Commit Graph

14 Commits

Author SHA1 Message Date
Soule BA 5ecc6b10a8
Enable caching contextual Login Credentials
Provide an optional Cache to the Login Manager used to retrive
contextual login credentials.

Signed-off-by: Soule BA <bah.soule@gmail.com>
2024-06-21 15:15:02 +02:00
Soule BA 12fb25fec2
removing verifyImageSignatures method
Signed-off-by: Soule BA <bah.soule@gmail.com>
2024-03-26 21:53:32 +01:00
Soule BA 7f3df76ccc
Use the verify defined interface in OCIRepository
Signed-off-by: Soule BA <bah.soule@gmail.com>
2024-03-26 15:35:13 +01:00
JasonTheDeveloper 553945ab8e Add verification support for notation signed artifacts
Introduces a new verification provider `notation` to verify notation signed artifacts. Currently only cosign is supported and that is a problem if the end user utilises notation.

---------

Signed-off-by: Jason <jagoodse@microsoft.com>
Signed-off-by: JasonTheDeveloper <jagoodse@microsoft.com>
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: souleb <bah.soule@gmail.com>
Co-authored-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: Sunny <github@darkowlzz.space>
2024-03-26 21:32:23 +11:00
Sanskar Jaiswal d855805b8f
cosign: allow identity matching for keyless verification
Add `.spec.verify.matchOIDCIdentity` to OCIRepository and HelmChart.
It allows specifying regular expressions to match against the subject and
issuer of the certificate related to the artifact signature. Its used
only if the artifact was signed using Cosign keyless signing.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
2023-10-31 08:04:34 -07:00
Sanskar Jaiswal 79adec586b
helm: add support for specifying TLS auth via `.spec.certSecretRef`
Add support for specifying TLS auth data via `.spec.certSecretRef` in
HelmRepository and log a deprecation warning if TLS is configured via
`.spec.secretRef`. Introduce (and refactor) Helm client builder and
auth helpers to reduce duplicated code and increase uniformity and
testability.

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>
2023-07-31 13:29:17 +05:30
Hidde Beydals 0ec49784b5
oci: sort remaining quirks in cosign verify logic
This commit properly sets `IgnoreTlog` to `true` when a public key is
provided to check the signature against, which matches the (silent)
default behavior from cosign v1.

However, during this exercise it has become apparant that this
assumption isn't necessarily true. As you can theoretically have a
custom key and a tlog entry.

Given this, we should inventarise the possible configuration options
and the potential value they have to users (e.g. defining a custom
Rekor URL seems to be valuable as well), and extend our API to
facilitate these needs.

In addition to the above, the CTLog public keys are now properly
retrieved to avoid a `none of the CTFE keys have been found` error.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-05-22 11:08:16 +02:00
Stefan Prodan f58c229bc6 Update cosign to v2
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-05-22 11:08:12 +02:00
Soule BA 25673ac512
addressing review comments
Signed-off-by: Soule BA <soule@weave.works>
2022-10-21 10:00:08 +02:00
Soule BA 0e97547eeb
implement Cosign verification for HelmCharts
If implemented, users will be able to enable chart verification for OCI
based helm charts.

Signed-off-by: Soule BA <soule@weave.works>
2022-10-21 10:00:08 +02:00
Soule BA e2f4e5e7c5
Accept a slice of remote.Option for cosign verification
If implemented this enable passing a keychain, an authenticator and a
custom transport as remote.Option to the verifier. It enables contextual
login, self-signed certificates and insecure registries.

Signed-off-by: Soule BA <soule@weave.works>

refactor makeOptions

Reduce complexity by replacing the functional options with a flat out
conditional logic in makeOptions.

Signed-off-by: Soule BA <soule@weave.works>
2022-09-29 14:45:25 +02:00
Stefan Prodan 082028e115
Refactor internal OCI package
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-09-20 18:34:02 +03:00
Batuhan Apaydın 2db2715988
feat: add condition tests for verification logic
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2022-09-20 14:07:11 +03:00
Furkan 697f260dba
Introduce Initial OCIRepository Source Verification
Fixes #863

Signed-off-by: Furkan <furkan.turkal@trendyol.com>
Co-authored-by: Batuhan <batuhan.apaydin@trendyol.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2022-09-20 14:07:10 +03:00