certificate for keyless verification.
76+
This should be the email or URI that was used when signing.
77+
default: ""
78+
79+
- name: CERTIFICATE_OIDC_ISSUER
80+
type: string
81+
description: >-
82+
Expected OIDC issuer in the signing certificate for keyless verification.
83+
This should match the issuer that provided the identity token used for signing.
84+
default: ""
85+
7286
- name: IGNORE_REKOR
7387
type: string
7488
description: >-
@@ -245,7 +259,22 @@ spec:
245259
"image"
246260
"--images" "/tekton/home/snapshot.json"
247261
"--policy" "${POLICY_CONFIGURATION}"
248-
"--public-key" "${PUBLIC_KEY}"
262+
)
263+
264+
# To keep bash logic as thin as possible we deliberately don't sanitize
265+
# these params. If something is wrong or missing let Conforma handle it.
266+
if [ -n "${CERTIFICATE_IDENTITY}" ] && [ -n "${CERTIFICATE_OIDC_ISSUER}" ]; then
267+
cmd_args+=(
268+
"--certificate-identity" "${CERTIFICATE_IDENTITY}"
269+
"--certificate-oidc-issuer" "${CERTIFICATE_OIDC_ISSUER}"
270+
)
271+
elif [ -n "${PUBLIC_KEY}" ]; then
272+
cmd_args+=(
273+
"--public-key" "${PUBLIC_KEY}"
274+
)
275+
fi
276+
277+
cmd_args+=(
249278
"--rekor-url" "${REKOR_HOST}"
250279
"--ignore-rekor=${IGNORE_REKOR}"
251280
"--workers" "${WORKERS}"
@@ -276,6 +305,10 @@ spec:
276305
value: "$(params.POLICY_CONFIGURATION)"
277306
- name: PUBLIC_KEY
278307
value: "$(params.PUBLIC_KEY)"
308+
- name: CERTIFICATE_IDENTITY
309+
value: "$(params.CERTIFICATE_IDENTITY)"
310+
- name: CERTIFICATE_OIDC_ISSUER
311+
value: "$(params.CERTIFICATE_OIDC_ISSUER)"
279312
- name: REKOR_HOST
280313
value: "$(params.REKOR_HOST)"
281314
- name: IGNORE_REKOR

0 commit comments

Comments
 (0)