diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index daedaf40d..18ab101d4 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -13,6 +13,8 @@ permissions: read-all
jobs:
call_test_cli:
uses: ./.github/workflows/e2e-cli.yml
+ secrets:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
call_test_e2e_basic:
name: "run e2e on basic matrix"
@@ -60,10 +62,6 @@ jobs:
secrets: inherit
aks-test-cleanup:
- env:
- AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
- AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
- AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
needs: ['build_test_aks_e2e_conditional']
runs-on: ubuntu-latest
permissions:
@@ -72,7 +70,7 @@ jobs:
environment: azure-test
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -86,10 +84,10 @@ jobs:
- name: Az CLI login
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
- client-id: ${{ env.AZURE_CLIENT_ID }}
- tenant-id: ${{ env.AZURE_TENANT_ID }}
- subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: clean up
run: |
- make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
\ No newline at end of file
+ make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
\ No newline at end of file
diff --git a/.github/workflows/cache-cleanup.yml b/.github/workflows/cache-cleanup.yml
index 19fc6777b..5fbb3d0c8 100644
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.github/workflows/clean-dev-package.yml b/.github/workflows/clean-dev-package.yml
index da9602c62..98cc5cfff 100644
--- a/.github/workflows/clean-dev-package.yml
+++ b/.github/workflows/clean-dev-package.yml
@@ -13,7 +13,7 @@ jobs:
packages: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 90541b62b..c4c55f106 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -38,7 +38,7 @@ jobs:
with:
go-version: "1.22"
- name: Initialize CodeQL
- uses: github/codeql-action/init@2d790406f505036ef40ecba973cc774a50395aac # tag=v3.25.13
+ uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
with:
languages: go
- name: Run tidy
@@ -46,4 +46,4 @@ jobs:
- name: Build CLI
run: make build
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@2d790406f505036ef40ecba973cc774a50395aac # tag=v3.25.13
+ uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
index b3c8c3da4..30dced1e8 100644
--- a/.github/workflows/e2e-aks.yml
+++ b/.github/workflows/e2e-aks.yml
@@ -20,11 +20,6 @@ on:
jobs:
build_test_aks_e2e:
name: "Build and run e2e Test on AKS"
- env:
- AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
- AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
- AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
- AZURE_SP_OBJECT_ID: fd917b28-cdc0-4828-92c9-1ca8203842a3
runs-on: ubuntu-latest
timeout-minutes: 30
environment: azure-test
@@ -33,7 +28,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -46,9 +41,9 @@ jobs:
- name: Az CLI login
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
- client-id: ${{ env.AZURE_CLIENT_ID }}
- tenant-id: ${{ env.AZURE_TENANT_ID }}
- subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Cache AAD tokens
run: |
az version
@@ -66,10 +61,10 @@ jobs:
- name: Run e2e on Azure
run: |
- make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ env.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ env.AZURE_SP_OBJECT_ID }}
+ make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ secrets.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ secrets.AZURE_SP_OBJECT_ID }}
- name: Upload artifacts
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
if: ${{ always() }}
with:
name: e2e-logs-aks-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}
diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
index 8d666aeb4..324de264f 100644
--- a/.github/workflows/e2e-cli.yml
+++ b/.github/workflows/e2e-cli.yml
@@ -2,6 +2,9 @@ name: e2e-cli
on:
workflow_call:
+ secrets:
+ CODECOV_TOKEN:
+ required: true
permissions:
contents: read
@@ -11,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -32,7 +35,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -50,8 +53,8 @@ jobs:
run: bin/ratify version
- name: Upload coverage to codecov.io
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
- env:
- CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+ with:
+ token: ${{ secrets.CODECOV_TOKEN }}
- name: Run helm lint
run: helm lint charts/ratify
build_test_cli:
@@ -61,7 +64,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -83,13 +86,13 @@ jobs:
make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
- name: Upload coverage to codecov.io
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
- env:
- CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+ with:
+ token: ${{ secrets.CODECOV_TOKEN }}
markdown-link-check:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.github/workflows/e2e-k8s.yml b/.github/workflows/e2e-k8s.yml
index 1550962b7..06d97d5ef 100644
--- a/.github/workflows/e2e-k8s.yml
+++ b/.github/workflows/e2e-k8s.yml
@@ -26,7 +26,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -65,7 +65,7 @@ jobs:
kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
- name: Upload artifacts
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
if: ${{ always() }}
with:
name: e2e-logs-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 67626f059..dd5bec53a 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -24,7 +24,7 @@ jobs:
go-version: '1.22'
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: golangci-lint
- uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1
+ uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
with:
version: v1.59.1
args: --timeout=10m
diff --git a/.github/workflows/high-availability.yml b/.github/workflows/high-availability.yml
index c46bd43c8..09d3fe236 100644
--- a/.github/workflows/high-availability.yml
+++ b/.github/workflows/high-availability.yml
@@ -30,7 +30,7 @@ jobs:
DAPR_VERSION: ["1.13.2"]
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -60,7 +60,7 @@ jobs:
kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.DAPR_VERSION }}.json
kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.DAPR_VERSION }}.json
- name: Upload artifacts
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
if: ${{ always() }}
with:
name: e2e-logs-${{ matrix.DAPR_VERSION }}
diff --git a/.github/workflows/pr-to-main.yml b/.github/workflows/pr-to-main.yml
index 6b3d2e119..3aecd8b89 100644
--- a/.github/workflows/pr-to-main.yml
+++ b/.github/workflows/pr-to-main.yml
@@ -13,7 +13,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.github/workflows/publish-charts.yml b/.github/workflows/publish-charts.yml
index a9aea641e..cfb578923 100644
--- a/.github/workflows/publish-charts.yml
+++ b/.github/workflows/publish-charts.yml
@@ -13,7 +13,7 @@ jobs:
contents: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.github/workflows/publish-cosign-sample.yml b/.github/workflows/publish-cosign-sample.yml
index b1957923b..2c5a7d7f6 100644
--- a/.github/workflows/publish-cosign-sample.yml
+++ b/.github/workflows/publish-cosign-sample.yml
@@ -20,7 +20,7 @@ jobs:
id-token: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index febca49ba..b7b294c53 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -13,13 +13,30 @@ jobs:
permissions:
packages: write
contents: read
+ id-token: write
+ environment: azure-publish
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+ - name: Install Notation
+ uses: notaryproject/notation-action/setup@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0
+ - name: Install cosign
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+ - name: Az CLI login
+ uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ - name: Cache AAD tokens
+ run: |
+ az version
+ # Key Vault:
+ az account get-access-token --scope https://vault.azure.net/.default --output none
- name: prepare
id: prepare
run: |
@@ -100,6 +117,27 @@ jobs:
run: |
helm push ratify-${{ steps.prepare.outputs.semversion }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
helm push ratify-${{ steps.prepare.outputs.semversionrolling }}.tgz oci://${{ steps.prepare.outputs.chartrepo }}
+ - name: Sign with Notation
+ uses: notaryproject/notation-action/sign@104aa999103172f827373af8ac14dde7aa6d28f1 # v1.1.0
+ with:
+ plugin_name: azure-kv
+ plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
+ plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
+ key_id: ${{ secrets.AZURE_KV_KEY_ID }}
+ target_artifact_reference: |-
+ ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+ ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+ ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+ ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+ ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
+ signature_format: cose
+ - name: Sign with Cosign
+ run: |
+ cosign sign --yes ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+ cosign sign --yes ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+ cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+ cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+ cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
- name: clear
if: always()
run: |
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index d191b43d7..32a893d36 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -16,7 +16,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- name: Checkout
diff --git a/.github/workflows/publish-sample.yml b/.github/workflows/publish-sample.yml
index fc887ca8b..b21e8840e 100644
--- a/.github/workflows/publish-sample.yml
+++ b/.github/workflows/publish-sample.yml
@@ -19,7 +19,7 @@ jobs:
packages: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml
index 284f4c872..ca981e2b5 100644
--- a/.github/workflows/quick-start.yml
+++ b/.github/workflows/quick-start.yml
@@ -30,7 +30,7 @@ jobs:
KUBERNETES_VERSION: ["1.29.2"]
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -59,7 +59,7 @@ jobs:
kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-config-policy.json
kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-config-policy.json
- name: Upload artifacts
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
if: ${{ always() }}
with:
name: e2e-logs-${{ matrix.KUBERNETES_VERSION }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5a299a089..28769e410 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
contents: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -24,6 +24,9 @@ jobs:
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # tag=3.0.2
with:
fetch-depth: 0
+
+ - name: Install Syft
+ uses: anchore/sbom-action/download-syft@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 # v0.17.0
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
@@ -31,10 +34,11 @@ jobs:
go-version: '1.22'
- name: Goreleaser
+ id: goreleaser
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
- version: '1.18.0'
- args: release --rm-dist
+ version: '2.0.1'
+ args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -45,7 +49,7 @@ jobs:
$RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ratify -pv $GITHUB_REF_NAME -ps Microsoft -nsb https://microsoft.com -V Verbose
- name: Upload a Build Artifact
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag=v4.3.4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # tag=v4.3.6
with:
name: SBOM SPDX files
path: _manifest/spdx_2.2/**
diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml
index 945dd0798..a3ad7f595 100644
--- a/.github/workflows/run-full-validation.yml
+++ b/.github/workflows/run-full-validation.yml
@@ -16,6 +16,8 @@ permissions: read-all
jobs:
call-e2e-cli:
uses: ./.github/workflows/e2e-cli.yml
+ secrets:
+ CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
call_test_e2e_full:
name: "Build and run e2e on full test matrix"
@@ -48,10 +50,6 @@ jobs:
secrets: inherit
aks-test-cleanup:
- env:
