Connaisseur should early exit from verification when threshold is met #1200

Open
dbbhat opened this issue Aug 22, 2023 · 0 comments


dbbhat commented Aug 22, 2023

Describe the feature
Connaisseur should exit early from verifying signatures once the threshold is met.

Optional: Is your feature request related to a problem? Please describe.
We have a validator spec with two keys as trustRoots, as shown below:

```yaml
- name: cosignvalidator
  type: cosign
  trustRoots:
  - name: connaisseur-key-1
    key: k8s://connaisseur/connaisseur-secret-1
  - name: connaisseur-key-2
    key: k8s://connaisseur/connaisseur-secret-2
  auth:
    secretName: foo-secret  # reference a k8s secret in the form required by the validator type (check the docs)
```

and for the imagePolicy, the threshold is set to 1:

```yaml
- pattern: "<registry>/<foo>/<bar>/*:*"
  validator: cosignvalidator
  with:
    trustRoot: "*"
    threshold: 1
    verifyInTransparencyLog: false
```

However, from the logs, I am seeing that connaisseur verifies the signature against both of the specified keys:

```
{"timestamp": "2023-08-22 20:33:20.361542", "message": "COSIGN output of trust root 'connaisseur-key-1' for image'<registry-foo>:<tag-bar>': RETURNCODE: 0; STDOUT: {\"critical\":{\"identity\":{\"docker-reference\":\"<image-name>\"},\"image\":{\"docker-manifest-digest\":\"sha256:<digest>\"},\"type\":\"cosign container image signature\"},\"optional\":null}\n\n{\"critical\":{\"identity\":{\"docker-reference\":\"<foo>"},\"image\":{\"docker-manifest-digest\":\"sha256:<digest>\"},\"type\":\"cosign container image signature\"},\"optional\":null}\n\n; STDERR: **Warning** Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.\n\nVerification for nvcr.io/<foo>:<tag>--\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - The signatures were verified against the specified public key\n"}

{"timestamp": "2023-08-22 20:33:20.403335", "message": "COSIGN output of trust root 'connaisseur-key-1' for image'<registry-foo>:<tag-bar>': RETURNCODE: 0; STDOUT: {\"critical\":{\"identity\":{\"docker-reference\":\"<image-name>\"},\"image\":{\"docker-manifest-digest\":\"sha256:<digest>\"},\"type\":\"cosign container image signature\"},\"optional\":null}\n\n{\"critical\":{\"identity\":{\"docker-reference\":\"<foo>"},\"image\":{\"docker-manifest-digest\":\"sha256:<digest>\"},\"type\":\"cosign container image signature\"},\"optional\":null}\n\n; STDERR: **Warning** Skipping tlog verification is an insecure practice that lacks of transparency and auditability verification for the signature.\n\nVerification for nvcr.io/<foo>:<tag>--\nThe following checks were performed on each of these signatures:\n  - The cosign claims were validated\n  - The signatures were verified against the specified public key\n"}
```

Ideally, I would expect that when a certain threshold is specified, connaisseur should exit early once the threshold is met and not verify against all of the specified trust roots.
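As an added illustration of the early-exit semantics requested in this issue (not code from dbbhat's report and not Connaisseur's own implementation): the trust roots and threshold are the ones from the issue, while the `Verifier` type, the call counter and the rule that every root counted toward the threshold must agree on the same digest are assumptions made for the example.

```go
package main

import "fmt"

// TrustRoot mirrors one entry of the validator's trustRoots list in the issue.
type TrustRoot struct {
	Name, Key string
}

// Verifier stands in for one cosign run against a single trust root (assumed shape, not Connaisseur's API).
type Verifier func(root TrustRoot) (digest string, err error)

// VerifyWithThreshold walks the roots in order and returns as soon as `threshold` roots have
// verified the same digest, along with how many verifier calls were made.
func VerifyWithThreshold(roots []TrustRoot, threshold int, verify Verifier) (string, int, error) {
	if threshold < 1 || threshold > len(roots) {
		return "", 0, fmt.Errorf("threshold %d not satisfiable with %d trust roots", threshold, len(roots))
	}
	var agreed string
	matches, calls := 0, 0
	for i, root := range roots {
		calls++
		digest, err := verify(root)
		if err != nil {
			// Fail fast when the remaining roots can no longer reach the threshold.
			if matches+(len(roots)-i-1) < threshold {
				return "", calls, fmt.Errorf("threshold %d unreachable after %q failed: %w", threshold, root.Name, err)
			}
			continue
		}
		// Roots counted toward the threshold must agree on one digest (assumed policy).
		if agreed != "" && digest != agreed {
			return "", calls, fmt.Errorf("trust root %q signed %s, expected %s", root.Name, digest, agreed)
		}
		agreed = digest
		matches++
		if matches == threshold {
			return agreed, calls, nil // early exit: later roots are never invoked
		}
	}
	return "", calls, fmt.Errorf("threshold %d not met", threshold)
}

func main() {
	roots := []TrustRoot{{"connaisseur-key-1", "k8s://connaisseur/connaisseur-secret-1"},
		{"connaisseur-key-2", "k8s://connaisseur/connaisseur-secret-2"}}
	// Constructed stand-in verifier: every root "signs" the same digest.
	digest, calls, err := VerifyWithThreshold(roots, 1, func(TrustRoot) (string, error) { return "sha256:<digest>", nil })
	fmt.Println(digest, calls, err) // sha256:<digest> 1 <nil>
}
```

With threshold 1 and two roots, only one verifier call is made; with threshold 2 both roots are consulted, and a failing root that leaves too few roots to reach the threshold stops the walk immediately.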

@phbelitz phbelitz added the gofix Issues fixed with the golang switch label Feb 22, 2024
@phbelitz phbelitz removed the gofix Issues fixed with the golang switch label Jul 26, 2024