3 files changed, 79 insertions, 9 deletions

diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 7f32e2afc..085f0076a 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -130,7 +130,7 @@ func getPolicy(policyPath string) (policyContent, error) {
 	return policyContentStruct, nil
 }
 
-var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
+var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "sigstoreSigned": "sigstoreSigned", "reject": "reject"}
 
 func trustTypeDescription(trustType string) string {
 	trustDescription, exist := typeDescription[trustType]
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index 5f292083f..a27ce5a85 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -100,15 +100,23 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
 		entry := template
 		entry.Type = trustTypeDescription(repoele.Type)
 
-		uids := []string{}
-		if len(repoele.KeyPath) > 0 {
-			uids = append(uids, idReader(repoele.KeyPath)...)
-		}
-		if len(repoele.KeyData) > 0 {
-			uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
+		var gpgIDString string
+		switch repoele.Type {
+		case "signedBy":
+			uids := []string{}
+			if len(repoele.KeyPath) > 0 {
+				uids = append(uids, idReader(repoele.KeyPath)...)
+			}
+			if len(repoele.KeyData) > 0 {
+				uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
+			}
+			gpgIDString = strings.Join(uids, ", ")
+
+		case "sigstoreSigned":
+			gpgIDString = "N/A" // We could potentially return key fingerprints here, but they would not be _GPG_ fingerprints.
 		}
-		entry.GPGId = strings.Join(uids, ", ")
-		entry.SignatureStore = lookasidePath
+		entry.GPGId = gpgIDString
+		entry.SignatureStore = lookasidePath // We do this even for sigstoreSigned and things like type: reject, to show that the sigstore is being read.
 		res = append(res, &entry)
 	}
 
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index edafeb5c1..58394e77b 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -45,6 +45,10 @@ func TestPolicyDescription(t *testing.T) {
 							xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
 							xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
 						},
+						"quay.io/sigstore-signed": {
+							xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+							xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
+						},
 					},
 				},
 			},
@@ -79,6 +83,22 @@ func TestPolicyDescription(t *testing.T) {
 				},
 				{
 					Transport:      "repository",
+					Name:           "quay.io/sigstore-signed",
+					RepoName:       "quay.io/sigstore-signed",
+					Type:           "sigstoreSigned",
+					SignatureStore: "",
+					GPGId:          "N/A",
+				},
+				{
+					Transport:      "repository",
+					Name:           "quay.io/sigstore-signed",
+					RepoName:       "quay.io/sigstore-signed",
+					Type:           "sigstoreSigned",
+					SignatureStore: "",
+					GPGId:          "N/A",
+				},
+				{
+					Transport:      "repository",
 					Name:           "registry.redhat.io",
 					RepoName:       "registry.redhat.io",
 					Type:           "signed",
@@ -215,6 +235,30 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 					GPGId:          "2, 3",
 				},
 			},
+		}, {
+			"quay.io/sigstore-signed",
+			signature.PolicyRequirements{
+				xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
+			},
+			[]*Policy{
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "sigstoreSigned",
+					SignatureStore: "",
+					GPGId:          "N/A",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "sigstoreSigned",
+					SignatureStore: "",
+					GPGId:          "N/A",
+				},
+			},
 		},
 		{ // Multiple kinds of requirements are represented individually.
 			"registry.redhat.io",
@@ -224,6 +268,8 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 				xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
 				xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
 				xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
+				xNewPRSigstoreSignedKeyPath(t, "/2.pub", signature.NewPRMMatchRepoDigestOrExact()),
 			},
 			[]*Policy{
 				{
@@ -264,6 +310,22 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
 					SignatureStore: "https://registry.redhat.io/containers/sigstore",
 					GPGId:          "2, 3",
 				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "sigstoreSigned",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "N/A",
+				},
+				{
+					Transport:      "transport",
+					Name:           "name",
+					RepoName:       "repoName",
+					Type:           "sigstoreSigned",
+					SignatureStore: "https://registry.redhat.io/containers/sigstore",
+					GPGId:          "N/A",
+				},
 			},
 		},
 	} {