- AZURE_SUBSCRIPTION_ID: daae1e1a-63dc-454f-825d-b39289070f79
- AZURE_CLIENT_ID: 814e6e97-120c-4534-b8a9-f1645bc99500
- AZURE_TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47
needs: ['build_test_aks_e2e']
runs-on: ubuntu-latest
permissions:
@@ -60,7 +58,7 @@ jobs:
environment: azure-test
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -74,10 +72,10 @@ jobs:
- name: Az CLI login
uses: azure/login@6c251865b4e6290e7b78be643ea2d005bc51f69a # v2.1.1
with:
- client-id: ${{ env.AZURE_CLIENT_ID }}
- tenant-id: ${{ env.AZURE_TENANT_ID }}
- subscription-id: ${{ env.AZURE_SUBSCRIPTION_ID }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: clean up
run: |
- make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ env.AZURE_SUBSCRIPTION_ID }}
\ No newline at end of file
+ make e2e-cleanup AZURE_SUBSCRIPTION_ID=${{ secrets.AZURE_SUBSCRIPTION_ID }}
\ No newline at end of file
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index 02601045f..7c0ff23c4 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -23,7 +23,7 @@ jobs:
timeout-minutes: 15
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -39,7 +39,7 @@ jobs:
timeout-minutes: 15
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 84c42bce7..838e6d546 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -8,10 +8,12 @@ on:
branches:
- main
- dev
+ - release-*
pull_request:
branches:
- dev
- main
+ - release-*
workflow_dispatch:
permissions: read-all
@@ -28,7 +30,7 @@ jobs:
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
@@ -38,7 +40,7 @@ jobs:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # tag=v2.3.3
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # tag=v2.4.0
with:
results_file: results.sarif
results_format: sarif
@@ -46,13 +48,13 @@ jobs:
publish_results: true
- name: "Upload artifact"
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # tag=v4.3.4
+ uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # tag=v4.3.6
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@2d790406f505036ef40ecba973cc774a50395aac # tag=v3.25.13
+ uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # tag=v3.26.0
with:
sarif_file: results.sarif
diff --git a/.github/workflows/sync-gh-pages.yml b/.github/workflows/sync-gh-pages.yml
index 28fa3824c..fd44a65d1 100644
--- a/.github/workflows/sync-gh-pages.yml
+++ b/.github/workflows/sync-gh-pages.yml
@@ -17,7 +17,7 @@ jobs:
repository-projects: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 4d7daf6c7..73aead7f3 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,4 +1,5 @@
# Check the documentation at https://goreleaser.com for more options
+version: 2
before:
hooks:
- go mod tidy
@@ -57,15 +58,15 @@ release:
prerelease: auto
draft: true
archives:
- - replacements:
- darwin: Darwin
- linux: Linux
- windows: Windows
- format_overrides:
+ - format_overrides:
- goos: windows
format: zip
checksum:
name_template: 'checksums.txt'
+sboms:
+ - artifacts: archive
+ - id: source
+ artifacts: source
snapshot:
name_template: '{{ incpatch .Version }}-next'
changelog:
diff --git a/.well-known/pki-validation/ratify-verification.crt b/.well-known/pki-validation/ratify-verification.crt
new file mode 100644
index 000000000..065c274bf
--- /dev/null
+++ b/.well-known/pki-validation/ratify-verification.crt
@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFsDCCA5igAwIBAgIQbZCNsoQpQC+/hsEf/FdjDjANBgkqhkiG9w0BAQsFADBa
+MQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxFzAV
+BgNVBAoTDnJhdGlmeS1wcm9qZWN0MRMwEQYDVQQDEwpyYXRpZnkuZGV2MB4XDTI0
+MDYxMDIyNDQ1OVoXDTI1MDYxMDIyNTQ1OVowWjELMAkGA1UEBhMCVVMxCzAJBgNV
+BAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMRcwFQYDVQQKEw5yYXRpZnktcHJvamVj
+dDETMBEGA1UEAxMKcmF0aWZ5LmRldjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAM6wAPQhVoIA7qbckyk8qYYiTnKjlUXaThXn8RYe6+dYQjBypxciAyyJ
+NLbM675gXTc26rZDm29ldsych6G6VSP0wkziqZHIYKTSZ/kSzw0mm/KLRgHQPKsj
+PdhVYnLbg4keyKvSRBDmKl6I04VMNXERezJWpcK0F+6wtt6BKZOJRSPCbTPhHIVY
+U5iwqwMt9lOzNgWKsFUfTW+eZ2sPOJzpu78h/0JaOGgsms80Btm5UBjeJCWAOQDS
+VzurUk8Q5EX5X4faNbUiKLREY4210ELVZq8xU1yixkzO2reh9Sw6maG2YLW3W0rc
+bn1PTxz5ddvTF1r/J+A9JSQUhVCM7sEfh9oXW6az4OeZVCD1beG1mX5mtE/kzZqN
+9KfzvBSwdFx4D4t0KBG4/f2/k2pwZuTy3qqA+R9cd434jJpdY4/dQi0JTAG7XmuG
+HMpEM/1TQmXV3Nccwbyy5W2D07/y4fDVSxh2czumK8C7hWs0EX3CQ0C4mi0o3GjD
+1meir2GYKDqQUyVQx0gcDgOVDQRsyA2zQ3gUy7/7RGDbtaGN0XVT0kBMU66aS6Mj
+z69YEu+Yj3QNqVQL/Ms4A2G+mPXoqVTikQxbDI5Bi3d5U0Xu6zQ7/Wx+li1pO2TV
+3tNSyy5Tj/IT5Mou5e5oDt81yIfrXtb6Mye5zJ6uiqq5RwK9+b2BAgMBAAGjcjBw
+MA4GA1UdDwEB/wQEAwIHgDAJBgNVHRMEAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMD
+MB8GA1UdIwQYMBaAFO4kXbjSuXzopPxrB1tKZ5g4oZQ/MB0GA1UdDgQWBBTuJF24
+0rl86KT8awdbSmeYOKGUPzANBgkqhkiG9w0BAQsFAAOCAgEASs8iFwuuh1lB1eM7
+cDM2rZfExb0RFXkcHWdF6+dEwuchn9rjKKXFLXU4k5sARKj+rTzxKGKNbymCLUto
+DzaJwwWygZu7HoG5DHGcj5StlBXNELMCoRwFW/MjRTv4Sfkiakw03PUBeiZeg8Xb
+SB3WuZreD0c/DPiONuXGSdx5cPgf0NkMTY8hiOoENP9eBCqcMhCUGMYRf1sIXr4m
+YWuS5KTB93DsWLjdw+X9FDi0irFa1uP01IM+iSsPtoGoT1tV8fnYl5anvBCLsh8U
+Y9vAXwJvZM6XlfA5XX4fzq82KuLASMBktyhXrYWeGBUOYOpQa4M3c/KiJyYjtm08
+pFRBdbzUwK1GF2mDfO/8oyyqPMhdkD3dO6/iToOklSLcNS4AVoTBE+S62QHHluBD
+zlmeVabCB/TGLRm5wlKKm7YRI7DJXF0HVQ5KS8vXjbT1MzN7WB+Iey2lelH3U+CR
+V50lbGJhvs8WiSojzcl1xJAvhRaWXZ/h8TCBI8srQzBlZ+/8o2zhs4nlEFrgurzq
+Vd+m0s1lM1iGHrE//AxlU7NVh2yCjrhPumQ53Sv53LG3Kl5RD86Pvhd01ORvKKNR
+zS27F63BGy6basxXtHR8ibCPNs1gbT24YLfaPiXmhy0j8dwPhEFGwQEIL8peSG56
+6OcrwcZ4J28hTXOl4EIJ2Prp9mQ=
+-----END CERTIFICATE-----
diff --git a/cmd/ratify/cmd/cmd_test.go b/cmd/ratify/cmd/cmd_test.go
new file mode 100644
index 000000000..49149dcf5
--- /dev/null
+++ b/cmd/ratify/cmd/cmd_test.go
@@ -0,0 +1,83 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+ "strings"
+ "testing"
+)
+
+const (
+ configFilePath = "../../../config/config.json"
+ subject = "localhost:5000/net-monitor:v1"
+ storeName = "oras"
+ digest = "sha256:17490f904cf278d4314a1ccba407fc8fd00fb45303589b8cc7f5174ac35554f4"
+)
+
+func TestVerify(t *testing.T) {
+ err := verify((verifyCmdOptions{
+ subject: subject,
+ artifactTypes: []string{""},
+ configFilePath: configFilePath,
+ }))
+
+ // TODO: make ratify cli more unit testable
+ // unit test should not have dependency for real image
+ if !strings.Contains(err.Error(), "plugin not found") {
+ t.Errorf("error expected")
+ }
+}
+
+func TestDiscover(t *testing.T) {
+ err := discover((discoverCmdOptions{
+ subject: subject,
+ artifactTypes: []string{""},
+ configFilePath: configFilePath,
+ }))
+
+ // TODO: make ratify cli more unit testable
+ // unit test should not need to resolve real image
+ if !strings.Contains(err.Error(), "referrer store failure") {
+ t.Errorf("error expected")
+ }
+}
+
+func TestShowRefManifest(t *testing.T) {
+ err := showRefManifest((referrerCmdOptions{
+ subject: subject,
+ configFilePath: configFilePath,
+ storeName: storeName,
+ digest: digest,
+ }))
+
+ // TODO: make ratify cli more unit testable
+ // unit test should not need to resolve real image
+ if !strings.Contains(err.Error(), "failed to resolve subject descriptor") {
+ t.Errorf("error expected")
+ }
+
+ // validate show blob returns error
+ err = showBlob((referrerCmdOptions{
+ subject: subject,
+ configFilePath: configFilePath,
+ storeName: storeName,
+ digest: "invalid-digest",
+ }))
+
+ if !strings.Contains(err.Error(), "the digest of the subject is invalid") {
+ t.Errorf("error expected")
+ }
+}
diff --git a/cmd/ratify/cmd/discover.go b/cmd/ratify/cmd/discover.go
index 66d9d0921..858f12b52 100644
--- a/cmd/ratify/cmd/discover.go
+++ b/cmd/ratify/cmd/discover.go
@@ -96,10 +96,6 @@ func discover(opts discoverCmdOptions) error {
return err
}
- if subRef.Digest == "" {
- fmt.Println(taggedReferenceWarning)
- }
-
cf, err := config.Load(opts.configFilePath)
if err != nil {
return err
@@ -109,6 +105,10 @@ func discover(opts discoverCmdOptions) error {
return err
}
+ if subRef.Digest == "" {
+ logger.GetLogger(context.Background(), logOpt).Warn(taggedReferenceWarning)
+ }
+
rootImage := treeprint.NewWithRoot(subRef.String())
stores, err := sf.CreateStoresFromConfig(cf.StoresConfig, config.GetDefaultPluginPath())
diff --git a/cmd/ratify/cmd/referrer.go b/cmd/ratify/cmd/referrer.go
index 67ebe2d9a..8921c5ede 100644
--- a/cmd/ratify/cmd/referrer.go
+++ b/cmd/ratify/cmd/referrer.go
@@ -97,7 +97,7 @@ func NewCmdShowRefManifest(argv ...string) *cobra.Command {
cmd := &cobra.Command{
Use: "show-manifest [OPTIONS]",
- Short: "show rference manifest at a digest",
+ Short: "show reference manifest at a digest",
Example: eg,
Args: cobra.NoArgs,
RunE: func(_ *cobra.Command, _ []string) error {
@@ -184,10 +184,6 @@ func showRefManifest(opts referrerCmdOptions) error {
return err
}
- if subRef.Digest == "" {
- fmt.Println(taggedReferenceWarning)
- }
-
digest, err := utils.ParseDigest(opts.digest)
if err != nil {
return err
@@ -198,6 +194,10 @@ func showRefManifest(opts referrerCmdOptions) error {
return err
}
+ if subRef.Digest == "" {
+ logger.GetLogger(context.Background(), logOpt).Warn(taggedReferenceWarning)
+ }
+
stores, err := sf.CreateStoresFromConfig(cf.StoresConfig, config.GetDefaultPluginPath())
if err != nil {
diff --git a/cmd/ratify/cmd/verify.go b/cmd/ratify/cmd/verify.go
index 1e745e9c6..c189fa68b 100644
--- a/cmd/ratify/cmd/verify.go
+++ b/cmd/ratify/cmd/verify.go
@@ -18,7 +18,6 @@ package cmd
import (
"context"
"errors"
- "fmt"
"github.com/ratify-project/ratify/config"
"github.com/ratify-project/ratify/internal/constants"
@@ -36,6 +35,10 @@ const (
verifyUse = "verify"
)
+var logOpt = logger.Option{
+ ComponentType: logger.CommandLine,
+}
+
type verifyCmdOptions struct {
configFilePath string
subject string
@@ -65,12 +68,6 @@ func NewCmdVerify(_ ...string) *cobra.Command {
return cmd
}
-func TestVerify(subject string) {
- _ = verify((verifyCmdOptions{
- subject: subject,
- }))
-}
-
func verify(opts verifyCmdOptions) error {
if opts.subject == "" {
return errors.New("subject parameter is required")
@@ -81,10 +78,6 @@ func verify(opts verifyCmdOptions) error {
return err
}
- if subRef.Digest == "" {
- fmt.Println(taggedReferenceWarning)
- }
-
cf, err := config.Load(opts.configFilePath)
if err != nil {
return err
@@ -94,6 +87,10 @@ func verify(opts verifyCmdOptions) error {
return err
}
+ if subRef.Digest == "" {
+ logger.GetLogger(context.Background(), logOpt).Warn(taggedReferenceWarning)
+ }
+
stores, err := sf.CreateStoresFromConfig(cf.StoresConfig, config.GetDefaultPluginPath())
if err != nil {
diff --git a/crd.Dockerfile b/crd.Dockerfile
index b1f3319f8..92482cd1b 100644
--- a/crd.Dockerfile
+++ b/crd.Dockerfile
@@ -11,7 +11,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-FROM alpine@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0 as builder
+FROM alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 as builder
ARG TARGETOS
ARG TARGETARCH
diff --git a/docs/discussion/Ratify Error Handling Scenarios.md b/docs/discussion/Ratify Error Handling Scenarios.md
new file mode 100644
index 000000000..02b309f9e
--- /dev/null
+++ b/docs/discussion/Ratify Error Handling Scenarios.md
@@ -0,0 +1,638 @@
+Ratify Error Handling Scenarios
+===
+Author: Binbin Li
+
+Table of Contents
+=================
+
+- [Ratify Error Handling Scenarios](#ratify-error-handling-scenarios)
+- [Table of Contents](#table-of-contents)
+- [Overview](#overview)
+- [Objective](#objective)
+ - [Areas for Enhancement](#areas-for-enhancement)
+- [Stages](#stages)
+ - [Diagnostic Review](#diagnostic-review)
+ - [Error Message Clarification](#error-message-clarification)
+ - [Nested Error Refactoring](#nested-error-refactoring)
+- [User Scenarios](#user-scenarios)
+ - [Configuration](#configuration)
+ - [KMP](#kmp)
+ - [Invalid spec.type | Juncheng](#invalid-spectype--juncheng)
+ - [Current Error](#current-error)
