Closed susanshi closed 2 months ago
@akashsinghal, does the notation trust policy have the same limitation? For now, we can update the doc to make sure customers are redirected to use the digest, or specify a wildcard for scope matching.
In terms of notation spec on trust policy, the scope can be either * or a path to repo. So it will not have the issue parsing image tag to digest.
I've added a note in the documentation about this behavior. At this point, I think that's all that we will support.
Discussed at community meeting, no plan to change this behavior right now.
What happened in your environment?
Following this doc, https://github.com/deislabs/ratify-web/blob/e0d548665d273502be477559d10fc02911348c51/docs/plugins/Verifier/cosign.md#trust-policy
I specified an image:tag as the scope of the cosign trust policy; however, since the image to deploy has mutated to the digest, the verifier was not able to find a trust policy that matches image:tag.
Error: Detail: failed to get trust policy: no policy found for reference
What did you expect to happen?
No response
What version of Kubernetes are you running?
No response
What version of Ratify are you running?
No response
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this bug fix?