Plumb TrustRoot CRD through to CIP CRDs. Make TrustRoot available to webhook, clean up and refactor checkOpts logic.

config/300-clusterimagepolicy.yaml

@@ -104,6 +104,9 @@ spec:
                         description: CTLog sets the configuration to verify the authority against a Rekor instance.
                         type: object
                         properties:
+                          trustRootRef:
+                            description: Use the Public Key from the referred TrustRoot.TLog
+                            type: string
                           url:
                             description: URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)
                             type: string
@@ -175,6 +178,9 @@ spec:
                                 subjectRegExp:
                                   description: SubjectRegExp specifies a regular expression to match the subject for this identity.
                                   type: string
+                          trustRootRef:
+                            description: Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog
+                            type: string
                           url:
                             description: URL defines a url to the keyless instance.
                             type: string
@@ -357,6 +363,9 @@ spec:
                         description: CTLog sets the configuration to verify the authority against a Rekor instance.
                         type: object
                         properties:
+                          trustRootRef:
+                            description: Use the Public Key from the referred TrustRoot.TLog
+                            type: string
                           url:
                             description: URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)
                             type: string
@@ -428,6 +437,9 @@ spec:
                                 subjectRegExp:
                                   description: SubjectRegExp specifies a regular expression to match the subject for this identity.
                                   type: string
+                          trustRootRef:
+                            description: Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog
+                            type: string
                           url:
                             description: URL defines a url to the keyless instance.
                             type: string

docs/api-types/index.md

@@ -141,6 +141,7 @@ KeylessRef contains location of the validating certificate and the identities ag
 | url | URL defines a url to the keyless instance. | apis.URL | false |
 | identities | Identities sets a list of identities. | [][Identity](#identity) | false |
 | ca-cert | CACert sets a reference to CA certificate | [KeyRef](#keyref) | false |
+| trustRootRef | Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog | string | false |
 
 [Back to TOC](#table-of-contents)
 
@@ -199,5 +200,6 @@ TLog specifies the URL to a transparency log that holds the signature and public
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |
 | url | URL sets the url to the rekor instance (by default the public rekor.sigstore.dev) | apis.URL | false |
+| trustRootRef | Use the Public Key from the referred TrustRoot.TLog | string | false |
 
 [Back to TOC](#table-of-contents)

examples/policies/custom-key-attestation-sbom-spdxjson.yaml

@@ -36,6 +36,8 @@ spec:
         MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg
         4FCemyVurIM4KEORQk4OAu8ZNwxvGSoY3eAabYaFIPPQ8ROAjrbdPwNdJw==
         -----END PUBLIC KEY-----
+    ctlog:
+      url: https://rekor.sigstore.dev
     attestations:
     - name: must-have-spdxjson
       predicateType: spdxjson

examples/policies/keyless-attestation-sbom-spdxjson.yaml

@@ -35,6 +35,8 @@ spec:
       identities:
         - issuer: https://token.actions.githubusercontent.com
           subject: "https://github.com/sigstore/policy-controller/.github/workflows/policy-tester-examples.yml@refs/heads/main"
+    ctlog:
+      url: https://rekor.sigstore.dev
     attestations:
     - name: must-have-spdxjson
       predicateType: spdxjson

examples/policies/release-signed-by-github-actions.yaml

@@ -38,3 +38,5 @@ spec:
         # Matches a specific github workflow on main branch. Here we use the
         # sigstore policy controller example testing workflow as an example.
         subject: "https://github.com/sigstore/policy-controller/.github/workflows/release.yaml@refs/tags/v0.3.0"
+    ctlog:
+      url: https://rekor.sigstore.dev

examples/policies/signed-by-aws-kms-key.yaml

@@ -34,3 +34,5 @@ spec:
       # NB: the policy controller must have kms.DescribeKey, kms.GetPublicKey
       # and kms.Verify IAM permissions on the relevant key.
       kms: awskms:///arn:aws:kms:<< region >>:<< account id >>:key/<< key id >>
+    ctlog:
+      url: https://rekor.sigstore.dev

examples/policies/signed-by-github-actions.yaml

@@ -38,3 +38,5 @@ spec:
         # Matches a specific github workflow on main branch. Here we use the
         # sigstore policy controller example testing workflow as an example.
         subject: "https://github.com/sigstore/policy-controller/.github/workflows/policy-tester-examples.yml@refs/heads/main"
+    ctlog:
+      url: https://rekor.sigstore.dev

go.mod

@@ -132,6 +132,8 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/digitorus/pkcs7 v0.0.0-20221019075359-21b8b40e6bb4 // indirect
+	github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/docker/cli v20.10.21+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
@@ -147,12 +149,13 @@ require (
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
 	github.com/go-openapi/errors v0.20.3 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
 	github.com/go-openapi/loads v0.21.2 // indirect
-	github.com/go-openapi/runtime v0.24.2 // indirect
+	github.com/go-openapi/runtime v0.25.0 // indirect
 	github.com/go-openapi/spec v0.20.7 // indirect
 	github.com/go-openapi/strfmt v0.21.3 // indirect
 	github.com/go-openapi/swag v0.22.3 // indirect
@@ -199,15 +202,15 @@ require (
 	github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
-	github.com/open-policy-agent/opa v0.45.0 // indirect
+	github.com/open-policy-agent/opa v0.47.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.13.0 // indirect
+	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
@@ -216,13 +219,14 @@ require (
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/sigstore/timestamp-authority v0.1.3-0.20221114113831-cf271cea5d83 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/spf13/afero v1.9.2 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/cobra v1.6.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.13.0 // indirect
+	github.com/spf13/viper v1.14.0 // indirect
 	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
@@ -231,12 +235,14 @@ require (
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/transparency-dev/merkle v0.0.1 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
-	github.com/xanzy/go-gitlab v0.73.1 // indirect
+	github.com/xanzy/go-gitlab v0.76.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.1.0 // indirect
 	go.mongodb.org/mongo-driver v1.10.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/otel v1.11.1 // indirect
+	go.opentelemetry.io/otel/trace v1.11.1 // indirect
 	go.uber.org/automaxprocs v1.5.1 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	golang.org/x/exp v0.0.0-20221026153819-32f3d567a233 // indirect
@@ -264,3 +270,7 @@ require (
 // TODO: this dependency causes issues on webhook startup due
 // to conflicting "log_dir" flags between this and klog (knative)
 replace github.com/golang/glog => github.com/jdolitsky/glog v0.0.0-20220729172235-78744e90d087
+
+// Bring in the latest cosign so we can pass various keys in to verification
+// functions
+replace github.com/sigstore/cosign => github.com/sigstore/cosign v1.13.2-0.20221209171251-6cb723fc299c