+ - [Improvements](#improvements)
+ - [Invalid spec.parameters.contentType | Juncheng](#invalid-specparameterscontenttype--juncheng)
+ - [Current Error](#current-error-1)
+ - [Improvement](#improvement)
+ - [Invalid certificate provided for inline provider | Juncheng](#invalid-certificate-provided-for-inline-provider--juncheng)
+ - [Current Error](#current-error-2)
+ - [Improvement](#improvement-1)
+ - [Invalid key provided for inline provider | Juncheng](#invalid-key-provided-for-inline-provider--juncheng)
+ - [Current Error](#current-error-3)
+ - [Wrong vaultURI for AKV provider | Juncheng](#wrong-vaulturi-for-akv-provider--juncheng)
+ - [Current Error](#current-error-4)
+ - [Wrong certificate name for AKV provider | Juncheng](#wrong-certificate-name-for-akv-provider--juncheng)
+ - [Current Error](#current-error-5)
+ - [Invalid certificate version for AKV provider | Juncheng](#invalid-certificate-version-for-akv-provider--juncheng)
+ - [Current Error](#current-error-6)
+ - [Wrong tenantID or clientID for AKV provider | Juncheng](#wrong-tenantid-or-clientid-for-akv-provider--juncheng)
+ - [Current Error](#current-error-7)
+ - [Store](#store)
+ - [useHttp is enabled for public registry | Binbin](#usehttp-is-enabled-for-public-registry--binbin)
+ - [Current Error](#current-error-8)
+ - [Invalid authProvider(we support multiple providers, probably docker/Azure/AWS are main use case), e.g. wrong clientID for azureWorkloadIdentity](#invalid-authproviderwe-support-multiple-providers-probably-dockerazureaws-are-main-use-case-eg-wrong-clientid-for-azureworkloadidentity)
+ - [Verifier](#verifier)
+ - [Notation verifier references invalid certStore | Susan](#notation-verifier-references-invalid-certstore--susan)
+ - [Current Error](#current-error-9)
+ - [Improvement](#improvement-2)
+ - [Invalid artifactTypes in notation verifier | Susan](#invalid-artifacttypes-in-notation-verifier--susan)
+ - [Current Error](#current-error-10)
+ - [Improvement](#improvement-3)
+ - [invalid(non-existing) trustStores | Susan](#invalidnon-existing-truststores--susan)
+ - [Current Error](#current-error-11)
+ - [Improvement](#improvement-4)
+ - [Unsupported registryScope | Susan](#unsupported-registryscope--susan)
+ - [Current Error](#current-error-12)
+ - [Improvement](#improvement-5)
+ - [Invalid trustedIdentity | Susan](#invalid-trustedidentity--susan)
+ - [Current Error](#current-error-13)
+ - [Certificate has no matching trusted identity | Susan](#certificate-has-no-matching-trusted-identity--susan)
+ - [Current Error](#current-error-14)
+ - [Cosign verifier references invalid key provider | Binbin](#cosign-verifier-references-invalid-key-provider--binbin)
+ - [Current Error](#current-error-15)
+ - [Invalid artifactTypes in cosign verifier(same question) | Binbin](#invalid-artifacttypes-in-cosign-verifiersame-question--binbin)
+ - [Current Error](#current-error-16)
+ - [Improvement](#improvement-6)
+ - [Unsupported scope is provided in cosign verifier | Binbin](#unsupported-scope-is-provided-in-cosign-verifier--binbin)
+ - [Current Error](#current-error-17)
+ - [Conflict scopes from multiple policies in cosign verifier | Binbin](#conflict-scopes-from-multiple-policies-in-cosign-verifier--binbin)
+ - [Current Error](#current-error-18)
+ - [Invalid cert identity/cert OIDC issuer for keyless cosign verifier | Binbin](#invalid-cert-identitycert-oidc-issuer-for-keyless-cosign-verifier--binbin)
+ - [Current Error](#current-error-19)
+ - [Configured keyless cosign verifier to verify a keyed signature | Binbin](#configured-keyless-cosign-verifier-to-verify-a-keyed-signature--binbin)
+ - [Current Error](#current-error-20)
+ - [Cosign verifier configured a wrong public key | Binbin](#cosign-verifier-configured-a-wrong-public-key--binbin)
+ - [Current Error](#current-error-21)
+ - [Cosign verifier references non-existent kmp | Binbin](#cosign-verifier-references-non-existent-kmp--binbin)
+ - [Current Error](#current-error-22)
+ - [Policy](#policy)
+ - [`metadata.name` is changed other than ratify-policy | Binbin](#metadataname-is-changed-other-than-ratify-policy--binbin)
+ - [Current Error](#current-error-23)
+ - [Invalid spec.type | Binbin](#invalid-spectype--binbin)
+ - [Current Error](#current-error-24)
+ - [Invalid policy value except `all` and `or` in config policy | Binbin](#invalid-policy-value-except-all-and-or-in-config-policy--binbin)
+ - [Current Error](#current-error-25)
+ - [Invalid policy string is provided in rego policy | Binbin](#invalid-policy-string-is-provided-in-rego-policy--binbin)
+ - [Current Error](#current-error-26)
+ - [Access Control](#access-control)
+ - [ACR](#acr)
+ - [`AcrPull` role is not assigned | Juncheng](#acrpull-role-is-not-assigned--juncheng)
+ - [Current Error](#current-error-27)
+ - [Improvement](#improvement-7)
+ - [AKV](#akv)
+ - [`Key Vault Secrets User` role is not assigned for notation signature | Juncheng](#key-vault-secrets-user-role-is-not-assigned-for-notation-signature--juncheng)
+ - [Current Error](#current-error-28)
+ - [Improvement](#improvement-8)
+ - [`Key Vault Crypto User` role is not assigned for cosign signature | Juncheng](#key-vault-crypto-user-role-is-not-assigned-for-cosign-signature--juncheng)
+ - [Current Error](#current-error-29)
+ - [Improvement](#improvement-9)
+ - [Signature Verification](#signature-verification)
+ - [No matching verifier for notation signature | Akash](#no-matching-verifier-for-notation-signature--akash)
+ - [Test Error](#test-error)
+ - [Improvment](#improvment)
+ - [No matching verifier for cosign signature | Akash](#no-matching-verifier-for-cosign-signature--akash)
+ - [Test Error](#test-error-1)
+ - [Image is not signed | Akash](#image-is-not-signed--akash)
+ - [Current Error](#current-error-30)
+ - [Improvement](#improvement-10)
+ - [Image is signed with notation signature, but KMP provides a different certificate resulting to verification failure | Akash](#image-is-signed-with-notation-signature-but-kmp-provides-a-different-certificate-resulting-to-verification-failure--akash)
+ - [Current Error](#current-error-31)
+ - [Improvement](#improvement-11)
+ - [Image is signed with cosign signature, but KMP provides a different key resulting to verification failure | Akash](#image-is-signed-with-cosign-signature-but-kmp-provides-a-different-key-resulting-to-verification-failure--akash)
+ - [Current Error](#current-error-32)
+ - [Images are signed by unknown identities so that verification should fail. (Notary Project signatures) | Akash](#images-are-signed-by-unknown-identities-so-that-verification-should-fail-notary-project-signatures--akash)
+ - [Current Error](#current-error-33)
+ - [Improvement](#improvement-12)
+ - [Images are signed by unknown keys so that verification should fail (Cosign key-pair signatures) | Akash](#images-are-signed-by-unknown-keys-so-that-verification-should-fail-cosign-key-pair-signatures--akash)
+ - [Current Error](#current-error-34)
+ - [Revocation: Images are signed with revoked certificates](#revocation-images-are-signed-with-revoked-certificates)
+ - [Timestamp: Images are signed before certificate expired but cert is expired now (Time-stamp support is required and users specify TSA root certificate)](#timestamp-images-are-signed-before-certificate-expired-but-cert-is-expired-now-time-stamp-support-is-required-and-users-specify-tsa-root-certificate)
+ - [Images are signed with multiple signatures, but some signature is missing matching verifier | Binbin](#images-are-signed-with-multiple-signatures-but-some-signature-is-missing-matching-verifier--binbin)
+ - [Current Error](#current-error-35)
+ - [Images are signed with multiple signatures, and policy requires all signatures pass. | Binbin](#images-are-signed-with-multiple-signatures-and-policy-requires-all-signatures-pass--binbin)
+ - [Current Error](#current-error-36)
+ - [Images are signed with multiple signatures, and no matching verifiers configured | Binbin](#images-are-signed-with-multiple-signatures-and-no-matching-verifiers-configured--binbin)
+ - [Current Error](#current-error-37)
+ - [Images are signed with multiple signatures, and policy requires at least one signature pass | Binbin](#images-are-signed-with-multiple-signatures-and-policy-requires-at-least-one-signature-pass--binbin)
+ - [Current Error](#current-error-38)
+ - [Improvement](#improvement-13)
+ - [certificate is rotated, but Ratify didn't refresh it and previous cert is expired | Binbin](#certificate-is-rotated-but-ratify-didnt-refresh-it-and-previous-cert-is-expired--binbin)
+ - [Current Error](#current-error-39)
+ - [key is rotated, but Ratify didn't refresh it | Binbin](#key-is-rotated-but-ratify-didnt-refresh-it--binbin)
+ - [Current Error](#current-error-40)
+ - [Timeout during keyless cosign verification](#timeout-during-keyless-cosign-verification)
+ - [Timeout from requests to remote registry](#timeout-from-requests-to-remote-registry)
+ - [Timeout during cert revocation evaluation for notation signature](#timeout-during-cert-revocation-evaluation-for-notation-signature)
+
+# Overview
+
+Ratify has received a lot of valuable feedback on the error handling. Recognizing that the current errors are either too cryptic or excessively detailed, we are now committed to refining our error handling processes to improve overall user satisfaction.
+
+# Objective
+
+The target of this improvement is mainly focusing on the user expericence. So we'll start from current behavior in different user scenarios. Then we could compare the current behaivor and expected behavior to assess areas/directions we could improve.
+
+Our enhancement efforts are aimed at elevating the user experience. We will begin by examining the existing error responses across various user scenarios. By contrasting the present and ideal outcomes, we will identify and prioritize improvements.
+
+## Areas for Enhancement
+We have pinpointed several key areas for potential enhancement:
+1. Error message or detail for each specific scenario. Currently different issues could result to identical error, leading to user confusion. We aim to differentiate the error feedback more clearly.
+2. How to wrap up the nested error. While nested error offer comprehensive details, they can overwhelm users and are often too lengthy for practical disolay.
+3. How to handle the error originating from dependencies?
+
+# Stages
+I plan to complete the error handling improvement in 3 stages.
+## Diagnostic Review
+Initially, we will conduct a thorough review of the most common error-generating scenarios. We’ll evaluate the clarity of the errors for both customers and Ratify developers.
+## Error Message Clarification
+We will ensure that each scenario yields a precise error message that pinpoints the root cause, including those stemming from dependencies.
+## Nested Error Refactoring
+We will restructure the nested error framework to maintain clarity and retain essential information for the users.
+
+# User Scenarios
+
+In general, there are 3 major scenarios could produce errors.
+- Configration Error(excluding certificate)
+- Access Controll Error
+- Signature Verififcation Failures(including policy evaluation failure)
+
+Feel free to add more test cases under each section.
+
+## Configuration
+
+### KMP
+
+#### Invalid spec.type | Juncheng
+##### Current Error
+Error log:
+```
+time=2024-07-15T23:43:55.170100941Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=failed to create key management provider provider: key management provider factory with name notazurekeyvault not found name=keymanagementprovider-akv namespace= reconcileID=baff8d41-5889-4a39-85ff-efd9d02c8372
+```
+
+##### Improvements
+KMP does not support type of ...
