acorn-io / runtime

A simple application deployment framework built on Kubernetes
https://docs.acorn.io/
Apache License 2.0

Error message has "no matching signatures" errors as many times as the number of public keys in "anyof" and "allof" #1411

Open sangee2004 opened 1 year ago

sangee2004 commented 1 year ago

acorn version v0.6.0-93-gd9de8c30+d9de8c30

Create an ImageAllowRules with multiple keys in "anyOf":

apiVersion: api.acorn.io/v1
kind: ImageAllowRules
metadata:
  name: testrules-project
  namespace: testp1
signatures:
  rules:
    - signedBy:
        anyOf:
          - |
            -----BEGIN PUBLIC KEY-----
            key1
            -----END PUBLIC KEY-----
          - |
            -----BEGIN PUBLIC KEY-----
            key2
            -----END PUBLIC KEY-----
        allOf: []
      annotations:
        match:
          tag: ok

Deploy an app with an image that is not signed by any of the above keys.

The following error message is presented:

 ✗  ERROR:  App.api.acorn.io "myt3" is invalid: spec.image: Invalid value: "docker.io/sangeetha/<image>:v4.0.0": disallowed by imageAllowRules: error verifying image docker.io/sangeetha/myfirstacorn:<image> against testp1/testrules-project.signatures.anyOf.*: error verifying image docker.io/sangeetha/myfirstacorn:<image> against testp1/testrules-project.signatures.anyOf.0: failed to verify image signatures: no matching signatures:
               invalid signature when validating ASN.1 encoded signature, error verifying image docker.io/sangeetha/myfirstacorn:<image> against testp1/testrules-project.signatures.anyOf.1: failed to verify image signatures: no matching signatures:
               invalid signature when validating ASN.1 encoded signature

Notice that "no matching signatures" is presented for every key.

The same behavior is also seen when the image is signed by only one of the keys from the allOf section:

  ✗  ERROR:  App.api.acorn.io "t1" is invalid: spec.image: Invalid value: "docker.io/sangeetha/<image>:v4.0.0": disallowed by imageAllowRules: error verifying image docker.io/sangeetha/<image>:v4.0.0 against testp1/testrules-project.signatures.allOf.1: failed to verify image signatures: no matching signatures:
               invalid signature when validating ASN.1 encoded signature
                invalid signature when validating ASN.1 encoded signature
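The anyOf/allOf evaluation that produces messages like the ones above, as an added model written for this thread (not acorn's own code): the key ids, the signedBy set and verifyKey are constructed stand-ins for real cosign verification, and the rule paths mirror the `testp1/testrules-project.signatures.anyOf.N` form in the report.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule mirrors the signedBy block of an ImageAllowRules entry: at least one
// anyOf key and every allOf key must have signed the image (hypothetical model).
type Rule struct {
	AnyOf []string
	AllOf []string
}

// verifyKey stands in for real cosign verification: the key "matches" when its
// id is in the constructed set of ids that signed the image.
func verifyKey(image string, signedBy map[string]bool, key, path string) error {
	if signedBy[key] {
		return nil
	}
	return fmt.Errorf("error verifying image %s against %s: failed to verify image signatures: no matching signatures", image, path)
}

// Verify keeps the error of every anyOf key it tried, so an unsigned image yields one
// "no matching signatures" per anyOf key; allOf returns only the first failing key.
func Verify(image string, signedBy map[string]bool, r Rule, prefix string) error {
	if len(r.AnyOf) > 0 {
		var errs []string
		matched := false
		for i, k := range r.AnyOf {
			err := verifyKey(image, signedBy, k, fmt.Sprintf("%s.anyOf.%d", prefix, i))
			if err == nil {
				matched = true
				break
			}
			errs = append(errs, err.Error())
		}
		if !matched {
			return fmt.Errorf("%s", strings.Join(errs, ", "))
		}
	}
	for i, k := range r.AllOf {
		if err := verifyKey(image, signedBy, k, fmt.Sprintf("%s.allOf.%d", prefix, i)); err != nil {
			return err
		}
	}
	return nil
}
```

Counting "no matching signatures" in the returned error gives the number of anyOf keys tried, which is the repetition the report describes.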
iwilltry42 commented 1 year ago

This is expected actually in an attempt to be as explicit as possible about which validations failed. We may need to align on how detailed we want to get here :thinking: