ratify-project / ratify

Artifact Ratification Framework
https://ratify.dev
Apache License 2.0

failed to get trust policy: no policy found for reference when scope matching with image:tag #1460

Closed susanshi closed 2 months ago

susanshi commented 5 months ago

What happened in your environment?

Following this doc, https://github.com/deislabs/ratify-web/blob/e0d548665d273502be477559d10fc02911348c51/docs/plugins/Verifier/cosign.md#trust-policy image

I specified an image:tag as the scope of the cosign trust policy; however, since the image to deploy has been mutated to the digest, the verifier was not able to find a trust policy that matches image:tag.

Error: Detail: failed to get trust policy: no policy found for reference

What did you expect to happen?

No response

What version of Kubernetes are you running?

No response

What version of Ratify are you running?

No response

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this bug fix?

susanshi commented 5 months ago

@akashsinghal, does the notation trust policy have the same limitation? For now, we can update the doc to make sure customers are redirected to use the digest, or specify a wildcard for scope matching.

binbin-li commented 5 months ago

> @akashsinghal, does the notation trust policy have the same limitation? For now, we can update the doc to make sure customers are redirected to use the digest, or specify a wildcard for scope matching.

In terms of the notation spec on trust policy, the scope can be either * or a path to a repo. So it will not have the issue of parsing an image tag to a digest.

https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#oci-trust-policy-constraints
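To make the scope-matching behaviour concrete, here is an added Go example (not Ratify's or Notation's own code; the reference parser and the three scope forms are simplified assumptions) showing why a scope written as image:tag no longer matches once the reference has been resolved to a digest, while a repository-path or `*` scope still does.

```go
package main

import (
	"fmt"
	"strings"
)

// Reference is a parsed OCI image reference. Constructed for this example;
// it is not Ratify's or Notation's own type.
type Reference struct {
	Repo   string // e.g. registry.example.com/team/app
	Tag    string // set when the reference carries :tag
	Digest string // set when the reference carries @sha256:...
}

// ParseReference splits "repo[:tag][@digest]" into its parts.
func ParseReference(ref string) Reference {
	var r Reference
	if i := strings.Index(ref, "@"); i >= 0 {
		r.Digest = ref[i+1:]
		ref = ref[:i]
	}
	// The tag separator is the last ':' after the final '/', so a registry
	// port (localhost:5000/app) is not mistaken for a tag.
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		r.Tag = ref[colon+1:]
		ref = ref[:colon]
	}
	r.Repo = ref
	return r
}

// MatchScope reports whether a trust-policy scope covers the reference.
// Three scope forms are modelled: "*" (any image), a bare repository path
// (the Notation-style scope), and an exact "repo:tag" (the form in this issue).
func MatchScope(scope string, ref Reference) bool {
	if scope == "*" {
		return true
	}
	s := ParseReference(scope)
	if s.Tag == "" {
		return s.Repo == ref.Repo
	}
	// A tag-scoped policy needs the tag to still be present; once the
	// reference is resolved to a digest the tag is gone and matching fails.
	return s.Repo == ref.Repo && s.Tag == ref.Tag
}

func main() {
	resolved := ParseReference("registry.example.com/team/app@sha256:0123456789abcdef")
	fmt.Println(MatchScope("registry.example.com/team/app:v1", resolved)) // false
	fmt.Println(MatchScope("registry.example.com/team/app", resolved))    // true
}
```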

akashsinghal commented 4 months ago

I've added a note in the documentation about this behavior. At this point, I think that's all that we will support.

susanshi commented 2 months ago

Discussed at the community meeting; no plan to change this behavior right now.