+
+#### Invalid spec.parameters.contentType | Juncheng
+##### Current Error
+Error log 1:
+```
+time=2024-07-17T12:54:37.380991457Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-inline controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=failed to create key management provider provider: Error: config invalid, Code: CONFIG_INVALID, Component Type: keyManagementProvider, Detail: content type notcertificate is not supported name=keymanagementprovider-inline namespace= reconcileID=4bbc444a-3326-45fb-b1fd-5fb09c6aa563
+```
+Error log 2:
+```
+time=2024-07-17T14:14:29.313249456Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-inline controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=failed to create key management provider provider: Error: config invalid, Code: CONFIG_INVALID, Component Type: keyManagementProvider, Detail: contentType parameter is not set name=keymanagementprovider-inline namespace= reconcileID=f1340181-e790-45e2-9c46-30ddb85441d1
+```
+
+##### Improvement
+
+#### Invalid certificate provided for inline provider | Juncheng
+##### Current Error
+
+Error log:
+```
+time=2024-07-17T12:57:02.094428327Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-inline controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=failed to create key management provider provider: Error: cert invalid, Code: CERT_INVALID, Component Type: certProvider, Detail: failed to decode pem block name=keymanagementprovider-inline namespace= reconcileID=bfe6ded8-21de-4a10-9a24-72bed094e682
+```
+
+##### Improvement
+Report error while parsing the public certificate
+
+#### Invalid key provided for inline provider | Juncheng
+##### Current Error
+Error log:
+```
+time=2024-07-17T13:06:39.146768643Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-inline controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=failed to create key management provider provider: Original Error: (PEM decoding failed), Error: key invalid, Code: KEY_INVALID, Component Type: keyManagementProvider, Detail: error parsing public key name=keymanagementprovider-inline namespace= reconcileID=1a5d7e8f-5fc0-4b22-a371-fe871218ec1e
+```
+
+#### Wrong vaultURI for AKV provider | Juncheng
+##### Current Error
+Error log for valid URL:
+```
+time=2024-07-16T07:56:11.14480023Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=Error fetching certificates in KMProvider keymanagementprovider-akv with azurekeyvault provider, error: failed to get secret objectName:wabbit-networks-io, objectVersion:, error: keyvault.BaseClient#GetSecret: Failure sending request: StatusCode=0 -- Original Error: Get "https://notroakv.vault.azure.net/secrets/wabbit-networks-io/?api-version=7.1": dial tcp: lookup notroakv.vault.azure.net on 10.0.0.10:53: no such host name=keymanagementprovider-akv namespace= reconcileID=ec30a479-d739-438f-a5a8-49e8394f4ae4`
Error log for invalid URL: `time=2024-07-16T08:05:33.552739275Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=Error fetching certificates in KMProvider keymanagementprovider-akv with azurekeyvault provider, error: failed to get secret objectName:wabbit-networks-io, objectVersion:, error: keyvault.BaseClient#GetSecret: Failure preparing request: StatusCode=0 -- Original Error: autorest: No scheme detected in URL .net/ name=keymanagementprovider-akv namespace= reconcileID=47f71684-2730-4545-979f-cc1598c6b88f
+```
+
+#### Wrong certificate name for AKV provider | Juncheng
+##### Current Error
+```
+time=2024-07-16T08:38:40.583971705Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=Error fetching certificates in KMProvider keymanagementprovider-akv with azurekeyvault provider, error: failed to get secret objectName:notwabbit-networks-io, objectVersion:, error: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="SecretNotFound" Message="A secret with (name/id) notwabbit-networks-io was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182" name=keymanagementprovider-akv namespace= reconcileID=358953da-30a6-419c-8628-5583637e17c3
+```
+
+#### Invalid certificate version for AKV provider | Juncheng
+##### Current Error
+Error log:
+```
+time=2024-07-15T23:52:33.66317963Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=Error fetching certificates in KMProvider keymanagementprovider-akv with azurekeyvault provider, error: failed to get secret objectName:wabbit-networks-io, objectVersion:invalidVersion, error: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadParameter" Message="Method GET does not allow operation 'invalidVersion'" name=keymanagementprovider-akv namespace= reconcileID=481b14c6-0990-4413-9563-38d0ad0e180d
+```
+
+#### Wrong tenantID or clientID for AKV provider | Juncheng
+
+##### Current Error
+Wrong tenantID Error log:
+```
+time=2024-07-16T08:41:45.101552175Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=failed to create key management provider provider: Original Error: (Original Error: (failed to acquire token: failed to acquire AAD token: unable to resolve an endpoint: http call(https://login.microsoftonline.com//v2.0/.well-known/openid-configuration)(GET) error: reply status code was 400:{"error":"invalid_tenant","error_description":"AADSTS90002: Tenant '' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: 5dd3d897-77ec-454b-907d-fca043f35600 Correlation ID: 2e2eacc0-4b67-43e0-8218-22de0a18a1eb Timestamp: 2024-07-16 08:41:45Z","error_codes":[90002],"timestamp":"2024-07-16 08:41:45Z","trace_id":"5dd3d897-77ec-454b-907d-fca043f35600","correlation_id":"2e2eacc0-4b67-43e0-8218-22de0a18a1eb","error_uri":"https://login.microsoftonline.com/error?code=90002"}), Error: auth denied, Code: AUTH_DENIED, Plugin Name: azurekeyvault, Component Type: keyManagementProvider, Documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/overview, Detail: failed to get authorizer for keyvault client, Stack trace: goroutine 311 [running] ... Error: plugin init failure, Code: PLUGIN_INIT_FAILURE, Plugin Name: azurekeyvault, Component Type: keyManagementProvider, Documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/overview, Detail: failed to create keyvault client name=keymanagementprovider-akv namespace= reconcileID=8cb1dd6a-0e92-4f84-bd04-ccc32e98906d` Wrong clientID Error log:`time=2024-07-16T08:50:37.655092495Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=failed to create key management provider provider: Original Error: (Original Error: (failed to acquire token: failed to acquire AAD token: FromAssertion(): http call(https://login.microsoftonline.com//oauth2/v2.0/token)(POST) error: reply status code was 400: {"error":"unauthorized_client","error_description":"AADSTS700016: Application with identifier '' was not found in the directory 'Microsoft'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant. Trace ID: bd8356e9-e3a1-4604-bee8-f11e6a4f4200 Correlation ID: 5daee285-5a95-4f61-85b4-2f5332996b62 Timestamp: 2024-07-16 08:50:22Z","error_codes":[700016],"timestamp":"2024-07-16 08:50:22Z","trace_id":"bd8356e9-e3a1-4604-bee8-f11e6a4f4200","correlation_id":"5daee285-5a95-4f61-85b4-2f5332996b62","error_uri":"https://login.microsoftonline.com/error?code=700016"}), Error: auth denied, Code: AUTH_DENIED, Plugin Name: azurekeyvault, Component Type: keyManagementProvider, Documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/overview, Detail: failed to get authorizer for keyvault client, Stack trace: goroutine 311 [running] ..., Error: plugin init failure, Code: PLUGIN_INIT_FAILURE, Plugin Name: azurekeyvault, Component Type: keyManagementProvider, Documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/overview, Detail: failed to create keyvault client name=keymanagementprovider-akv namespace= reconcileID=0676c027-9dda-44c5-8769-c49f18f8d5b5
+```
+
+### Store
+#### useHttp is enabled for public registry | Binbin
+##### Current Error
+Mutation failure:
+```
+Error from server: admission webhook "mutation.gatekeeper.sh" denied the request: failed to resolve external data placeholders: failed to validate external data response from provider ratify-mutation-provider: non-empty system error: operation failed with error operation timed out after duration 1.95s` and no error log. Validation failure: `Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] System error calling external data provider: operation failed with error operation timed out after duration 4.9s` error log: `"message": "verification failed: Original Error: (Get \"https://azure.microsoft.com/services/container-registry/\": context deadline exceeded), Error: list referrers failure, Code: LIST_REFERRERS_FAILURE, Plugin Name: oras, Component Type: referrerStore"
+```
+
+#### Invalid authProvider(we support multiple providers, probably docker/Azure/AWS are main use case), e.g. wrong clientID for azureWorkloadIdentity
+
+### Verifier
+#### Notation verifier references invalid certStore | Susan
+##### Current Error
+```
+"verifierReports": [
+ {
+ "isSuccess": false,
+ "name": "verifier-notation",
+ "type": "notation",
+ "message": "Original Error: (Original Error: (unable to fetch certificates for namedStore: certs), Error: verify plugin failure, Code: VERIFY_PLUGIN_FAILURE, Plugin Name: verifier-notation, Component Type: verifier, Documentation: https://ratify.dev/docs/troubleshoot/verifier/notation, Detail: failed to verify signature of digest), Error: verify reference failure, Code: VERIFY_REFERENCE_FAILURE, Plugin Name: verifier-notation, Component Type: verifier",
+ "artifactType": "application/vnd.cncf.notary.signature"
+ }
+ ]
+```
+
+##### Improvement
+Keep:
+This error is useful unable to fetch certificates for namedStore: certs
+ToImprove:
+
+1. Message maybe too verbose ( will get fixed if we remove nesting)
+2. Message ideally should include action item like please validate your cert store name
+3. Would a more specific error code help?
+
+#### Invalid artifactTypes in notation verifier | Susan
+
+##### Current Error
+```
+"verifierReports": [
+ {
+ "subject": "ghcr.io/deislabs/ratify/notary-image@sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b",
+ "isSuccess": false,
+ "message": "verification failed: Error: no verifier report, Code: NO_VERIFIER_REPORT, Component Type: executor, Description: No verifier report was generated. This might be due to various factors, such as lack of artifacts attached to the image, a misconfiguration in the Referrer Store preventing access to the registry, or the absence of appropriate verifiers corresponding to the referenced image artifacts."
+ }
+ ]
+```
+
+##### Improvement
+We should link to a TSG with potential root cause and fix.
+
+#### invalid(non-existing) trustStores | Susan
+
+##### Current Error
+```
+ "verifierReports": [
+ {
+ "isSuccess": false,
+ "name": "verifier-notation",
+ "type": "notation",
+ "message": "Original Error: (Original Error: (valid certificates must be provided, only CA certificates or self-signed signing certificates are supported), Error: verify plugin failure, Code: VERIFY_PLUGIN_FAILURE, Plugin Name: verifier-notation, Component Type: verifier, Documentation: https://ratify.dev/docs/troubleshoot/verifier/notation, Detail: failed to verify signature of digest), Error: verify reference failure, Code: VERIFY_REFERENCE_FAILURE, Plugin Name: verifier-notation, Component Type: verifier",
+ "artifactType": "application/vnd.cncf.notary.signature"
+ }
+ ]
+```
+
+##### Improvement
+Wondering if we could have trust store missing error.
+
+#### Unsupported registryScope | Susan
+##### Current Error
+```
+"verifierReports": [
+ {
+ "isSuccess": false,
+ "name": "verifier-notation",
+ "type": "notation",
+ "message": "Original Error: (Original Error: (artifact \"ghcr.io/deislabs/ratify/notary-image@sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b\" has no applicable trust policy. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy), Error: verify plugin failure, Code: VERIFY_PLUGIN_FAILURE, Plugin Name: verifier-notation, Component Type: verifier, Documentation: https://ratify.dev/docs/troubleshoot/verifier/notation, Detail: failed to verify signature of digest), Error: verify reference failure, Code: VERIFY_REFERENCE_FAILURE, Plugin Name: verifier-notation, Component Type: verifier",
+ "artifactType": "application/vnd.cncf.notary.signature"
+ }
+ ]
+```
+
+##### Improvement
+The error has `no applicable trust policy.` is helpful.
+
+#### Invalid trustedIdentity | Susan
+
+##### Current Error
+```
+ time=2024-07-17T01:47:19.106388964Z level=error msg=Original Error: (trust policy statement "default" has trusted identity "ratifytest, test" missing separator), Error: plugin init failure, Code: PLUGIN_INIT_FAILURE, Plugin Name: verifier-notation, Component Type: verifierunable to create verifier from verifier crd
+```
+
+#### Certificate has no matching trusted identity | Susan
+##### Current Error
+
+```
+ "verifierReports": [
+ {
+ "isSuccess": false,
+ "name": "verifier-notation",
+ "type": "notation",
+ "message": "Original Error: (Original Error: (error while parsing the certificate subject from the digital signature. error : \"distinguished name (DN) \\\"CN=ratify.default\\\" has no mandatory RDN attribute for \\\"C\\\", it must contain 'C', 'ST', and 'O' RDN attributes at a minimum\"), Error: verify plugin failure, Code: VERIFY_PLUGIN_FAILURE, Plugin Name: verifier-notation, Component Type: verifier, Documentation: https://ratify.dev/docs/troubleshoot/verifier/notation, Detail: failed to verify signature of digest), Error: verify reference failure, Code: VERIFY_REFERENCE_FAILURE, Plugin Name: verifier-notation, Component Type: verifier",
+ "artifactType": "application/vnd.cncf.notary.signature"
+ }
+ ]
+```
+
+#### Cosign verifier references invalid key provider | Binbin
+
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: huishwabbit1.azurecr.io/test8may24@sha256:c780036bc8a6f577910bf01151013aaa18e255057a1653c76d8f3572aa3f6ff6
+```
+Error log:
+```
+cosign verification failed: Error: config invalid, Code: CONFIG_INVALID, Plugin Name: verifier-cosign, Component Type: verifier, Detail: trust policy [default] failed to access key management provider ratify-cosign-inline-key-1, err: failed to access non-existent key management provider: ratify-cosign-inline-key-1
+```
+
+#### Invalid artifactTypes in cosign verifier(same question) | Binbin
+
+##### Current Error
+Terminal reponse:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: huishwabbit1.azurecr.io/test8may24@sha256:c780036bc8a6f577910bf01151013aaa18e255057a1653c76d8f3572aa3f6ff6
+```
+Error log:
+```
+verification failed: Error: no verifier report, Code: NO_VERIFIER_REPORT, Component Type: executor, Description: No verifier report was generated. This might be due to various factors, such as lack of artifacts attached to the image, a misconfiguration in the Referrer Store preventing access to the registry, or the absence of appropriate verifiers corresponding to the referenced image artifacts.
+```
+
+##### Improvement
+Consider validating the artifactType when applying CR
+
+#### Unsupported scope is provided in cosign verifier | Binbin
+##### Current Error
+Failed to create cosign verifier. Error log: ![image](../img/ratify-errors/SJTOOXhDA.png)
+
+
+#### Conflict scopes from multiple policies in cosign verifier | Binbin
+
+##### Current Error
+Failed to create cosign verifier. Error log: ![image](../img/ratify-errors/H1KYhmnDA.png)
+
+
+#### Invalid cert identity/cert OIDC issuer for keyless cosign verifier | Binbin
+
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testcosign@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+Error log: ![image](../img/ratify-errors/r1vemTRwC.png)
+
+#### Configured keyless cosign verifier to verify a keyed signature | Binbin
+
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testimage@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+Error log: ![image](../img/ratify-errors/rkrEZvfd0.png)
+
+#### Cosign verifier configured a wrong public key | Binbin
+
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testimage@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+Error log: ![image](../img/ratify-errors/HJHWNwfuC.png)
+
+#### Cosign verifier references non-existent kmp | Binbin
+
+##### Current Error
+Error log:
+```
+cosign verification failed: Error: config invalid, Code: CONFIG_INVALID, Plugin Name: verifier-cosign, Component Type: verifier, Detail: trust policy [default] failed to access key management provider ratify-cosign-inline-key-1, err: failed to access non-existent key management provider: ratify-cosign-inline-key-1
+```
+
+### Policy
+
+#### `metadata.name` is changed other than ratify-policy | Binbin
+
+##### Current Error
+Error log while applying the CR:
+```
+metadata.name must be ratify-policy, got ratify-policy2
+```
+It will keep using the previous policy.
+
+#### Invalid spec.type | Binbin
+
+##### Current Error
+Error log after applying CR:
+```
+time=2024-07-18T06:58:03.394537164Z level=error msg=unable to create policy from policy crd: failed to create policy enforcer: failed to create policy provider: Error: policy provider not found, Code: POLICY_PROVIDER_NOT_FOUND, Plugin Name: configpolicy2, Component Type: policyProvider, Documentation: https://ratify.dev/docs/reference/crds/policies, Detail: policy type: configpolicy2 is not registered policy provider
+```
+And it will keep using the previous policy
+
+#### Invalid policy value except `all` and `or` in config policy | Binbin
+
+##### Current Error
+
+No error log upon applying CR.
+Terminal response on deployment:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testimage2@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+No error log.
+
+#### Invalid policy string is provided in rego policy | Binbin
+
+##### Current Error
+Error log during applying CR:
+```
+time=2024-07-18T08:11:13.480990932Z level=error msg=unable to create policy from policy crd: failed to create policy enforcer: failed to create policy provider: Original Error: (Original Error: (failed to create policy engine: failed to create policy query, err: failed to prepare rego query, err: 1 error occurred: policy.rego:4: rego_parse_error: var cannot be used for rule name), Error: plugin init failure, Code: PLUGIN_INIT_FAILURE, Plugin Name: regopolicy, Component Type: policyProvider, Documentation: https://ratify.dev/docs/reference/providers, Detail: failed to create OPA engine), Error: plugin init failure, Code: PLUGIN_INIT_FAILURE, Plugin Name: regopolicy, Component Type: policyProvider, Documentation: https://ratify.dev/docs/reference/providers, Detail: failed to create policy provider
+```
+
+## Access Control
+### ACR
+#### `AcrPull` role is not assigned | Juncheng
+##### Current Error
+Error log:
+```
+time=2024-07-17T16:28:16.939576441Z level=warning msg=Original Error: (Original Error: (HEAD "https://roacr.azurecr.io/v2/net-monitor/manifests/v2": GET "https://roacr.azurecr.io/oauth2/token?scope=repository%3Anet-monitor%3Apull&service=roacr.azurecr.io": response status code 401: unauthorized: authentication required, visit https://aka.ms/acr/authorization for more information.), Error: repository operation failure, Code: REPOSITORY_OPERATION_FAILURE, Plugin Name: oras), Error: get subject descriptor failure, Code: GET_SUBJECT_DESCRIPTOR_FAILURE, Plugin Name: oras, Component Type: referrerStore, Detail: failed to resolve the subject descriptor component-type=referrerStore go.version=go1.21.10 namespace= trace-id=34b27888-5402-443e-9836-77124c840561
+```
+![image](../img/ratify-errors/SkUQfOr_0.png)
+
+##### Improvement
+
+1. Users just need to know 401 error.
+2. VerifierReports.Message should contain info including 401, repository operation failure and getSubject(optional)
+3. probably different logs for each nested error
+
+### AKV
+#### `Key Vault Secrets User` role is not assigned for notation signature | Juncheng
+
+##### Current Error
+Error logs:
+```
+time=2024-07-17T17:40:22.299403863Z level=error msg=authenticity validation failed. Failure reason: unable to fetch certificates for namedStore: certs component-type=verifier go.version=go1.21.10 namespace= trace-id=af227387-267c-4abc-b536-1ad423918726
+```
+![image](../img/ratify-errors/rym_MFHOC.png)
+
+##### Improvement
+Reverse error msg and failure reason. Failure during akv fetching. Potential reason: no certs/invalid auth. List all possible reason. **Important: Add error field in KMP to return to verifier.**
+
+#### `Key Vault Crypto User` role is not assigned for cosign signature | Juncheng
+
+##### Current Error
+Error log:
+```
+time=2024-07-17T19:01:24.928790514Z level=error msg=Reconciler error KeyManagementProvider=keymanagementprovider-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=failed to create key management provider provider: Original Error: (Original Error: (failed to acquire token: failed to acquire AAD token: FromAssertion(): http call(https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/v2.0/token)(POST) error: reply status code was 401:{"error":"invalid_client","error_description":"AADSTS70025: Client application has no configured federated identity credentials. Trace ID: 479893ff-f447-44d8-abbe-da02e9897300 Correlation ID: fa4c8a02-7d90-4858-9951-e485843c66e1 Timestamp: 2024-07-17 19:01:24Z","error_codes":[70025],"timestamp":"2024-07-17 19:01:24Z","trace_id":"479893ff-f447-44d8-abbe-da02e9897300","correlation_id":"fa4c8a02-7d90-4858-9951-e485843c66e1"}), Error: auth denied, Code: AUTH_DENIED, Plugin Name: azurekeyvault, Component Type: keyManagementProvider, Documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/overview, Detail: failed to get authorizer for keyvault client, Stack trace:(omit_stack_trace)), Error: plugin init failure, Code: PLUGIN_INIT_FAILURE, Plugin Name: azurekeyvault, Component Type: keyManagementProvider, Documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/overview, Detail: failed to create keyvault client name=keymanagementprovider-akv namespace= reconcileID=28f52896-543a-48de-8770-9820d9d6b063
+```
+
+##### Improvement
+KMP state is invalid/KMP cached certs/keys
+
+## Signature Verification
+
+#### No matching verifier for notation signature | Akash
+##### Test Error
+Terminal Response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: ghcr.io/ratify-project/ratify/notary-image@sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b
+```
+![image](../img/ratify-errors/Sy6OtPVuC.png)
+Rego policy will not show any message simply shows:`{"verifierReports": []}`
+
+##### Improvment
+1. Provide artifactType.
+2. Message: failed to verify the artifact of type ...
+3. Reason: no matching verifier configured for ...
+
+#### No matching verifier for cosign signature | Akash
+##### Test Error
+Same behavior as previous test case.
+Terminal Response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification:
+```
+Rego policy will not show any message simply shows:`{"verifierReports": []}`
+
+#### Image is not signed | Akash
+
+##### Current Error
+Terminal Response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: docker.io/library/hello-world@sha256:1408fec50309afee38f3535383f5b09419e6dc0925bc69891e79d84cc4cdcec6
+```
+![image](../img/ratify-errors/SyfhDP4dC.png)
+Rego policy will not show any message simply shows:`{"verifierReports": []}`
+
+##### Improvement
+Reason: artifact is not signed or signature is found
+
+#### Image is signed with notation signature, but KMP provides a different certificate resulting to verification failure | Akash
+
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: ghcr.io/ratify-project/ratify/notary-image@sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b
+```
+![image](../img/ratify-errors/rys__uEOA.png)
+
+##### Improvement
+Probably need more accurate or descriptive msg from notation-go
+
+#### Image is signed with cosign signature, but KMP provides a different key resulting to verification failure | Akash
+##### Current Error
+Terminal Response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: generaltest.azurecr.io/cosign/hello-world@sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7
+```
+![image](../img/ratify-errors/B12iZKE_C.png)
+
+#### Images are signed by unknown identities so that verification should fail. (Notary Project signatures) | Akash
+
+##### Current Error
+Terminal Response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: ghcr.io/ratify-project/ratify/notary-image@sha256:8e3d01113285a0e4aa574da8eb9c0f112a1eb979d72f73399d7175ba3cdb1c1b
+```
+
+![image](../img/ratify-errors/rJvv5_N_0.png)
+
+##### Improvement
+same as prev case that uses different cert
+
+#### Images are signed by unknown keys so that verification should fail (Cosign key-pair signatures) | Akash
+##### Current Error
+
+Terminal Response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: generaltest.azurecr.io/cosign/hello-world@sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7
+```
+![image](../img/ratify-errors/B12iZKE_C.png)
+
+#### Revocation: Images are signed with revoked certificates
+#### Timestamp: Images are signed before certificate expired but cert is expired now (Time-stamp support is required and users specify TSA root certificate)
+#### Images are signed with multiple signatures, but some signature is missing matching verifier | Binbin
+##### Current Error
+It passes using config-policy, but can fail using rego-policy.
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testimage@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+![image](../img/ratify-errors/Byrwl2zuC.png)
+
+#### Images are signed with multiple signatures, and policy requires all signatures pass. | Binbin
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testimage@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+Error log: ![image](../img/ratify-errors/SkubOnMuA.png)
+
+#### Images are signed with multiple signatures, and no matching verifiers configured | Binbin
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Error validating one or more images: ["libinbinacr.azurecr.io/testimage@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556", "Error: config invalid, Code: CONFIG_INVALID, Component Type: verifier, Detail: verifiers config should have at least one verifier"]
+```
+
+#### Images are signed with multiple signatures, and policy requires at least one signature pass | Binbin
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testimage@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+Error log: ![image](../img/ratify-errors/rJtithG_0.png)
+
+##### Improvement
+print notation signature digest
+
+#### certificate is rotated, but Ratify didn't refresh it and previous cert is expired | Binbin
+##### Current Error
+Terminal Response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testimage@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+Error Log: ![image](../img/ratify-errors/SJqHDNL_A.png)
+
+#### key is rotated, but Ratify didn't refresh it | Binbin
+##### Current Error
+Terminal response:
+```
+Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: libinbinacr.azurecr.io/testimage@sha256:f2502800f0663995420b13214a0d20eae1ec9a3c072f99c462cef0132a684556
+```
+Error log: ![image](../img/ratify-errors/ryMGu8L_C.png)
+
+#### Timeout during keyless cosign verification
+#### Timeout from requests to remote registry
+#### Timeout during cert revocation evaluation for notation signature
+Reference: https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#certificate-revocation-evaluation
\ No newline at end of file
diff --git a/docs/img/ratify-errors/B12iZKE_C.png b/docs/img/ratify-errors/B12iZKE_C.png
new file mode 100644
index 000000000..cd8b317ef
Binary files /dev/null and b/docs/img/ratify-errors/B12iZKE_C.png differ
diff --git a/docs/img/ratify-errors/Byrwl2zuC.png b/docs/img/ratify-errors/Byrwl2zuC.png
new file mode 100644
index 000000000..972cb5201
Binary files /dev/null and b/docs/img/ratify-errors/Byrwl2zuC.png differ
diff --git a/docs/img/ratify-errors/H1KYhmnDA.png b/docs/img/ratify-errors/H1KYhmnDA.png
new file mode 100644
index 000000000..78eb47cae
Binary files /dev/null and b/docs/img/ratify-errors/H1KYhmnDA.png differ
diff --git a/docs/img/ratify-errors/HJHWNwfuC.png b/docs/img/ratify-errors/HJHWNwfuC.png
new file mode 100644
index 000000000..1d1ba7c9f
Binary files /dev/null and b/docs/img/ratify-errors/HJHWNwfuC.png differ
diff --git a/docs/img/ratify-errors/SJTOOXhDA.png b/docs/img/ratify-errors/SJTOOXhDA.png
new file mode 100644
index 000000000..196746985
Binary files /dev/null and b/docs/img/ratify-errors/SJTOOXhDA.png differ
diff --git a/docs/img/ratify-errors/SJqHDNL_A.png b/docs/img/ratify-errors/SJqHDNL_A.png
new file mode 100644
index 000000000..c61490fd1
Binary files /dev/null and b/docs/img/ratify-errors/SJqHDNL_A.png differ
diff --git a/docs/img/ratify-errors/SkUQfOr_0.png b/docs/img/ratify-errors/SkUQfOr_0.png
new file mode 100644
index 000000000..0a621e6b2
Binary files /dev/null and b/docs/img/ratify-errors/SkUQfOr_0.png differ
diff --git a/docs/img/ratify-errors/SkubOnMuA.png b/docs/img/ratify-errors/SkubOnMuA.png
new file mode 100644
index 000000000..3ba9507b0
Binary files /dev/null and b/docs/img/ratify-errors/SkubOnMuA.png differ
diff --git a/docs/img/ratify-errors/Sy6OtPVuC.png b/docs/img/ratify-errors/Sy6OtPVuC.png
new file mode 100644
index 000000000..9a870767c
Binary files /dev/null and b/docs/img/ratify-errors/Sy6OtPVuC.png differ
diff --git a/docs/img/ratify-errors/SyfhDP4dC.png b/docs/img/ratify-errors/SyfhDP4dC.png
new file mode 100644
index 000000000..c0ab26800
Binary files /dev/null and b/docs/img/ratify-errors/SyfhDP4dC.png differ
diff --git a/docs/img/ratify-errors/r1vemTRwC.png b/docs/img/ratify-errors/r1vemTRwC.png
new file mode 100644
index 000000000..88036620e
Binary files /dev/null and b/docs/img/ratify-errors/r1vemTRwC.png differ
diff --git a/docs/img/ratify-errors/rJtithG_0.png b/docs/img/ratify-errors/rJtithG_0.png
new file mode 100644
index 000000000..29bc56ce9
Binary files /dev/null and b/docs/img/ratify-errors/rJtithG_0.png differ
diff --git a/docs/img/ratify-errors/rJvv5_N_0.png b/docs/img/ratify-errors/rJvv5_N_0.png
new file mode 100644
index 000000000..312dd41fc
Binary files /dev/null and b/docs/img/ratify-errors/rJvv5_N_0.png differ
diff --git a/docs/img/ratify-errors/rkrEZvfd0.png b/docs/img/ratify-errors/rkrEZvfd0.png
new file mode 100644
index 000000000..5972e63f5
Binary files /dev/null and b/docs/img/ratify-errors/rkrEZvfd0.png differ
diff --git a/docs/img/ratify-errors/ryMGu8L_C.png b/docs/img/ratify-errors/ryMGu8L_C.png
new file mode 100644
index 000000000..fc968e65f
Binary files /dev/null and b/docs/img/ratify-errors/ryMGu8L_C.png differ
diff --git a/docs/img/ratify-errors/rym_MFHOC.png b/docs/img/ratify-errors/rym_MFHOC.png
new file mode 100644
index 000000000..2cb1fd2ed
Binary files /dev/null and b/docs/img/ratify-errors/rym_MFHOC.png differ
diff --git a/docs/img/ratify-errors/rys__uEOA.png b/docs/img/ratify-errors/rys__uEOA.png
new file mode 100644
index 000000000..9f4ae33b0
Binary files /dev/null and b/docs/img/ratify-errors/rys__uEOA.png differ
diff --git a/docs/proposals/Release-Supply-Chain-Metadata.md b/docs/proposals/Release-Supply-Chain-Metadata.md
new file mode 100644
index 000000000..e50806de1
--- /dev/null
+++ b/docs/proposals/Release-Supply-Chain-Metadata.md
@@ -0,0 +1,192 @@
+# Supply Chain Metadata for Ratify Assets
+
+Ratify currently publishes multiple forms of release assets both for production and development uses. Currently, these assets are not published with accompanying supply chain metadata including signatures, SBOMs, and provenance. Shipping each of these forms of metadata with all binaries and container images produced by Ratify will provide consumers a verifiable way to guarantee integrity of Ratify assets. Furthermore, this will improve Ratify's OSSF scorecard. In general, Ratify will prioritize addressing HIGH, MEDIUM risks surfaced by OSSF scorecard. Learn more about the OSSF checks performed [here](https://github.com/ossf/scorecard/blob/main/docs/checks.md)
+
+## What does Ratify currently publish?
+
+Ratify publishes two types: release and development. Release assets accompany official Ratify Github releases. Development assets are published weekly (or adhoc as needed).
+
+Each publish type includes the following group of assets:
+
+* CRD container image to `ghcr.io/ratify-project`
+* Base container image to `ghcr.io/ratify-project`
+* Base + plugins container image to `ghcr.io/ratify-project`
+* Ratify binaries as a single bundle per OS/arch which includes:
+ * ratify binary
+ * sbom-verifier plugin binary
+ * vulernability-report verifier plugin binary
+* `checksums.txt` which contains list of checksum for each binary bundle
+* Helm chart
+ * Release ONLY: published packaged helm chart to `ratify-project.github.io`
+ * Dev ONLY: published packaged helm chart to `ghcr.io/ratify-project`
+* Source code (zip + tar ball)
+
+## Signatures
+
+Ratify should support signing all container images and binaries with both Sigstore Cosign and Notary Project.
+
+### Notary Project Image Signatures
+
+Ratify can utilize Notary Project's install and sign github actions published.
+Notation requires a KMS to store the signing certificate. There is no support for Github Encrypted Secrets for storing the certificate.
+
+1. Configure Notation action to sign using certificate's associated key stored in AKV.
+2. Sign CRD, base, plugin images
+
+#### Certificate Lifecycle Management
+
+Ratify will use a self-signed certificate stored in Azure Key Vault. This certificate is valid for 1 year. A new version is auto-generated after 9.5 months.
+The notation signing action will be configured to always use the latest certificate version.
+
+The verification certificate will be published in 2 different directories:
+
+* Ratify website @ `ratify.dev/.well-known/pki-validation/...`
+* Root of Ratify github repository @ `https://github.com/ratify-project/ratify/main/.well-known/pki-validation/...`
+
+The verification steps in the security section of Ratify website will recommend downloading certificates from the ratify website.
+
+The latest certificate can always be found at `ratify.dev/.well-known/pki-validation/ratify-verification.crt`. When a new version of the certificate is generated, the `./ratify-verification.crt` content MUST be updated to contain the new certificate. The previous version will be preserved as a separate file following convention: `./ratify-verification_.crt` where `` is the last date where that particular certificate version was valid. Ratify will NOT re-sign any dev release assets so older versions of certificates must be published so users can continue to validate those.
+
+NOTE: certificate update operations will be a MANUAL process and maintainers must track certificate regeneration date and make updates accordingly as specified by convention above.
+
+### Cosign Image Signatures
+
+Ratify can utilize Cosign's installer github action to install cosign on the runner. There is no accompanying sign action so the CLI must be directly used. Cosign will be used to generate keyless signatures. Signature will be uploaded to the Sigstore public-good transparency log. Cosign will use Ratify's workflow OIDC identity for signing. This will guarantee that the trusted identity is the Ratify workflow that published the images.
+
+1. Sign CRD, base, plugin images with cosign keyless
+
+### Sign binaries
+
+Notary Project is about to release support for blob signing which allows for all binaries to be signed using the same signing certificate used for container image signing. The public certificate can be appended to the release assets.
+
+Cosign has support for binary signing and Ratify can leverage the built-in GoReleaser support to achieve this. The keyless support will automatically append the `.sig` files as well as `.pem` to use for verification to the release.
+
+## SBOM
+
+There are multiple tools for generating SBOMS such as Syft, Trivy, Microsoft SBOM tool, etc.
+
+### Docker Buildx Attestations
+
+Recently, Ratify added support for generating SBOM in-toto attestations via buildx. Buildx supports generating SBOM via Syft and attaching the attestation as an OCI Image part of the top level image index. Read more [here](https://ratify.dev/docs/next/troubleshoot/security#build-attestations).
+
+Other OSS projects such as Gatekeeper publish attestations in a similar fashion. It's very simple to add such support making adoption more widespread.
+
+These attestations produced via buildx adhere to a docker-specific standard for discoverability and verification.
+
+Here's an example image index with an SBOM attestation:
+
+```bash
+$ docker buildx imagetools inspect ghcr.io/ratify-project/ratify:v1.3.0
+Name: ghcr.io/ratify-project/ratify:latest
+MediaType: application/vnd.oci.image.index.v1+json
+Digest: sha256:f261f5076b8a1fd3f53cfbd10f647899d5875e4fcd40b1854598a18f580b422d
+
+Manifests:
+ Name: ghcr.io/ratify-project/ratify:v1.3.0@sha256:c99c9b5edfe005e0454c4160388a70520844d1856c1fcc3f8557532d6a034f32
+ MediaType: application/vnd.oci.image.manifest.v1+json
+ Platform: linux/amd64
+
+ Name: ghcr.io/ratify-project/ratify:v1.3.0@sha256:f1b520af44d5e22b9b8702cbbcd651092df8672ed7822851266b17947c2a0962
+ MediaType: application/vnd.oci.image.manifest.v1+json
+ Platform: linux/arm64
+
+ Name: ghcr.io/ratify-project/ratify:v1.3.0@sha256:6105d973c1c672379abfdb63486a0327d612c4fe67bb62e4d20cb910c0008aa9
+ MediaType: application/vnd.oci.image.manifest.v1+json
+ Platform: linux/arm/v7
+
+ Name: ghcr.io/ratify-project/ratify:v1.3.0@sha256:836450813252daf7854b0aec1ccafe486bbb1352ec234b9adf105ddc24b0cb37
+ MediaType: application/vnd.oci.image.manifest.v1+json
+ Platform: unknown/unknown
+ Annotations:
+ vnd.docker.reference.digest: sha256:c99c9b5edfe005e0454c4160388a70520844d1856c1fcc3f8557532d6a034f32
+ vnd.docker.reference.type: attestation-manifest
+
+ Name: ghcr.io/ratify-project/ratify:v1.3.0@sha256:dcfa5faf20c916c9a41dd4636939594d8164f467ebb00d73570ae13cbcbf59ad
+ MediaType: application/vnd.oci.image.manifest.v1+json
+ Platform: unknown/unknown
+ Annotations:
+ vnd.docker.reference.digest: sha256:f1b520af44d5e22b9b8702cbbcd651092df8672ed7822851266b17947c2a0962
+ vnd.docker.reference.type: attestation-manifest
+
+ Name: ghcr.io/ratify-project/ratify:v1.3.0@sha256:c936d0ed115975ee7fc8196fbc5baff8100e92bff3d401c60df6396b9451e773
+ MediaType: application/vnd.oci.image.manifest.v1+json
+ Platform: unknown/unknown
+ Annotations:
+ vnd.docker.reference.type: attestation-manifest
+ vnd.docker.reference.digest: sha256:6105d973c1c672379abfdb63486a0327d612c4fe67bb62e4d20cb910c0008aa9
+```
+
+You can see the `attestation-manifest` reference-type.
+
+To inspect, it's recommended to use docker's image inspection tool:
+
+```shell
+docker buildx imagetools inspect ghcr.io/ratify-project/ratify:v1.3.0 --format '{{ json .SBOM }}'
+```
+
+### Referrer Artifacts
+
+Ratify should support generating SBOMs via an OSS tool and attach to the published container images via ORAS. This would be in line with the Ratify verification capabilities supported by the project.
+
+### SBOM Binary Artifacts
+
+Ratify should support publishing an SBOM in a common format like SPDX as a release artifact published next to each OS/arch specific binary.
+
+GoRelease already support automatic SBOM generation and Ratify should update GoReleaser to take advantage of this support. Example [here](https://github.com/goreleaser/goreleaser-example-supply-chain/blob/d6d60f6320dbe97bda24b6351d9afa2035b3a23a/.goreleaser.yaml#L48).
+
+Ratify should also sign the SBOM using both notation and cosign.
+
+## Provenance
+
+### Docker Buildx Attestation
+
+Please refer to SBOM section for format [details](#docker-buildx-attestations).
+
+Ratify also added SLSA provenance attestation generation support as part of docker buildx. Similar to SBOM support, this adds a SLSA provenance attestation to the image index during image build.
+
+### Referrer Artifacts (TBD)
+
+As a future improvement, Ratify can look into attaching the SLSA build provenance metadata as a referrer artifact attached to the image. This might be in the form of a standalone artifact or packaged in an in-toto attestation.
+
+### Provenance Binary Artifacts
+
+Ratify should support publishing an provenance file for each OS/arch binary. The OSSF scorecard also recommends (and looks for) a provenance file in the release.
+
+This would involve adding an extra workflow to generate the SLSA provenance for each output binary after GoReleaser has finished. Example [here](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml).
+
+Ratify should also sign each Provenance release file with notation and cosign.
+
+## Proposed Dev Implementation
+
+### Questions
+
+1. Is it ok to use a self-signed certificate for Ratify's signing purposes? Yes, we are ok with this.
+2. How do we handle certificate revocation scenarios? Is it Ratify's responsibility to resign all the release and dev images? Ratify will follow the supportability promise and only resign the **latest** minor release assets.
+3. For binary signing, should Ratify only sign the `checksums.txt` or should Ratify sign all the assets individually? All assets should be signed.
+4. Do we need to publish the same artifacts as referrers as well or is it sufficient to use docker buildx attestations? Ratify will consider this in the future as need arises. Right now, other OSS projects, like OPA Gatekeeper. have adopted buildx attestations.
