summaryrefslogtreecommitdiff
path: root/pkg/trust
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/trust')
-rw-r--r--pkg/trust/policy.go1
-rw-r--r--pkg/trust/policy_test.go7
-rw-r--r--pkg/trust/testdata/redhat.yaml2
-rw-r--r--pkg/trust/trust.go3
-rw-r--r--pkg/trust/trust_test.go35
5 files changed, 48 insertions, 0 deletions
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 085f0076a..a41982c13 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -29,6 +29,7 @@ type repoContent struct {
Type string `json:"type"`
KeyType string `json:"keyType,omitempty"`
KeyPath string `json:"keyPath,omitempty"`
+ KeyPaths []string `json:"keyPaths,omitempty"`
KeyData string `json:"keyData,omitempty"`
SignedIdentity json.RawMessage `json:"signedIdentity,omitempty"`
}
diff --git a/pkg/trust/policy_test.go b/pkg/trust/policy_test.go
index c2c2d93be..0f9721722 100644
--- a/pkg/trust/policy_test.go
+++ b/pkg/trust/policy_test.go
@@ -117,6 +117,13 @@ func xNewPRSignedByKeyPath(t *testing.T, keyPath string, signedIdentity signatur
return pr
}
+// xNewPRSignedByKeyPaths is a wrapper for NewPRSignedByKeyPaths which must not fail.
+func xNewPRSignedByKeyPaths(t *testing.T, keyPaths []string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
+ pr, err := signature.NewPRSignedByKeyPaths(signature.SBKeyTypeGPGKeys, keyPaths, signedIdentity)
+ require.NoError(t, err)
+ return pr
+}
+
// xNewPRSigstoreSignedKeyPath is a wrapper for NewPRSigstoreSignedKeyPath which must not fail.
func xNewPRSigstoreSignedKeyPath(t *testing.T, keyPath string, signedIdentity signature.PolicyReferenceMatch) signature.PolicyRequirement {
pr, err := signature.NewPRSigstoreSignedKeyPath(keyPath, signedIdentity)
diff --git a/pkg/trust/testdata/redhat.yaml b/pkg/trust/testdata/redhat.yaml
index 35f2c611c..8e40a4174 100644
--- a/pkg/trust/testdata/redhat.yaml
+++ b/pkg/trust/testdata/redhat.yaml
@@ -1,3 +1,5 @@
docker:
registry.redhat.io:
sigstore: https://registry.redhat.io/containers/sigstore
+ registry.access.redhat.com:
+ sigstore: https://registry.redhat.io/containers/sigstore
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index a27ce5a85..07d144bc1 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -107,6 +107,9 @@ func descriptionsOfPolicyRequirements(reqs []repoContent, template Policy, regis
if len(repoele.KeyPath) > 0 {
uids = append(uids, idReader(repoele.KeyPath)...)
}
+ for _, path := range repoele.KeyPaths {
+ uids = append(uids, idReader(path)...)
+ }
if len(repoele.KeyData) > 0 {
uids = append(uids, getGPGIdFromKeyData(idReader, repoele.KeyData)...)
}
diff --git a/pkg/trust/trust_test.go b/pkg/trust/trust_test.go
index 58394e77b..22b780fc9 100644
--- a/pkg/trust/trust_test.go
+++ b/pkg/trust/trust_test.go
@@ -41,6 +41,9 @@ func TestPolicyDescription(t *testing.T) {
"registry.redhat.io": {
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
},
+ "registry.access.redhat.com": {
+ xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
+ },
"quay.io/multi-signed": {
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
@@ -99,6 +102,13 @@ func TestPolicyDescription(t *testing.T) {
},
{
Transport: "repository",
+ Name: "registry.access.redhat.com",
+ RepoName: "registry.access.redhat.com",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat, redhat-beta",
+ }, {
+ Transport: "repository",
Name: "registry.redhat.io",
RepoName: "registry.redhat.io",
Type: "signed",
@@ -212,6 +222,22 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
},
},
{
+ "registry.access.redhat.com",
+ signature.PolicyRequirements{
+ xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
+ },
+ []*Policy{
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat, redhat-beta",
+ },
+ },
+ },
+ {
"quay.io/multi-signed",
signature.PolicyRequirements{
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
@@ -266,6 +292,7 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
signature.NewPRReject(),
signature.NewPRInsecureAcceptAnything(),
xNewPRSignedByKeyPath(t, "/redhat.pub", signature.NewPRMMatchRepoDigestOrExact()),
+ xNewPRSignedByKeyPaths(t, []string{"/redhat.pub", "/redhat-beta.pub"}, signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSignedByKeyPath(t, "/2,3.pub", signature.NewPRMMatchRepoDigestOrExact()),
xNewPRSigstoreSignedKeyPath(t, "/1.pub", signature.NewPRMMatchRepoDigestOrExact()),
@@ -300,6 +327,14 @@ func TestDescriptionsOfPolicyRequirements(t *testing.T) {
RepoName: "repoName",
Type: "signed",
SignatureStore: "https://registry.redhat.io/containers/sigstore",
+ GPGId: "redhat, redhat-beta",
+ },
+ {
+ Transport: "transport",
+ Name: "name",
+ RepoName: "repoName",
+ Type: "signed",
+ SignatureStore: "https://registry.redhat.io/containers/sigstore",
GPGId: "1",
},
{