Open lcarva opened 2 months ago
With a policy.yaml that specifies a publicKey, e.g.:

```yaml
publicKey: k8s://openshift-pipelines/public-key
sources:
  - data:
      - ...
    policy:
      - ...
```
The `ec validate input` command always fails:

```
$ ec validate input
Error: 1 error occurred:
	* error validating file input.json: no check options or sig verifier configured
```
With the `--debug` flag:

```
DEBU[0000] helpers.go:80 readPolicyConfigurationFile Loaded policy.yaml as policyConfiguration
DEBU[0000] policy.go:394 parseEffectiveTime Chosen to use effective time of `now`, using current time 2024-04-15T18:44:38Z
DEBU[0000] policy.go:309 loadPolicy Read EnterpriseContractPolicy as YAML
DEBU[0000] policy.go:314 loadPolicy Unable to parse EnterpriseContractPolicy from "configuration:\n # exclude:\n # - tasks.required_tasks_found:prefetch-dependencies\n # - hermetic_build_task.build_task_hermetic\n # - test.no_test_warnings\n # - redhat_manifests.redhat_manifests_missing\n # - labels.required_labels\n # - rpm_ostree_task.builder_image_param\n # - sbom_cyclonedx.found\n # - test.no_failed_tests\n # include:\n # - '@redhat'\n include:\n - attestation_task_bundle\ndescription: Rules for shipping content to registry.redhat.io\npublicKey: k8s://openshift-pipelines/public-key\nsources:\n- data:\n - github.com/release-engineering/rhtap-ec-policy//data\n - oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest\n name: Release Policies\n policy:\n # - oci::quay.io/enterprise-contract/ec-release-policy:latest\n - /home/lucarval/src/enterprise-contract/ec-policies/policy/lib\n - /home/lucarval/src/enterprise-contract/ec-policies/policy/release\n # ruleData:\n # allowed_registry_prefixes:\n # - registry.access.redhat.com/\n # - registry.redhat.io/\n # - quay.io/rh-osbs/ubi9\n # - localhost/rhtap-final-image\n # allowed_rpm_ostree_builder_image_prefixes:\n # - quay.io/centos-bootc/bootc-image-builder\n"
DEBU[0000] policy.go:315 loadPolicy Attempting to parse as EnterpriseContractPolicySpec
DEBU[0000] validate.go:37 ValidateInput Current input filePath: "input.json"
DEBU[0000] validate.go:67 detectInput unable to detect input as JSON
DEBU[0000] validate.go:75 detectInput unable to detect input as YAML
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"/home/lucarval/src/enterprise-contract/ec-policies/policy/lib", Kind:"policy"}
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"/home/lucarval/src/enterprise-contract/ec-policies/policy/release", Kind:"policy"}
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"github.com/release-engineering/rhtap-ec-policy//data", Kind:"data"}
DEBU[0000] input.go:53 NewInput policySource: &source.PolicyUrl{Url:"oci::quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest", Kind:"data"}
DEBU[0000] conftest_evaluator.go:277 NewConftestEvaluatorWithNamespace Created work dir /tmp/ec-work-678054144
DEBU[0000] policy.go:380 EffectiveTime Using effective time: 2024-04-15T18:44:38Z
DEBU[0000] input.go:58 NewInput Failed to initialize the conftest evaluator!
DEBU[0000] validate.go:46 ValidateInput Failed to create input!
Error: 1 error occurred:
	* error validating file input.json: no check options or sig verifier configured
```
Git bisect tells me this started with commit https://github.com/enterprise-contract/ec-cli/commit/117055d2a0a47af0dd63f9f763c9b243f646d803.
Removing `publicKey` from the policy bypasses the issue.
Perhaps fetching configuration out of the policy could be done lazily, i.e. only try to access the public key if it is required for validation.
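The lazy-resolution design suggested in the report, as an added example that is not code from the ec-cli project. The `Policy`, `LazyPolicy`, `Verifier`, `ValidateInput` and `ValidateImage` names are hypothetical stand-ins for the real types, and the key resolver is a stub supplied by the caller (the real one would read the `k8s://` secret from the cluster). The point it shows: `validate input` never touches the public key, so an unresolvable `k8s://` reference only surfaces when a signature check actually needs a verifier, and the failed lookup is remembered rather than retried.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Policy holds the one policy.yaml field this example cares about
// (hypothetical type, not ec-cli's EnterpriseContractPolicy).
type Policy struct {
	PublicKey string
}

// Verifier stands in for a signature verifier built from key material.
type Verifier struct {
	KeyID string
}

// keyResolver maps a key reference such as "k8s://ns/secret" to key material.
// The caller supplies it so the example runs offline.
type keyResolver func(ref string) (string, error)

// LazyPolicy resolves the public key only on first use and caches the outcome,
// success or failure, so the lookup happens at most once.
type LazyPolicy struct {
	Policy
	resolve keyResolver

	once     sync.Once
	verifier *Verifier
	err      error
}

func NewLazyPolicy(p Policy, r keyResolver) *LazyPolicy {
	return &LazyPolicy{Policy: p, resolve: r}
}

// Verifier performs the key lookup exactly once, and only when a caller
// actually needs signature verification.
func (l *LazyPolicy) Verifier() (*Verifier, error) {
	l.once.Do(func() {
		if l.PublicKey == "" {
			l.err = errors.New("no check options or sig verifier configured")
			return
		}
		material, err := l.resolve(l.PublicKey)
		if err != nil {
			l.err = fmt.Errorf("resolving public key %q: %w", l.PublicKey, err)
			return
		}
		l.verifier = &Verifier{KeyID: material}
	})
	return l.verifier, l.err
}

// ValidateInput evaluates rules against a plain file. No signature is
// involved, so the public key is never resolved on this path.
func ValidateInput(p *LazyPolicy, input string) error {
	if strings.TrimSpace(input) == "" {
		return errors.New("empty input")
	}
	return nil // rule evaluation would happen here
}

// ValidateImage needs a verifier before it can check the image signature,
// so this is the first point at which key resolution can fail.
func ValidateImage(p *LazyPolicy, imageRef string) error {
	v, err := p.Verifier()
	if err != nil {
		return fmt.Errorf("error validating %s: %w", imageRef, err)
	}
	_ = v // signature verification with v would happen here
	return nil
}

func main() {
	// Constructed resolver: the cluster is unreachable, as in the report.
	unreachable := func(ref string) (string, error) {
		return "", errors.New("cluster unreachable")
	}
	p := NewLazyPolicy(Policy{PublicKey: "k8s://openshift-pipelines/public-key"}, unreachable)

	fmt.Println("validate input:", ValidateInput(p, `{"kind": "Pod"}`))
	fmt.Println("validate image:", ValidateImage(p, "quay.io/example/app:1"))
}
```

With the eager behaviour the report describes, the `k8s://` lookup would run inside policy loading and fail both commands; with the lookup behind `Verifier()`, only `ValidateImage` reports it.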