feat: multiple signatures verification #737
Comments
@yizha1 This is an interesting scenario. We hadn't considered annotations being used in policy. Currently, Ratify generates verification reports that contain details at the artifact level. For notation, for example, the report looks like this:
The notation verifier adds some custom fields such as the Issue and SN. If a user is adding custom annotations to their sigs, then they'd want those annotations showing up in the artifact's verifier report so that the rego policy can consider that. A few follow-up questions:
I missed one scenario: it is about a container image that is signed by multiple signing tools, for example cosign and notation, which results in multiple signatures as well. I will update the issue soon.
Synced with @yizha1 offline. For scenario 1, Ratify could support it by passing required annotations to the For scenario 2 and 3, they would be supported by the refactored policy provider by providing corresponding Rego policies.
Thanks @yizha1 for pointing me to the user metadata functionality. I wasn't aware this was supported. @binbin-li do you think Ratify would need to add the user annotation to the verifier report so that policy could be applied?
Those annotations are verified by the notation verifier, not by the OPA engine. Adding it to the verifier report might not help the scenario, but we can still add it to the extensions field. Instead, it should be added in the verifier config or somewhere else that can be updated dynamically.
@binbin-li I updated the issue description and added one case for scenario-2. Scenario-1 is less important than scenario-2.
Discussed with @yizha1, Ratify already supports it via Rego Policy. But we need to provide some templates for the below scenarios to help users try it:
What would you like to be added?
A container image could be signed by one trust identity multiple times, or by multiple trust identities; either case will produce multiple signatures associated with the image.
Trust identity is the identity that the signer trusts; for X.509 PKI, it means the signing certificate subject. For example, "C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder".
Scenario 1: A container image was signed by the same trust identity multiple times.
A container image was signed by different teams in the same company, Wabbit Networks. For example, the builder team built the container image and signed it, adding the annotation build=123. Then the QA team verified it and signed it using the same signing certificate but adding a different annotation, test=123. Then this image had two signatures from the same trust identity with different annotations.
Scenario 2: A container image was signed by multiple identities
A container image was signed by different teams in the same company, Wabbit Networks. For example, the builder team built the container image and signed it; the QA team verified it and signed it again using a different signing certificate before it was promoted to production. Then this image had two signatures from different trust identities from the same company.
A container image was signed by the company Wabbit Networks and published to a public registry. The company ACME Rockets only allows verified images to be used by internal teams. The acquiring team of the company ACME Rockets verified the image, signed the image, and then pushed it into the internal registry. This image had two signatures from different trust identities from different companies.
A container image was signed by the company Wabbit Networks using the tooling cosign and published to a public registry. The company ACME Rockets only allows verified images to be used by internal teams. The acquiring team of the company ACME Rockets verified the image, signed the image using the tooling notation, and pushed it to internal registries. Both cosign and notation can sign images but produce different formats of signatures. This image had two signatures with different formats.
Ratify policy for multiple signatures verification
Ratify policy should be able to support multiple signatures verification, so that users have a fine-tuned policy for validating signatures based on the different scenarios.
Scenario-1 has lower priority than Scenario-2.
Anything else you would like to add?
The solution could be related to the multiple verifiers feature that is covered by issue #448.
Are you willing to submit PRs to contribute to this feature?
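The kind of Rego template the comments above ask for, written here as an added example rather than code from the Ratify project: it assumes the verification report reaches Rego as input.verifierReports, where each entry has name, isSuccess and extensions, and that the notation verifier's extensions.SN field carries the signing certificate subject (the trust identity). The verifier names and subjects are constructed values.

```rego
package ratify.policy

# Assumed report shape (not Ratify's documented schema): each element of
# input.verifierReports has "name", "isSuccess" and "extensions", and the
# notation verifier stores the signing certificate subject in extensions.SN.

default valid = false

# Trust identities the cluster requires on every admitted image (constructed).
required_subjects := {
    "CN=SecureBuilder,OU=Build,O=Wabbit Networks,L=Seattle,ST=WA,C=US",
    "CN=QAVerifier,OU=QA,O=Wabbit Networks,L=Seattle,ST=WA,C=US"
}

# Set of subjects that produced a signature the notation verifier accepted.
# Failed reports are ignored, so an invalid signature from a required
# identity does not count towards the policy.
verified_subjects[sn] {
    report := input.verifierReports[_]
    report.isSuccess == true
    startswith(report.name, "notation")
    sn := report.extensions.SN
}

# Scenario 2, case 1: both team identities must have signed the image.
# The set difference is empty only when every required subject was verified.
same_company_two_teams {
    count(required_subjects - verified_subjects) == 0
}

# Helper for scenario 2, case 3: did any verifier with this name prefix succeed?
verifier_succeeded(prefix) {
    report := input.verifierReports[_]
    report.isSuccess == true
    startswith(report.name, prefix)
}

# Scenario 2, case 3: a valid cosign signature (publisher) and a valid
# notation signature (internal acquiring team) must both be present.
cross_format {
    verifier_succeeded("cosign")
    verifier_succeeded("notation")
}

# Pick the scenario this cluster enforces; replace with cross_format as needed.
valid {
    same_company_two_teams
}
```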