estahn / k8s-image-swapper

Mirror images into your own registry and swap image references automatically.
https://estahn.github.io/k8s-image-swapper/
MIT License

kyverno fails - option to copy cosign signature from source to target registry #751

Open wosiu opened 1 month ago

wosiu commented 1 month ago

When I enabled k8s-image-swapper it turned out that kyverno's image signature verification is failing.

So while k8s-image-swapper works fine for pulling/pushing docker images and mutating their references, I’m getting errors in replicasets like:

admission webhook "mutate.kyverno.svc-ignore" denied the request: policy Pod/my-pod/ for resource violation: image-signature-valid: verify-cosign-signature: | failed to verify image <my-account-id>.dkr.ecr.us-west-1.amazonaws.com/<my-account-id>.dkr.ecr.us-west-2.amazonaws.com/<my-docker-image>: .attestors[0].entries[0].keys: no matching signatures:

...which makes sense, because k8s-image-swapper currently does not fetch signatures from the source ECR while fetching the corresponding Docker image. And because the image name is mutated, kyverno is looking for a signature in the target ECR created by k8s-image-swapper.

So it would be nice to have an option to enable copying signatures (if they exist) from the source to the target registry.

FWIW I tried to hack this on kyverno side and no luck :(
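The missing artifact described above, as an added example (not code from k8s-image-swapper or kyverno): cosign keeps a signature in the signed image's own repository under the tag sha256-<digest>.sig, so once the image is mirrored the signature has to be mirrored to the same tag in the swapped repository, which is where kyverno looks for it. Assumptions: the mirrored path follows the layout visible in the error message (<target registry>/<source reference>), the mirror copy preserves the manifest digest, and crane is installed for the one function that touches the network.

```shell
#!/usr/bin/env bash
# Added example (not k8s-image-swapper or kyverno code). Assumes cosign's
# tag convention, "sha256-<hex>.sig" in the image's own repository, and the
# mirrored-path layout seen in the issue's error message:
# "<target-registry>/<source-registry>/<repo>".

# Repository part of a reference: drop "@sha256:..." and ":tag", keep a
# registry port such as localhost:5000.
repo_of() {
  local ref reg path
  ref="${1%%@*}"
  reg="${ref%%/*}"
  path="${ref#*/}"
  if [ "$path" = "$ref" ]; then
    printf '%s\n' "${ref%%:*}"             # bare repo like "nginx:1.25"
  else
    printf '%s/%s\n' "$reg" "${path%%:*}"  # tag follows the last path segment
  fi
}

# Where the swapper puts the mirrored image: target registry + source reference.
swapped_ref() {
  printf '%s/%s\n' "$2" "$1"
}

# Tag cosign uses for the signature of a manifest digest "sha256:<hex>".
sig_tag() {
  printf '%s-%s.sig\n' "${1%%:*}" "${1#*:}"
}

# Full reference of the signature artifact for an image reference + digest.
sig_ref() {
  printf '%s:%s\n' "$(repo_of "$1")" "$(sig_tag "$2")"
}

# Mirror the signature next to the already-mirrored image so a verifier
# resolving the swapped reference finds it. Network call; needs crane.
copy_signature() {
  local src target_registry digest
  src="$1"; target_registry="$2"
  digest="$(crane digest "$src")"   # identical on both sides if the mirror kept the manifest
  crane cp "$(sig_ref "$src" "$digest")" \
           "$(sig_ref "$(swapped_ref "$src" "$target_registry")" "$digest")"
}
```

`cosign copy <source> <target>` does the image and its signatures in one step; the split above is what a tool that already copies the image itself would need to add.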

wosiu commented 3 weeks ago

Referencing #633 as it also mentions sigstore signatures.

wosiu commented 3 weeks ago

Discussion on slack for reference: https://kubernetes.slack.com/archives/C04LETF7KEC/p1718703080654259