Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Relax certificate authority validation in trustRoots #471

Merged
merged 2 commits into from Dec 25, 2022
Merged

chore: Relax certificate authority validation in trustRoots #471

merged 2 commits into from Dec 25, 2022

Conversation

hectorj2f
Copy link
Collaborator

Summary

We could create a TrustRoot with a list of TSAs servers without defining any additional CA.

Release Note

Documentation

@hectorj2f
fix: wrong api field ref in error msg
9829e71 
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
@hectorj2f
chore: relax sigstoreKeys validation for missing ca
4d0f382 
Signed-off-by: Hector Fernandez <hector@chainguard.dev>
@hectorj2f hectorj2f added the enhancement New feature or request label Dec 25, 2022
@hectorj2f hectorj2f self-assigned this Dec 25, 2022
@codecov-commenter
Copy link

Codecov Report

Merging #471 (4d0f382) into main (f08ca0a) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##             main     #471   +/-   ##
=======================================
  Coverage   55.66%   55.66%           
=======================================
  Files          38       38           
  Lines        3992     3992           
=======================================
  Hits         2222     2222           
  Misses       1598     1598           
  Partials      172      172
Impacted Files Coverage Δ
pkg/apis/policy/v1alpha1/trustroot_validation.go 30.63% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@cpanato cpanato merged commit 9d7bafc into sigstore:main Dec 25, 2022
vaikas
vaikas reviewed Jan 4, 2023
View reviewed changes
pkg/apis/policy/v1alpha1/trustroot_validation.go
@@ -99,8 +99,8 @@ func (remote *Remote) Validate(ctx context.Context) (errors *apis.FieldError) {
}

func (sigstoreKeys *SigstoreKeys) Validate(ctx context.Context) (errors *apis.FieldError) {
if len(sigstoreKeys.CertificateAuthorities) == 0 {
errors = errors.Also(apis.ErrMissingField("certificateAuthority"))
if len(sigstoreKeys.CertificateAuthorities) == 0 && len(sigstoreKeys.TimeStampAuthorities) == 0 {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI, we also need to update that assumption here when we're pulling things from TUF repos / remotes once we add support for getting TSA keys from there:
https://github.com/sigstore/policy-controller/blob/main/pkg/reconciler/trustroot/trustroot.go#L248

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vaikas vaikas vaikas left review comments

@dlorenc dlorenc dlorenc approved these changes

@cpanato cpanato cpanato approved these changes

Assignees

@hectorj2f hectorj2f

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@hectorj2f @codecov-commenter @dlorenc @cpanato @vaikas