+
+### Stage 1
+
+* Generate SBOM buildx attestations and publish for release and dev images
+* Generate SLSA provenance buildx attestation and publish for release and dev images
+* Add verification guidance to Ratify website under `Security` section
+
+### Stage 2
+
+* Container image signing using Notation for dev images and chart
+ * Generate and store self signed certificate in Azure Key vault
+ * AKV is in same subscription used for azure e2e tests
+ * Publish verification public cert in the root of the Ratify repo
+* Container image signing using Cosign for dev images
+ * Keyless support only
+ * Publish to rekor public good transparency log
+* Signing support only introduced for dev images to test if workflow and approach is what Ratify should adopt long term
+* Add SBOM generation to GoReleaser
+* Add verification guidance to Ratify website under `Security` section
+
+### Future (TBD)
+
+* Attach SBOMs to release and dev images using Syft (not as in-toto attestations)
+* Add Provenance generation after GoReleaser
+* Introduce binary signing using Notation and Cosign
+* Attach SLSA provenance to release and dev images as referrers
diff --git a/go.mod b/go.mod
index 1d34acb48..1c03ba92e 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
github.com/dapr/go-sdk v1.8.0
github.com/dgraph-io/ristretto v0.1.1
github.com/distribution/reference v0.5.0
- github.com/docker/cli v24.0.9+incompatible
+ github.com/docker/cli v26.1.5+incompatible
github.com/docker/distribution v2.8.3+incompatible
github.com/fsnotify/fsnotify v1.7.0
github.com/go-jose/go-jose/v3 v3.0.3
@@ -51,7 +51,7 @@ require (
google.golang.org/protobuf v1.34.2
k8s.io/api v0.28.12
k8s.io/apimachinery v0.28.12
- k8s.io/client-go v0.28.11
+ k8s.io/client-go v0.28.12
oras.land/oras-go/v2 v2.5.0
)
@@ -91,7 +91,7 @@ require (
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
github.com/dimchansky/utfbom v1.1.1 // indirect
- github.com/docker/docker v24.0.9+incompatible // indirect
+ github.com/docker/docker v26.1.5+incompatible // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/evanphx/json-patch v4.12.0+incompatible // indirect
github.com/evanphx/json-patch/v5 v5.6.0 // indirect
diff --git a/go.sum b/go.sum
index 20714a008..320634ea3 100644
--- a/go.sum
+++ b/go.sum
@@ -238,12 +238,12 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi
github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v24.0.9+incompatible h1:OxbimnP/z+qVjDLpq9wbeFU3Nc30XhSe+LkwYQisD50=
-github.com/docker/cli v24.0.9+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v26.1.5+incompatible h1:NxXGSdz2N+Ibdaw330TDO3d/6/f7MvHuiMbuFaIQDTk=
+github.com/docker/cli v26.1.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.9+incompatible h1:HPGzNmwfLZWdxHqK9/II92pyi1EpYKsAqcl4G0Of9v0=
-github.com/docker/docker v24.0.9+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g=
+github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
@@ -964,8 +964,8 @@ k8s.io/apiextensions-apiserver v0.27.7 h1:YqIOwZAUokzxJIjunmUd4zS1v3JhK34EPXn+pP
k8s.io/apiextensions-apiserver v0.27.7/go.mod h1:x0p+b5a955lfPz9gaDeBy43obM12s+N9dNHK6+dUL+g=
k8s.io/apimachinery v0.28.12 h1:VepMEVOi9o7L/4wMAXJq+3BK9tqBIeerTB+HSOTKeo0=
k8s.io/apimachinery v0.28.12/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o=
-k8s.io/client-go v0.28.11 h1:YHtF6Bg4/DdYHHsx6f5Ti/0giwoo19t3DbBYYmo9xks=
-k8s.io/client-go v0.28.11/go.mod h1:yi2BW8PQhFDLGmZ3WbyTJYX5J8YM6n3WUj1fvL7pJ4g=
+k8s.io/client-go v0.28.12 h1:li7iRPRQF3vDki6gTxT/kXWJvw3BkJSdjVPVhDTZQec=
+k8s.io/client-go v0.28.12/go.mod h1:yEzH2Z+nEGlrnKyHJWcJsbOr5tGdIj04dj1TVQOg0wE=
k8s.io/component-base v0.27.7 h1:kngM58HR9W9Nqpv7e4rpdRyWnKl/ABpUhLAZ+HoliMs=
k8s.io/component-base v0.27.7/go.mod h1:YGjlCVL1oeKvG3HSciyPHFh+LCjIEqsxz4BDR3cfHRs=
k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
diff --git a/httpserver/Dockerfile b/httpserver/Dockerfile
index c976137f9..f0bf06d41 100644
--- a/httpserver/Dockerfile
+++ b/httpserver/Dockerfile
@@ -11,7 +11,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-FROM --platform=$BUILDPLATFORM golang:1.22@sha256:829eff99a4b2abffe68f6a3847337bf6455d69d17e49ec1a97dac78834754bd6 as builder
+FROM --platform=$BUILDPLATFORM golang:1.22@sha256:86a3c48a61915a8c62c0e1d7594730399caa3feb73655dfe96c7bc17710e96cf as builder
ARG TARGETPLATFORM
ARG TARGETOS
diff --git a/httpserver/types.go b/httpserver/types.go
index f307bc55d..8e3655cb5 100644
--- a/httpserver/types.go
+++ b/httpserver/types.go
@@ -22,9 +22,11 @@ import (
const (
VerificationResultVersion = "0.1.0"
+ ResultVersion0_2_0 = "0.2.0"
// Starting from this version, the verification result can be
// evaluated by Ratify embedded OPA engine.
ResultVersionSupportingRego = "1.0.0"
+ ResultVersion1_1_0 = "1.1.0"
)
type VerificationResponse struct {
@@ -34,9 +36,9 @@ type VerificationResponse struct {
}
func fromVerifyResult(res types.VerifyResult, policyType string) VerificationResponse {
- version := VerificationResultVersion
+ version := ResultVersion0_2_0
if policyType == pt.RegoPolicy {
- version = ResultVersionSupportingRego
+ version = ResultVersion1_1_0
}
return VerificationResponse{
Version: version,
diff --git a/httpserver/types_test.go b/httpserver/types_test.go
index ce2c359a2..04ed6da5c 100644
--- a/httpserver/types_test.go
+++ b/httpserver/types_test.go
@@ -32,12 +32,12 @@ func TestFromVerifyResult(t *testing.T) {
{
name: "Rego policy",
policyType: pt.RegoPolicy,
- expectedVersion: "1.0.0",
+ expectedVersion: "1.1.0",
},
{
name: "Config policy",
policyType: pt.ConfigPolicy,
- expectedVersion: "0.1.0",
+ expectedVersion: "0.2.0",
},
}
diff --git a/internal/logger/logger.go b/internal/logger/logger.go
index 6721cd65e..ff050cef3 100644
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -61,6 +61,8 @@ const (
Executor componentType = "executor"
// Server is the component type for the Ratify http server.
Server componentType = "server"
+ // CommandLine is the component type for the Ratify command line.
+ CommandLine componentType = "commandLine"
// ReferrerStore is the component type for the referrer store.
ReferrerStore componentType = "referrerStore"
// Cache is the component type for the cache.
diff --git a/pkg/executor/core/executor.go b/pkg/executor/core/executor.go
index ef9d27210..2cc90b028 100644
--- a/pkg/executor/core/executor.go
+++ b/pkg/executor/core/executor.go
@@ -175,19 +175,22 @@ func (executor Executor) verifyReferenceForJSONPolicy(ctx context.Context, subje
if verifier.CanVerify(ctx, referenceDesc) {
verifierStartTime := time.Now()
verifyResult, err := verifier.Verify(ctx, subjectRef, referenceDesc, referrerStore)
- verifyResult.Subject = subjectRef.String()
if err != nil {
verifyResult = vr.VerifierResult{
- IsSuccess: false,
- Name: verifier.Name(),
- Type: verifier.Type(),
- Message: errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace).Error()}
+ IsSuccess: false,
+ Name: verifier.Name(),
+ Type: verifier.Type(),
+ VerifierName: verifier.Name(),
+ VerifierType: verifier.Type(),
+ Message: errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace).Error()}
}
if len(verifier.GetNestedReferences()) > 0 {
executor.addNestedVerifierResult(ctx, referenceDesc, subjectRef, &verifyResult)
}
+ verifyResult.Subject = subjectRef.String()
+ verifyResult.ReferenceDigest = referenceDesc.Digest.String()
verifyResult.ArtifactType = referenceDesc.ArtifactType
verifyResults = append(verifyResults, verifyResult)
isSuccess = verifyResult.IsSuccess
@@ -227,10 +230,12 @@ func (executor Executor) verifyReferenceForRegoPolicy(ctx context.Context, subje
verifierResult, err := verifier.Verify(errCtx, subjectRef, referenceDesc, referrerStore)
if err != nil {
verifierReport = vt.VerifierResult{
- IsSuccess: false,
- Name: verifier.Name(),
- Type: verifier.Type(),
- Message: errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace).Error()}
+ IsSuccess: false,
+ Name: verifier.Name(), // Deprecating Name in next release, reference to VerifierName instead.
+ Type: verifier.Type(), // Deprecating Type in next release, reference to VerifierType instead.
+ VerifierName: verifier.Name(),
+ VerifierType: verifier.Type(),
+ Message: errors.ErrorCodeVerifyReferenceFailure.NewError(errors.Verifier, verifier.Name(), errors.EmptyLink, err, nil, errors.HideStackTrace).Error()}
} else {
verifierReport = vt.NewVerifierResult(verifierResult)
}
diff --git a/pkg/verifier/api.go b/pkg/verifier/api.go
index dcc549662..8f9695515 100644
--- a/pkg/verifier/api.go
+++ b/pkg/verifier/api.go
@@ -25,14 +25,19 @@ import (
// VerifierResult describes the result of verifying a reference manifest for a subject
type VerifierResult struct { //nolint:revive // ignore linter to have unique type name
- Subject string `json:"subject,omitempty"`
- IsSuccess bool `json:"isSuccess"`
- Name string `json:"name,omitempty"`
- Type string `json:"type,omitempty"`
- Message string `json:"message,omitempty"`
- Extensions interface{} `json:"extensions,omitempty"`
- NestedResults []VerifierResult `json:"nestedResults,omitempty"`
- ArtifactType string `json:"artifactType,omitempty"`
+ Subject string `json:"subject,omitempty"`
+ IsSuccess bool `json:"isSuccess"`
+ Name string `json:"name,omitempty"`
+ VerifierName string `json:"verifierName,omitempty"`
+ Type string `json:"type,omitempty"`
+ VerifierType string `json:"verifierType,omitempty"`
+ Message string `json:"message,omitempty"`
+ ErrorReason string `json:"errorReason,omitempty"`
+ Extensions interface{} `json:"extensions,omitempty"`
+ NestedResults []VerifierResult `json:"nestedResults,omitempty"`
+ ArtifactType string `json:"artifactType,omitempty"`
+ ReferenceDigest string `json:"referenceDigest,omitempty"`
+ Remediation string `json:"remediation,omitempty"`
}
// ReferenceVerifier is an interface that defines methods to verify a reference
diff --git a/pkg/verifier/cosign/cosign.go b/pkg/verifier/cosign/cosign.go
index 40a67fbfb..a5a3bc4c4 100644
--- a/pkg/verifier/cosign/cosign.go
+++ b/pkg/verifier/cosign/cosign.go
@@ -285,11 +285,13 @@ func (v *cosignVerifier) verifyInternal(ctx context.Context, subjectReference co
if hasValidSignature {
return verifier.VerifierResult{
- Name: v.name,
- Type: v.verifierType,
- IsSuccess: true,
- Message: "cosign verification success. valid signatures found. please refer to extensions field for verifications performed.",
- Extensions: Extension{SignatureExtension: sigExtensions, TrustPolicy: trustPolicy.GetName()},
+ Name: v.name,
+ Type: v.verifierType,
+ VerifierName: v.name,
+ VerifierType: v.verifierType,
+ IsSuccess: true,
+ Message: "Verification success. Valid signatures found. Please refer to extensions field for verifications performed.",
+ Extensions: Extension{SignatureExtension: sigExtensions, TrustPolicy: trustPolicy.GetName()},
}, nil
}
@@ -396,11 +398,13 @@ func (v *cosignVerifier) verifyLegacy(ctx context.Context, subjectReference comm
if len(signatures) > 0 {
return verifier.VerifierResult{
- Name: v.name,
- Type: v.verifierType,
- IsSuccess: true,
- Message: "cosign verification success. valid signatures found",
- Extensions: LegacyExtension{SignatureExtension: sigExtensions},
+ Name: v.name,
+ Type: v.verifierType,
+ VerifierName: v.name,
+ VerifierType: v.verifierType,
+ IsSuccess: true,
+ Message: "Verification success. Valid signatures found",
+ Extensions: LegacyExtension{SignatureExtension: sigExtensions},
}, nil
}
@@ -482,10 +486,13 @@ func staticLayerOpts(desc imgspec.Descriptor) ([]static.Option, error) {
// ErrorToVerifyResult returns a verifier result with the error message and isSuccess set to false
func errorToVerifyResult(name string, verifierType string, err error) verifier.VerifierResult {
return verifier.VerifierResult{
- IsSuccess: false,
- Name: name,
- Type: verifierType,
- Message: errors.Wrap(err, "cosign verification failed").Error(),
+ IsSuccess: false,
+ Name: name,
+ Type: verifierType,
+ VerifierName: name,
+ VerifierType: verifierType,
+ Message: "Verification failed",
