Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wip: notation implementation #1885

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

wip: notation implementation #1885

wants to merge 1 commit into from

Conversation

phbelitz
Copy link
Member

Implementation for notation

Checklist

  • PR is rebased to/aimed at branch develop
  • PR follows Contributing Guide
  • Added tests (if necessary)
  • Extended README/Documentation (if necessary)
  • Adjusted versions of image and Helm chart in Chart.yaml (if necessary)

@phbelitz phbelitz force-pushed the feat/notation branch 2 times, most recently from b9e7a27 to cc68f82 Compare January 24, 2025 14:39
Starkteetje
Starkteetje reviewed Jan 24, 2025
View reviewed changes
test/integration/notation/cases.yaml
# simple test cases for notation
- id: unsigned
txt: Testing unsigned image...
ref: ghcr.io/sse-secure-systems/testimage:notation-unsign
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ref: ghcr.io/sse-secure-systems/testimage:notation-unsign
ref: ghcr.io/sse-secure-systems/testimage:notation-unsigned

test/integration/notation/cases.yaml
expected_msg: error during notation validation
- id: signed
txt: Testing signed image...
ref: ghcr.io/sse-secure-systems/testimage:notation-sign
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ref: ghcr.io/sse-secure-systems/testimage:notation-sign
ref: ghcr.io/sse-secure-systems/testimage:notation-signed

test/integration/notation/test.sh Outdated Show resolved Hide resolved
internal/validator/notation/trust_store.go Show resolved Hide resolved
internal/validator/notation/notation_validator.go Outdated
Comment on lines 130 to 164
SignatureVerification: trustpolicy.SignatureVerification{
VerificationLevel: trustpolicy.LevelStrict.Name,
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about VerifyTimestamp? Without having looked at it this looks like something we want to have an opinion on

internal/validator/notation/notation_validator.go
VerificationLevel: trustpolicy.LevelStrict.Name,
},
TrustStores: utils.Map(trs, func(tr auth.TrustRoot) string { return fmt.Sprintf("ca:%s", tr.Name) }),
TrustedIdentities: []string{"*"},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without knowing anything, this looks weird 🤔

internal/validator/notation/trust_store_test.go Outdated Show resolved Hide resolved
internal/validator/notation/notation_validator_test.go Outdated Show resolved Hide resolved
@phbelitz
feat: notation support
9aa9ebc 
Implements the notation signature verification for container images.

fixes #312
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Starkteetje Starkteetje Starkteetje left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@phbelitz @Starkteetje