-rw-r--r--pkg/trust/policy.go1
-rw-r--r--pkg/trust/policy_test.go7
-rw-r--r--pkg/trust/testdata/redhat.yaml2
-rw-r--r--pkg/trust/trust.go3
-rw-r--r--pkg/trust/trust_test.go35
5 files changed, 48 insertions, 0 deletions
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 085f0076a..a41982c13 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -29,6 +29,7 @@ type repoContent struct {
Type string `json:"type"`
KeyType string `json:"keyType,omitempty"`
KeyPath string `json:"keyPath,omitempty"`
+ KeyPaths []string `json:"keyPaths,omitempty"`
KeyData string `json:"keyData,omitempty"`
SignedIdentity json.RawMessage `json:"signedIdentity,omitempty"`
}
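Review bot: The new `KeyPaths` field sits directly under `KeyPath` with nothing saying how the two relate, which is the first thing a reader of this struct will ask; a one-line comment on the added field would settle it, e.g. `// KeyPaths is the multi-key form of KeyPath (containers/image "keyPaths"); presumably any one listed key may verify a signature — confirm against the policy schema.` If the policy schema treats the two as mutually exclusive, the comment should say so, since this struct otherwise lets both be populated. The enclosing `repoContent` struct starts before this hunk.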
diff --git a/pkg/trust/policy_test.go b/pkg/trust/policy_test.go
index c2c2d93be..0f9721722 100644
--- a/pkg/trust/policy_test.go
+++ b/pkg/trust/policy_test.go
@@ -117,6 +117,13 @@ func xNewPRSignedByKeyPath(t *testing.T, keyPath string, signedIdentity signatur
return pr
}
+// xNewPRSignedByKeyPaths is a wrapper for NewPRSignedByKeyPaths which must not fail.
+func xNewPRSignedByKeyPaths(t *testing.T, keyPaths []string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
+ pr, err := signature.NewPRSignedByKeyPaths(signature.SBKeyTypeGPGKeys, keyPaths, signedIdentity)
+ require.NoError(t, err)
+ return pr
+}
+
// xNewPRSigstoreSignedKeyPath is a wrapper for NewPRSigstoreSignedKeyPath which must not fail.
func xNewPRSigstoreSignedKeyPath(t *testing.T, keyPath string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
pr, err := signature.NewPRSigstoreSignedKeyPath(keyPath, signedIdentity)
diff --git a/pkg/trust/testdata/redhat.yaml b/pkg/trust/testdata/redhat.yaml
index 35f2c611c..8e40a4174 100644
--- a/pkg/trust/testdata/redhat.yaml
+++ b/pkg/trust/testdata/redhat.yaml
@@ -1,3 +1,5 @@
docker:
registry.redhat.io:
sigstore: https://registry.redhat.io/containers/sigstore
+ registry.access.redhat.com:
+ sigstore: https://registry.redhat.io/containers/sigstore
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index a27ce5a85..07d144bc1 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -107,6 +107,9 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
if len(repoele.KeyPath) > 0 {
uids = append(uids, idReader(repoele.KeyPath)...)
}
+ for _, path := range repoele.KeyPaths {
+ uids = append(uids, idReader(path)...)
+ }
if len(repoele.KeyData) > 0 {
uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
}
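Review bot: The added loop appends the identities from every `repoele.KeyPaths` entry after those from `repoele.KeyPath`, so a policy that sets both fields gets one merged GPGId description with no indication that two sources were combined; presumably the policy loader rejects that combination, but nothing in this function checks it, so the reliance deserves a comment such as `// assumes keyPath and keyPaths are not both set (expected to be enforced by the policy loader) — confirm`. The `len(...) > 0` guard used for KeyPath is not needed here, since ranging over a nil or empty slice simply does nothing. descriptionsOfPolicyRequirements starts before and continues after this hunk.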
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index 58394e77b..22b780fc9 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -41,6 +41,9 @@ func TestPolicyDescription(t *testing.T) {
"registry.redhat.io": {
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
+ "registry.access.redhat.com": {
+ xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
+ },
"quay.io/multi-signed": {
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
@@ -99,6 +102,13 @@ func TestPolicyDescription(t *testing.T) {
},
{
Transport: "repository",
+ Name: "registry.access.redhat.com",
+ RepoName: "registry.access.redhat.com",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat, redhat-beta",
+ }, {
+ Transport: "repository",
Name: "registry.redhat.io",
RepoName: "registry.redhat.io",
Type: "signed",
@@ -212,6 +222,22 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
},
},
{
+ "registry.access.redhat.com",
+ signature.PolicyRequirements{
+ xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat, redhat-beta",
+ },
+ },
+ },
+ {
"quay.io/multi-signed",
signature.PolicyRequirements{
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
@@ -266,6 +292,7 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
signature.NewPRReject(),
signature.NewPRInsecureAcceptAnything(),
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
@@ -300,6 +327,14 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
RepoName: "repoName",
Type: "signed",
SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat, redhat-beta",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
GPGId: "1",
},
{