Description
We are using GitLab CI pipelines to sign container images, image provenance data and SBOMs, and to attest them to the OCI registry using Cosign v3 (and the new bundle format). The key material is in a Hashicorp Vault cluster's transit engine.
This setup has been working well with Cosign v2, but since we moved to Cosign v3 it is broken. We realized the bundle format changed, so we modified our policies to expect the new bundle format.
Artifacts:
```
$ cosign tree registry.redacted.com/rester/rester:0.2.7-21
📦 Supply Chain Security Related artifacts for an image: registry.redacted.com/rester/rester:0.2.7-21
└── 🔗 https://sigstore.dev/cosign/sign/v1 artifacts via OCI referrer: registry.redacted.com/rester/rester@sha256:1d6ded42353e41cf0c277fe7c8e56ec94c42e0cfacef075dc166448bd9d4327b
    └── 🍒 sha256:2bbd703994daaafa8cc3503ea453167dc926890d7e8498252bacd6d184ae6f4f
└── 🔗 https://sigstore.dev/cosign/sign/v1 artifacts via OCI referrer: registry.redacted.com/rester/rester@sha256:6d04290365d92b848c554645afe86869d11f57534d0e45b22605d9da1b8b3836
    └── 🍒 sha256:cecd9ec21d6bcc2c3265fafe9f3208abf2ff3fd01dcbb19afe8a0fcac3acc250
└── 🔗 https://sigstore.dev/cosign/sign/v1 artifacts via OCI referrer: registry.redacted.com/rester/rester@sha256:901e9725abba4da9869384afcf795c20a8b4e52ead5b355f6bc4da2160a90916
    └── 🍒 sha256:e88674ad73fd562acf5115869b1028e0bfc442dc3eafa903d4ce4b2670d4c7f4
```
Example policy (note the `signatureFormat: bundle`):
```yaml
---
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-provenance
spec:
  authorities:
  - attestations:
    - name: must-have-slsa-provenance
      policy:
        data: |
          predicateType: "https://slsa.dev/provenance/v1"
        type: cue
      predicateType: https://slsa.dev/provenance/v1
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEB/zjHHd6w16mRPZdgkJFQsTnpP6Q
        XzToRZ2pGF9AStZzZeP7Ldo2UaDS5fe1w05khIZpMed6cJhgEI9PP86IPQ==
        -----END PUBLIC KEY-----
      hashAlgorithm: sha256
    name: gitlabpipeline-key
    signatureFormat: bundle
  images:
  - glob: docker-pull.redacted.com**
  - glob: registry.redacted.com**
  - glob: registry-infra.redacted.com**
  mode: enforce
```
The error indicates that the new bundle format requires a keyless authority:
```
registry.redacted.com/rester/rester:0.2.7-21@sha256:45539faf creating CheckOpts: when using the new bundle format, the authority must be keyless
failed policy: image-provenance: spec.template.spec.containers[0].image
```
Cosign v3 allows us to use the key in Hashicorp Vault to sign these artifacts. Is there a way to validate these with policy controller?
Version
Cosign version: v3.0.4
Policy controller version: v0.15.1
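A small triage helper, added here as an example and not part of the issue, of cosign or of policy-controller: it inspects a Sigstore bundle (the format the `🍒` referrers above are stored in) and reports whether the bundle carries key-based or keyless verification material, plus the in-toto `predicateType` of a DSSE-wrapped attestation. That is the first thing to check against the error quoted above, since a `key:` authority with `signatureFormat: bundle` is rejected outright and only a keyless bundle could satisfy a `keyless:` authority. The field names (`verificationMaterial`, `publicKey`, `certificate`, `x509CertificateChain`, `dsseEnvelope`, `mediaType`) come from the Sigstore bundle protobuf spec; the two sample bundles are constructed with placeholder bytes, and the classification logic is my own, not policy-controller's.

```python
"""Triage a Sigstore bundle: is it key-based or keyless, and what does it attest?"""
import base64
import json

# Media type of the v0.3 bundle format (from the Sigstore bundle protobuf spec).
BUNDLE_V03 = "application/vnd.dev.sigstore.bundle.v0.3+json"


def _dsse_envelope(statement: dict) -> dict:
    """Wrap an in-toto statement in a DSSE envelope. The signature is a
    constructed placeholder; nothing here performs cryptographic verification."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "payload": payload,
        "payloadType": "application/vnd.in-toto+json",
        "signatures": [{"sig": base64.b64encode(b"placeholder-signature").decode()}],
    }


# Constructed sample statement; the predicateType matches the policy in the issue.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "registry.example/app", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}

# Key-based bundle (e.g. signed with a Vault transit key): the verification
# material carries only a public-key hint, no certificate.
KEY_BUNDLE = {
    "mediaType": BUNDLE_V03,
    "verificationMaterial": {
        "publicKey": {"hint": base64.b64encode(b"constructed-key-hint").decode()},
        "tlogEntries": [],
    },
    "dsseEnvelope": _dsse_envelope(STATEMENT),
}

# Keyless bundle: the verification material carries a (placeholder) leaf certificate.
KEYLESS_BUNDLE = {
    "mediaType": BUNDLE_V03,
    "verificationMaterial": {
        "certificate": {"rawBytes": base64.b64encode(b"constructed-der-cert").decode()},
        "tlogEntries": [],
    },
    "dsseEnvelope": _dsse_envelope(STATEMENT),
}


def classify_bundle(bundle: dict) -> str:
    """Return "key", "keyless" or "unknown" based on the verification material."""
    vm = bundle.get("verificationMaterial", {})
    if "publicKey" in vm:
        return "key"
    # v0.3 bundles carry a single leaf certificate; older ones a certificate chain.
    if "certificate" in vm or "x509CertificateChain" in vm:
        return "keyless"
    return "unknown"


def predicate_type(bundle: dict):
    """Decode the DSSE payload and return the in-toto predicateType, or None
    for bundles that carry a plain messageSignature (image signatures)."""
    env = bundle.get("dsseEnvelope")
    if env is None:
        return None
    statement = json.loads(base64.b64decode(env["payload"]))
    return statement.get("predicateType")


def triage(bundle: dict) -> dict:
    """Summarise what a policy author needs to know about one bundle."""
    kind = classify_bundle(bundle)
    return {
        "mediaType": bundle.get("mediaType"),
        "kind": kind,
        "predicateType": predicate_type(bundle),
        # Only keyless material can satisfy a keyless: authority; a key-based
        # bundle has no matching authority while the quoted error stands.
        "verifiable_by_keyless_authority": kind == "keyless",
    }


if __name__ == "__main__":
    for name, bundle in (("key", KEY_BUNDLE), ("keyless", KEYLESS_BUNDLE)):
        print(name, json.dumps(triage(bundle), indent=2))
```

To run it against a real artifact, fetch the bundle layer behind one of the `🍒` digests from the registry, `json.load` it, and pass the dict to `triage`; a result of `"kind": "key"` confirms the artifact was produced with the Vault key path described in the issue rather than a Fulcio certificate.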