+ ErrorReason: err.Error(),
}
}
diff --git a/pkg/verifier/cosign/cosign_test.go b/pkg/verifier/cosign/cosign_test.go
index 4ceb03a96..fde624a3e 100644
--- a/pkg/verifier/cosign/cosign_test.go
+++ b/pkg/verifier/cosign/cosign_test.go
@@ -407,8 +407,8 @@ func TestErrorToVerifyResult(t *testing.T) {
if verifierResult.Type != "cosign" {
t.Errorf("errorToVerifyResult() = %v, want %v", verifierResult.Type, "cosign")
}
- if verifierResult.Message != "cosign verification failed: test error" {
- t.Errorf("errorToVerifyResult() = %v, want %v", verifierResult.Message, "cosign verification failed: test error")
+ if verifierResult.Message != "Verification failed" {
+ t.Errorf("errorToVerifyResult() = %v, want %v", verifierResult.Message, "Verification failed")
}
}
@@ -562,6 +562,7 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
cosignOpts cosign.CheckOpts
store *mocks.MemoryTestStore
expectedResultMessagePrefix string
+ expectedErrorReason string
defaultCosignOpts bool
}{
{
@@ -569,14 +570,16 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
keys: map[PKKey]keymanagementprovider.PublicKey{},
getKeysError: true,
store: &mocks.MemoryTestStore{},
- expectedResultMessagePrefix: "cosign verification failed: error",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "error",
},
{
name: "manifest fetch error",
keys: map[PKKey]keymanagementprovider.PublicKey{},
getKeysError: false,
store: &mocks.MemoryTestStore{},
- expectedResultMessagePrefix: "cosign verification failed: failed to get reference manifest",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "failed to get reference manifest: manifest not found",
},
{
name: "incorrect reference manifest media type error",
@@ -589,7 +592,8 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
},
},
},
- expectedResultMessagePrefix: "cosign verification failed: reference manifest is not an image",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "reference manifest is not an image",
},
{
name: "failed subject descriptor fetch",
@@ -602,7 +606,8 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
},
},
},
- expectedResultMessagePrefix: "cosign verification failed: failed to create subject hash",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "failed to create subject hash: subject not found for sha256:5678",
},
{
name: "failed to fetch blob",
@@ -628,7 +633,8 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
},
},
},
- expectedResultMessagePrefix: "cosign verification failed: failed to get blob content",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "failed to get blob content: blob not found",
},
{
name: "invalid key type for AKV",
@@ -659,7 +665,8 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
blobDigest: validSignatureBlob,
},
},
- expectedResultMessagePrefix: "cosign verification failed: failed to verify with keys: failed to process AKV signature: unsupported public key type",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "failed to verify with keys: failed to process AKV signature: unsupported public key type: *ecdh.PublicKey",
},
{
name: "invalid RSA key size for AKV",
@@ -690,7 +697,8 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
blobDigest: validSignatureBlob,
},
},
- expectedResultMessagePrefix: "cosign verification failed: failed to verify with keys: failed to process AKV signature: RSA key check: unsupported key size",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "failed to verify with keys: failed to process AKV signature: RSA key check: unsupported key size: 128",
},
{
name: "invalid ECDSA curve type for AKV",
@@ -721,7 +729,8 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
blobDigest: validSignatureBlob,
},
},
- expectedResultMessagePrefix: "cosign verification failed: failed to verify with keys: failed to process AKV signature: ECDSA key check: unsupported key curve",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "failed to verify with keys: failed to process AKV signature: ECDSA key check: unsupported key curve: P-224",
},
{
name: "valid hash: 256 keysize: 2048 RSA key AKV",
@@ -761,7 +770,7 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
"sha256:6e1ffef2ba058cda5d1aa7ed792cb1e63b4207d8195a469bee1b5fc662cd9b70": []byte(`{"critical":{"identity":{"docker-reference":"artifactstest.azurecr.io/4-15-24/cosign/hello-world"},"image":{"docker-manifest-digest":"sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"},"type":"cosign container image signature"},"optional":null}`),
},
},
- expectedResultMessagePrefix: "cosign verification success",
+ expectedResultMessagePrefix: "Verification success",
},
{
name: "valid hash: 256 keysize: 3072 RSA key",
@@ -801,7 +810,7 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
"sha256:6e1ffef2ba058cda5d1aa7ed792cb1e63b4207d8195a469bee1b5fc662cd9b70": []byte(`{"critical":{"identity":{"docker-reference":"artifactstest.azurecr.io/4-15-24/cosign/hello-world"},"image":{"docker-manifest-digest":"sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"},"type":"cosign container image signature"},"optional":null}`),
},
},
- expectedResultMessagePrefix: "cosign verification success",
+ expectedResultMessagePrefix: "Verification success",
},
{
name: "valid hash: 256 curve: P256 ECDSA key AKV",
@@ -841,7 +850,7 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
"sha256:6e1ffef2ba058cda5d1aa7ed792cb1e63b4207d8195a469bee1b5fc662cd9b70": []byte(`{"critical":{"identity":{"docker-reference":"artifactstest.azurecr.io/4-15-24/cosign/hello-world"},"image":{"docker-manifest-digest":"sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"},"type":"cosign container image signature"},"optional":null}`),
},
},
- expectedResultMessagePrefix: "cosign verification success",
+ expectedResultMessagePrefix: "Verification success",
},
{
name: "valid hash: 256 curve: P384 ECDSA key",
@@ -881,7 +890,7 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
"sha256:6e1ffef2ba058cda5d1aa7ed792cb1e63b4207d8195a469bee1b5fc662cd9b70": []byte(`{"critical":{"identity":{"docker-reference":"artifactstest.azurecr.io/4-15-24/cosign/hello-world"},"image":{"docker-manifest-digest":"sha256:d37ada95d47ad12224c205a938129df7a3e52345828b4fa27b03a98825d1e2e7"},"type":"cosign container image signature"},"optional":null}`),
},
},
- expectedResultMessagePrefix: "cosign verification success",
+ expectedResultMessagePrefix: "Verification success",
},
{
name: "successful keyless verification",
@@ -917,7 +926,7 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
"sha256:d1226e36bc8502978324cb2cb2116c6aa48edb2ea8f15b1c6f6f256ed43388f6": []byte(`{"critical":{"identity":{"docker-reference":"wabbitnetworks.azurecr.io/test/cosign-image"},"image":{"docker-manifest-digest":"sha256:623621b56649b5e0c2c7cf3ffd987932f8f9a5a01036e00d6f3ae9480087621c"},"type":"cosign container image signature"},"optional":null}`),
},
},
- expectedResultMessagePrefix: "cosign verification success",
+ expectedResultMessagePrefix: "Verification success",
},
{
name: "failed keyless verification",
@@ -953,7 +962,8 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
"sha256:d1226e36bc8502978324cb2cb2116c6aa48edb2ea8f15b1c6f6f256ed43388f6": []byte(`{"critical":{"identity":{"docker-reference":"wabbitnetworks.azurecr.io/test/cosign-image"},"image":{"docker-manifest-digest":"sha256:623621b56649b5e0c2c7cf3ffd987932f8f9a5a01036e00d6f3ae9480087621c"},"type":"cosign container image signature"},"optional":null}`),
},
},
- expectedResultMessagePrefix: "cosign verification failed",
+ expectedResultMessagePrefix: "Verification failed",
+ expectedErrorReason: "failed to parse static signature opts: failed to unmarshal bundle from blob payload: illegal base64 data at input byte 91",
},
}
@@ -991,7 +1001,10 @@ mmBwUAwwW0Uc+Nt3bDOCiB1nUsICv1ry
}
result, _ := cosignVerifier.Verify(context.Background(), subjectRef, refDescriptor, tt.store)
if !strings.HasPrefix(result.Message, tt.expectedResultMessagePrefix) {
- t.Errorf("Verify() = %v, want %v", result.Message, tt.expectedResultMessagePrefix)
+ t.Errorf("result.Message = %v, want %v", result.Message, tt.expectedResultMessagePrefix)
+ }
+ if result.ErrorReason != tt.expectedErrorReason {
+ t.Fatalf("expected error reason: %s, but got: %s", tt.expectedErrorReason, result.ErrorReason)
}
})
}
diff --git a/pkg/verifier/notation/notation.go b/pkg/verifier/notation/notation.go
index 30648e474..1a4349347 100644
--- a/pkg/verifier/notation/notation.go
+++ b/pkg/verifier/notation/notation.go
@@ -46,10 +46,10 @@ import (
)
const (
- verifierType = "notation"
- defaultCertPath = "ratify-certs/notation/truststore"
- trustStoreTypeCA = string(truststore.TypeCA)
- trustStoreTypeypeSigningAuthority = string(truststore.TypeSigningAuthority)
+ verifierType = "notation"
+ defaultCertPath = "ratify-certs/notation/truststore"
+ trustStoreTypeCA = string(truststore.TypeCA)
+ trustStoreTypeSigningAuthority = string(truststore.TypeSigningAuthority)
)
// NotationPluginVerifierConfig describes the configuration of notation verifier
@@ -175,11 +175,13 @@ func (v *notationPluginVerifier) Verify(ctx context.Context,
}
return verifier.VerifierResult{
- Name: v.name,
- Type: v.verifierType,
- IsSuccess: true,
- Message: "signature verification success",
- Extensions: extensions,
+ Name: v.name,
+ Type: v.verifierType,
+ VerifierName: v.name,
+ VerifierType: v.verifierType,
+ IsSuccess: true,
+ Message: "Signature verification success",
+ Extensions: extensions,
}, nil
}
@@ -233,7 +235,7 @@ func (v *notationPluginVerifier) GetNestedReferences() []string {
func normalizeVerificationCertsStores(conf *NotationPluginVerifierConfig) error {
isCertStoresByType, isLegacyCertStore := false, false
for key := range conf.VerificationCertStores {
- if key != trustStoreTypeCA && key != trustStoreTypeypeSigningAuthority {
+ if key != trustStoreTypeCA && key != trustStoreTypeSigningAuthority {
isLegacyCertStore = true
logger.GetLogger(context.Background(), logOpt).Debugf("Get VerificationCertStores in legacy format")
} else {
diff --git a/pkg/verifier/types/types.go b/pkg/verifier/types/types.go
index 1c12dc086..2eed0a669 100644
--- a/pkg/verifier/types/types.go
+++ b/pkg/verifier/types/types.go
@@ -47,11 +47,14 @@ const (
// VerifierResult describes the verification result returned from the verifier plugin
type VerifierResult struct {
- IsSuccess bool `json:"isSuccess"`
- Message string `json:"message"`
- Name string `json:"name"`
- Type string `json:"type,omitempty"`
- Extensions interface{} `json:"extensions"`
+ IsSuccess bool `json:"isSuccess"`
+ Message string `json:"message"`
+ ErrorReason string `json:"errorReason,omitempty"`
+ Name string `json:"name"`
+ VerifierName string `json:"verifierName,omitempty"`
+ Type string `json:"type,omitempty"`
+ VerifierType string `json:"verifierType,omitempty"`
+ Extensions interface{} `json:"extensions"`
}
// GetVerifierResult encodes the given JSON data into verify result object
@@ -61,11 +64,13 @@ func GetVerifierResult(result []byte) (*verifier.VerifierResult, error) {
return nil, err
}
return &verifier.VerifierResult{
- IsSuccess: vResult.IsSuccess,
- Message: vResult.Message,
- Name: vResult.Name,
- Type: vResult.Type,
- Extensions: vResult.Extensions,
+ IsSuccess: vResult.IsSuccess,
+ Message: vResult.Message,
+ Name: vResult.Name,
+ Type: vResult.Type,
+ VerifierName: vResult.Name,
+ VerifierType: vResult.Type,
+ Extensions: vResult.Extensions,
}, nil
}
@@ -78,9 +83,12 @@ func WriteVerifyResultResult(result *verifier.VerifierResult, w io.Writer) error
// verifier.VerifierResult.
func NewVerifierResult(result verifier.VerifierResult) VerifierResult {
return VerifierResult{
- IsSuccess: result.IsSuccess,
- Message: result.Message,
- Name: result.Name,
- Extensions: result.Extensions,
+ IsSuccess: result.IsSuccess,
+ Message: result.Message,
+ Name: result.Name,
+ Type: result.Type,
+ VerifierName: result.VerifierName,
+ VerifierType: result.VerifierType,
+ Extensions: result.Extensions,
}
}