feat: add cosign keyless support to trust policy (#1503)

Makefile

@@ -592,6 +592,7 @@ e2e-helm-deploy-ratify:
 	--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
 	--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
 	--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
+	--set cosign.tLogVerify=false \
 	--set oras.useHttp=true \
 	--set-file dockerConfig="mount_config.json" \
 	--set logger.level=debug
@@ -611,6 +612,7 @@ e2e-helm-deploy-ratify-without-tls-certs:
 	--set notaryCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
 	--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
 	--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
+	--set cosign.tLogVerify=false \
 	--set oras.useHttp=true \
 	--set-file dockerConfig="mount_config.json" \
 	--set logger.level=debug

charts/ratify/README.md

@@ -51,6 +51,13 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
 | cosignKeys                                         | An array of public keys used to create inline key management providers used by Cosign verifier                                                                                                                                                                                                                                                                         | `[]`                              |
 | cosign.enabled                                     | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification.                                                                                                                                                                                                                                                         | `true`                            |
 | cosign.scopes                                      | An array of scopes relevant to the single trust policy configured in Cosign verifier. A scope of '*' is a global wildcard character to represent all images apply.                                                                                                                                                                                                     | `["*"]`                           |
+| cosign.rekorURL                                    | URL string reference to remote rekor server. If not specified, implementation will default to use Rekor public good instance `https://rekor.sigstore.dev`.                                                                                                                                                                                                             | ``                                |
+| cosign.tLogVerify                                  | Enables/disables verification of presence of signature in Transparency log.                                                                                                                                                                                                                                                                                            | `true`                            |
+| cosign.keyless.ctLogVerify                         | Enables/disables verification of presence of Secure Certificate Timestamp (SCT) in transparency log                                                                                                                                                                                                                                                                    | `true`                            |
+| cosign.keyless.certificateIdentity                 | String certificate identity used for exact identity match during verification. Either `certificateIdentity` or `certificateIdentityRegExp` MUST be defined, but both cannot be defined at together                                                                                                                                                                        | ``                                |
+| cosign.keyless.certificateIdentityRegExp              | String certificate identity regular expression for identity matching during verification. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either `certificateIdentity` or `certificateIdentityRegExp` MUST be defined, but both cannot be defined together                                                                          | ``                                |
+| cosign.keyless.certificateOIDCIssuer               | String certificate OIDC issuer for exact issuer matching during verification. Either `certificateOIDCIssuer` or `certificateOIDCIssuerRegExp` MUST be defined, but both cannot be defined together                                                                                                                                                                        | ``                                |
+| cosign.keyless.certificateOIDCIssuerRegExp            | String certificate OIDC issuer regular expression for issuer matching during verification. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either `certificateOIDCIssuer` or `certificateOIDCIssuerRegExp` MUST be defined, but both cannot be defined together                                                                     | ``                                |
 | vulnerabilityreport.enabled                        | Enables/disables installation of vulnerability report verifier                                                                                                                                                                                                                                                                                                         | `false`                           |
 | vulnerabilityreport.passthrough                    | Enables/disables passthrough. All validation except `maximumAge` are disregarded and report content is added to verifier report                                                                                                                                                                                                                                        | `false`                           |
 | vulnerabilityreport.schemaURL                      | URL for JSON schema to validate report against                                                                                                                                                                                                                                                                                                                         | ``                                |

charts/ratify/templates/_helpers.tpl

@@ -146,4 +146,20 @@ Set the namespace exclusions for Assign
 {{- if and (ne .Release.Namespace $gkNamespace) (ne .Release.Namespace "kube-system") }}
 - {{ .Release.Namespace | quote}}
 {{- end }}
+{{- end }}
+
+{{/*
+Choose cosign legacy or not. Determined by if cosignKeys are provided or not
+OR if azurekeyvault is enabled and keys are provided
+OR if keyless is enabled and certificateIdentity, certificateIdentityRegExp, certificateOIDCIssuer, or certificateOIDCIssuerExp are provided
+*/}}
+{{- define "ratify.cosignLegacy" -}}
+{{- $cosignKeysPresent := gt (len .Values.cosignKeys) 0 -}}
+{{- $azureKeyVaultEnabled := .Values.azurekeyvault.enabled -}}
+{{- $azureKeyVaultKeysPresent := gt (len .Values.azurekeyvault.keys) 0 -}}
+{{- if or $cosignKeysPresent (and $azureKeyVaultEnabled $azureKeyVaultKeysPresent) .Values.cosign.keyless.certificateIdentity .Values.cosign.keyless.certificateIdentityRegExp .Values.cosign.keyless.certificateOIDCIssuer .Values.cosign.keyless.certificateOIDCIssuerExp -}}
+false
+{{- else }}
+true
+{{- end }}
 {{- end }}

charts/ratify/templates/verifier.yaml

@@ -50,7 +50,7 @@ spec:
   name: cosign
   artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
   parameters:
-    {{- if or (gt (len .Values.cosignKeys) 0) (and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0)) }}
+    {{- if  (eq (include "ratify.cosignLegacy" .) "false") }}
     trustPolicies:
       - name: default
         version: 1.0.0
@@ -65,6 +65,16 @@ spec:
           {{- if and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0) }}
           - provider: kmprovider-akv
           {{- end }}
+        tLogVerify: {{ .Values.cosign.tLogVerify }}
+        rekorURL: {{ .Values.cosign.rekorURL }}
+        {{- if or .Values.cosign.keyless.certificateIdentity .Values.cosign.keyless.certificateIdentityRegExp .Values.cosign.keyless.certificateOIDCIssuer .Values.cosign.keyless.certificateOIDCIssuerRegExp }}
+        keyless:
+          ctLogVerify: {{ .Values.cosign.keyless.ctLogVerify }}
+          certificateIdentity: {{ .Values.cosign.keyless.certificateIdentity }}
+          certificateIdentityRegExp: {{ .Values.cosign.keyless.certificateIdentityRegExp }}
+          certificateOIDCIssuer: {{ .Values.cosign.keyless.certificateOIDCIssuer }}
+          certificateOIDCIssuerRegExp: {{ .Values.cosign.keyless.certificateOIDCIssuerRegExp }}
+        {{- end }}
     {{- else }}
     key: /usr/local/ratify-certs/cosign/cosign.pub
     {{- end }}

charts/ratify/values.yaml

@@ -16,6 +16,15 @@ cosign:
   enabled: true
   scopes: ["*"] # corresponds to a single trust policy
   key: "" # DEPRECATED: Use cosignKeys instead
+  rekorURL: ""
+  tLogVerify: true
+  keyless:
+    ctLogVerify: true
+    certificateIdentity: ""
+    certificateIdentityRegExp: ""
+    certificateOIDCIssuer: ""
+    certificateOIDCIssuerRegExp: ""
+
 vulnerabilityreport:
   enabled: false
   passthrough: false

config/samples/clustered/verifier/config_v1beta1_verifier_cosign.yaml

@@ -11,4 +11,5 @@ spec:
         scopes:
           - "*"
         keys:
-          - provider: ratify-cosign-inline-key-0
+          - provider: ratify-cosign-inline-key-0
+        tLogVerify: false

config/samples/namespaced/verifier/config_v1beta1_verifier_cosign.yaml

@@ -12,3 +12,4 @@ spec:
           - "*"
         keys:
           - provider: default/ratify-cosign-inline-key-0
+        tLogVerify: false