Closed jdolitsky closed 1 year ago
policy-tester --policy policies/02-has-vuln-attestation.yaml --image cgr.dev/chainguard/wait-for-it:latest
2023-02-22T22:38:27.273Z DEBUG webhook/validator.go:496 Checking Authority: keyless-authority
2023-02-22T22:38:28.473Z DEBUG webhook/validator.go:837 Found 2 valid attestations, validating policies for them
{"errors":["no matching attestations with type vuln: "]}
Policy:

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: has-vuln-attestation
spec:
  images:
  - glob: cgr.dev/chainguard/*
  authorities:
  - name: keyless-authority
    keyless:
      url: https://fulcio.sigstore.dev
      identities:
      - issuer: https://token.actions.githubusercontent.com
        subject: https://github.com/chainguard-images/images/.github/workflows/release.yaml@refs/heads/main
    ctlog:
      url: https://rekor.sigstore.dev
    attestations:
    - name: must-have-vuln-attestation
      predicateType: vuln
      policy:
        type: cue
        data: |
          predicateType: "cosign.sigstore.dev/attestation/vuln/v1"
Fixed by pinning to 0.6.2 release
Use predicateType: "https://cosign.sigstore.dev/attestation/vuln/v1" using main.
This doesn't appear to work if the attestation was pushed using cosign v0.13.1
@jdolitsky I found the reason. The predicate type validation needs to be less strict in the cosign package. It complains about an invalid predicate type due to the lack of a scheme. But if you add the scheme, the predicate type doesn't match the predicate type set by attestations done via cosign versions < v2.0.0-rc3.
There are a few reasons here why this alone won't work. PRs coming up in cosign and here.
There are a couple of problems here, which is always fantabulous:
So, if you attested something with a cosign prior to the 2.X-rc's, the mapping from short->predicate could be different from when you use it with the policy today (this was one contributor to your troubles). The second problem is that if you then change the predicateType to the non-RFC3986-compliant form (short->predicate turned vuln->cosign.sigstore.dev/attestation/vuln/v1), the CIP would be rejected because, well, it's not compliant with RFC3986. And then if you make it RFC3986 compliant (with the proper scheme), well, it wouldn't be found because of the first problem (short->predicate mapping).
Anyways, PRs coming up, but I'll also add deprecation notices and change non-conformant predicateTypes to warnings.
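To make the three-way mismatch described in the two comments above concrete (the short->predicate mapping that changed between cosign releases, the strict RFC 3986 check on the policy side, and the exact-match comparison against the attestation's predicate type), here is an added example in Go. It is not code from cosign or policy-controller: the two mapping tables, the sample attestations and the lenient matcher are constructed for illustration, assuming only what the thread states (pre-v2.0.0-rc3 cosign wrote the schemeless `cosign.sigstore.dev/attestation/vuln/v1`, current cosign uses the `https://` form, and the policy side rejects a predicateType without a scheme).

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Short names accepted in a ClusterImagePolicy attestation entry, mapped to
// the full predicate type written into the in-toto statement. Both tables are
// assumptions for this example, taken from what the thread reports:
// cosign < v2.0.0-rc3 wrote the schemeless form, current cosign the https form.
var legacyPredicateTypes = map[string]string{
	"vuln": "cosign.sigstore.dev/attestation/vuln/v1",
}

var currentPredicateTypes = map[string]string{
	"vuln": "https://cosign.sigstore.dev/attestation/vuln/v1",
}

// ResolvePredicateType expands a short name through the given table; a value
// that is not a known short name is assumed to already be a full predicate type.
func ResolvePredicateType(pt string, table map[string]string) string {
	if full, ok := table[pt]; ok {
		return full
	}
	return pt
}

// ValidatePredicateType is the strict policy-side check the thread describes:
// after short-name resolution, the predicate type must be an absolute URI
// (RFC 3986), i.e. carry a scheme and a host. This is an illustration of the
// check, not policy-controller's own implementation.
func ValidatePredicateType(pt string, table map[string]string) error {
	full := ResolvePredicateType(pt, table)
	u, err := url.Parse(full)
	if err != nil {
		return fmt.Errorf("predicateType %q: %w", pt, err)
	}
	if u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("predicateType %q is not an absolute URI (missing scheme)", full)
	}
	return nil
}

// Attestation holds the only field that matters for matching here.
type Attestation struct {
	PredicateType string
	CosignVersion string // which cosign produced it; constructed sample data only
}

// SampleAttestations are constructed: one vuln attestation pushed by an old
// cosign (schemeless type) and one by a current cosign (https type).
var SampleAttestations = []Attestation{
	{PredicateType: "cosign.sigstore.dev/attestation/vuln/v1", CosignVersion: "v1.13.1"},
	{PredicateType: "https://cosign.sigstore.dev/attestation/vuln/v1", CosignVersion: "v2.0.0"},
}

// MatchStrict keeps attestations whose predicate type is byte-for-byte equal
// to the resolved policy predicate type. This is what produces the
// "no matching attestations with type vuln" result for a v1.13.1 attestation.
func MatchStrict(want string, atts []Attestation) []Attestation {
	var out []Attestation
	for _, a := range atts {
		if a.PredicateType == want {
			out = append(out, a)
		}
	}
	return out
}

// canonical strips the scheme so the old and new forms compare equal.
func canonical(pt string) string {
	if i := strings.Index(pt, "://"); i >= 0 {
		return pt[i+3:]
	}
	return pt
}

// MatchLenient is one way to make matching "less strict" across cosign
// versions, as suggested in the thread; it is an illustration, not the change
// the maintainers shipped.
func MatchLenient(want string, atts []Attestation) []Attestation {
	var out []Attestation
	for _, a := range atts {
		if canonical(a.PredicateType) == canonical(want) {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	want := ResolvePredicateType("vuln", currentPredicateTypes)
	fmt.Println("policy predicateType vuln resolves to:", want)
	fmt.Println("strict matches against legacy-only attestations:", len(MatchStrict(want, SampleAttestations[:1])))
	fmt.Println("lenient matches against both attestations:", len(MatchLenient(want, SampleAttestations)))
	fmt.Println("schemeless form in the CIP:", ValidatePredicateType("cosign.sigstore.dev/attestation/vuln/v1", currentPredicateTypes))
	fmt.Println("https form in the CIP:", ValidatePredicateType("https://cosign.sigstore.dev/attestation/vuln/v1", currentPredicateTypes))
}
```

Running it walks through the thread's three dead ends in order: the short name resolves to the https form, which strictly matches nothing produced by the old cosign; writing the schemeless form into the CIP fails validation; and only a matcher that ignores the scheme (or a regenerated attestation) satisfies both.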
As of today, policies are failing for attestations published using cosign 1.13.1.